Setting up AD account filters: blacklist and whitelist for permission management

Note: This article is intended for customers with licensed migRaven.24/7 access management.

Blacklist of accounts that are not allowed to be removed from ACLs

The goal of migRaven.24/7 access management is to clean up and standardize the existing permissions in order to produce a “clean” ACL. For this reason, all accounts that are not on the Showcase blacklist (1) are removed from the managed ACL the first time you set permissions on a directory with migRaven.24/7 access management. This applies to every permission endpoint, i.e. the directory on which the permission is set.

Directories on the path between the share and the permission endpoint are not cleaned up. These directories only receive the list permissions needed to reach the endpoint.

To protect existing permissions that must never be removed from an ACL, you can define a blacklist with the Blacklist Tool at C:\Program Files\migRavenDBServiceHost\migRavenBlacklistTool.exe on your migRaven server. The Showcase tab (1) lists all accounts that have full access. Here the migRaven administrator configures which of these accounts may never be removed from an ACL by ticking the Blacklist checkbox (2) for each of them.

This is useful, for example, when a group of file server administrators had to be granted permissions explicitly at an inheritance break.

The migRaven Blacklist Tool shows all accounts that currently have full access to the file server resources that have already been scanned and stored in the migRaven database.

After selecting the accounts, save your configuration (3).


Automatic protection of list permissions in permissions management

Permissions with the propagation “This folder only” and “This folder and subfolders” are generally excluded from the cleanup. migRaven.24/7 access management does not delete these entries because it assumes they exist for a reason: to make permissions further down the tree reachable.

This is always the case when permissions are managed at several levels, e.g. on the first and the second level of a directory tree. The list permissions on the first level are then required to keep the permissions on the second level usable.


How do you exclude users or groups from the account search?

These filters restrict the results of the account search when assigning permissions, so that the authorizing user is only offered those users or groups that may actually be authorized manually on a directory.

The filters (blacklist and/or whitelist) are managed partly in Active Directory, where they work recursively, and partly in the standalone migRaven Blacklist Tool, where they are dynamic.

(Dynamic) Filter for Group Accounts (Blacklist or Whitelist)(Direct)

The dynamic filter is maintained in a dedicated tool, which you can find at C:\Program Files\migRavenDBServiceHost\migRavenFind BlacklistTool.exe.
On the Tokens tab (5) you will find all affixes, i.e. prefixes and suffixes, that were found while scanning your Active Directory. You can add them to your blacklist or whitelist so that the groups carrying them can no longer be found in the account search.

The function works purely on components of group names. Individual groups cannot be selected directly.

If you want to target very specific groups, you should type them consistently in advance, e.g. with uniform prefixes: RO_ for role groups, which contain the users who perform the function of the role, or GRP_ for groups in which you bundle users by department.

In the drop-down menu (6) you can switch between blacklist and whitelist.

In the Token column (7) select the tokens you want to add to the blacklist; in the Filter option column (8) define whether the token is a prefix, a suffix or both; and under Token separator (9) enter the separator that follows the prefix or precedes the suffix (several entries are possible). Finally, save (10) your configuration.

The dynamic blacklist takes effect immediately, unlike blacklisting via AD groups, which only takes effect after a rescan of the Active Directory.


Note: The dynamic filter does not work recursively.

Advantage of dynamic blacklisting: accounts created later with the corresponding affixes are automatically covered as well.
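The following PowerShell is an added example and not migRaven's own code: it re-implements the token rules described above (token, filter option prefix/suffix/both, one or more separators, blacklist vs. whitelist mode) so that you can dry-run a configuration against your real group list before saving it in the tool. The sample group names are constructed; how the real tool treats case and a token without any separator is not documented on this page, so the example assumes AD-style case-insensitive matching and a mandatory separator.

```powershell
# Added example (not migRaven's own code): previews which group names a dynamic
# token filter would hide from the account search, following the rules described
# on this page. Assumptions: name comparison is case-insensitive like AD itself,
# and the separator is mandatory (the bare token alone does not match).

function Test-TokenRule {
    param([string] $Name, $Rule)
    foreach ($sep in $Rule.Separators) {
        $asPrefix = $Name.StartsWith($Rule.Token + $sep, [System.StringComparison]::OrdinalIgnoreCase)
        $asSuffix = $Name.EndsWith($sep + $Rule.Token, [System.StringComparison]::OrdinalIgnoreCase)
        switch ($Rule.FilterOption) {
            'Prefix' { if ($asPrefix) { return $true } }
            'Suffix' { if ($asSuffix) { return $true } }
            'Both'   { if ($asPrefix -or $asSuffix) { return $true } }
        }
    }
    return $false
}

function Get-TokenFilterPreview {
    param(
        # One rule per token row: Token (7), FilterOption (8) = Prefix | Suffix | Both,
        # Separators (9) = one or more separator strings
        [Parameter(Mandatory)] [object[]] $Rules,
        # Blacklist (6): matching groups are hidden. Whitelist: only matching groups stay visible.
        [Parameter(Mandatory)] [ValidateSet('Blacklist', 'Whitelist')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $GroupNames
    )
    foreach ($name in $GroupNames) {
        $matched = @($Rules | Where-Object { Test-TokenRule -Name $name -Rule $_ }).Count -gt 0
        $visible = if ($Mode -eq 'Blacklist') { -not $matched } else { $matched }
        [pscustomobject]@{ Group = $name; MatchesToken = $matched; VisibleInSearch = $visible }
    }
}

# Constructed sample group names (not taken from any real directory). Against a
# live domain, use the real list instead:  $groups = (Get-ADGroup -Filter *).Name
$groups = 'RO_FileServerAdmins', 'GRP_Finance', 'Finance_ro', 'ro-Backup', 'Helpdesk', 'RO'

$rules = @(
    [pscustomobject]@{ Token = 'RO';  FilterOption = 'Both';   Separators = @('_', '-') }
    [pscustomobject]@{ Token = 'GRP'; FilterOption = 'Prefix'; Separators = @('_') }
)

# Dry run of a blacklist configuration: nothing is written anywhere; the
# configuration itself still has to be saved in the tool (10).
Get-TokenFilterPreview -Rules $rules -Mode Blacklist -GroupNames $groups | Format-Table -AutoSize
```

Switch `-Mode` to `Whitelist` to see the inverse effect, where only groups matching a token remain searchable. Because the separator is treated as mandatory in this example, a group whose whole name equals a token (the sample entry `RO`) is not matched; if you rely on that edge case, verify it in the tool itself, since the page does not specify it.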

Filter for Active Directory User Accounts (Blacklist/Whitelist) (Direct/Indirect)

These filters are managed directly via groups in Active Directory.

With licensed migRaven.24/7 access management you should create two groups directly in the OU (11) in which migRaven creates its permission groups. This target OU and the group naming convention are configured in the migRaven Admin Client under Settings.

The groups must have these names:

  • migRaven-FSS Blacklist
  • migRaven-FSS whitelist


Important: These filters work recursively! If a group is a member of the blacklist group, the members of that group, i.e. the user accounts, are no longer shown in the account search. The whitelist group works in the same way. The groups themselves can still be found by name in the account search.

Filters for the groups themselves are handled by the dynamic filter described above.

Important: The group scope can be chosen freely. For full flexibility, e.g. to blacklist or whitelist groups from other domains, we recommend domain-local groups (12).


In addition to the blacklist group you should always create a whitelist group, so that you can make a subset of the blacklist group's members (users) available in the account search again.

Example: You blacklist the group ro_domain_admins but regularly need to authorize the user EDAdmin explicitly. In that case make EDAdmin a member of the whitelist group.

After rescanning the Active Directory, EDAdmin is the only member of ro_domain_admins that can still be found in the account search. The group ro_domain_admins itself can still be found at this point.

We strongly recommend that you additionally blacklist the ro_ prefix dynamically, as described above, so that the group itself is no longer offered either.

We also recommend the Domain local scope for the whitelist group, so that it can be used across domains if necessary.
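The following PowerShell is an added example, not part of this help article or of migRaven: it performs the steps above against Active Directory (create both filter groups as domain-local security groups in the target OU, blacklist ro_domain_admins, whitelist EDAdmin), checks the group scope, and then previews which user accounts the recursive filter will hide after the next AD rescan. The OU distinguished name, the domain and the existence of ro_domain_admins and EDAdmin are assumptions; it needs the ActiveDirectory module (RSAT) and the right to create groups in that OU.

```powershell
# Added example (not migRaven's own code): creates the two filter groups as
# domain-local security groups in the migRaven target OU, populates them with
# the example from this page and previews which user accounts will disappear
# from the account search after the next AD rescan. The OU, the domain and the
# accounts ro_domain_admins / EDAdmin are assumptions; use the target OU (11)
# configured in the migRaven Admin Client.
Import-Module ActiveDirectory

$targetOu      = 'OU=migRaven,DC=example,DC=local'   # assumed; must match the Admin Client setting
$blacklistName = 'migRaven-FSS Blacklist'
$whitelistName = 'migRaven-FSS whitelist'

foreach ($name in $blacklistName, $whitelistName) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $targetOu)) {
        # Domain-local scope (12): may contain users and groups from trusted domains
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $targetOu -Description 'migRaven.24/7 account search filter'
    }
}

# The example from this page: hide every member of ro_domain_admins except EDAdmin
Add-ADGroupMember -Identity $blacklistName -Members 'ro_domain_admins'
Add-ADGroupMember -Identity $whitelistName -Members 'EDAdmin'

# Check: both groups really are domain-local security groups
$blacklistName, $whitelistName | Get-ADGroup | Select-Object Name, GroupScope, GroupCategory

# Preview of the recursive filter: users reachable through the blacklist group minus
# users reachable through the whitelist group. Get-ADGroupMember -Recursive flattens
# nested groups and returns only leaf objects, so the result is narrowed to users.
function Get-HiddenAccountPreview {
    param([string] $Blacklist = $blacklistName, [string] $Whitelist = $whitelistName)
    $blocked = Get-ADGroupMember -Identity $Blacklist -Recursive |
               Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    $allowed = Get-ADGroupMember -Identity $Whitelist -Recursive |
               Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    # Accounts that the account search will no longer offer once migRaven has rescanned AD
    $blocked | Where-Object { $_ -notin $allowed }
}
Get-HiddenAccountPreview
```

Run this once, then trigger an AD rescan in migRaven, because the group-based filter is only evaluated on a rescan. The preview only reproduces the recursion rule this page describes (members of the blacklist group minus members of the whitelist group); the authoritative result is the account search itself after the rescan.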

Please contact our support at support@migRaven.com for assistance with the blacklist and filter tool.

Permanent link to this post: https://help.migraven.com/blacklist-und-whitelist-filter-von-user-und-gruppen-fuer-die-berechtigungsverwaltung/
