
DatAdvantage 6.3 User Guide

Uploaded by

Troy Reppert

DATADVANTAGE 6.3
User Guide
Publishing Information
Software version 6.3.160
Document version 9
Publication date May 22, 2017

Copyright (c) 2005 - 2017 Varonis Systems Inc.


All rights reserved.
This information shall only be used in conjunction with services contracted for
with Varonis Systems, Inc. and shall not be used to the detriment of Varonis
Systems, Inc. in any manner. User agrees not to copy, reproduce, sell, license,
or transfer this information without prior written consent of Varonis Systems, Inc.
Other brands and products are trademarks of their respective holders.
CONTENTS

Chapter 1: DatAdvantage ... 1
Terminology ... 1
Target Audience ... 5
Related Documentation ... 5
Chapter 2: Basic Concepts ... 6
File Server Probe ... 6
File Server Event Data Collection ... 6
File Server Structure Data Collection ... 7
Handling of Events on the Same Entity ... 7
Directory Service Probe ... 7
IDU Server ... 8
Active Directory Data Collection ... 8
DatAdvantage Data Aggregation ... 8
Bidirectional Clustering ... 9
IDU Analytics ... 9
DatAdvantage Management ... 9
Risk Assessment ... 10
Permission Management ... 10
Auditing and Reporting ... 10
Events and Usage Policies ... 11
User Roles, Permissions and Security Model ... 12
Abstract Entities ... 22
Ownership and Custodianship ... 23
Custodians and Owners vs. Application Roles ... 24
UI Visibility Limitations for Owners and Custodians ... 25
Custodians, Owners and Reports ... 27
Multiple Owners ... 27
Ownership Inheritance ... 28
Directory Service Account Management ... 29
Share Visibility in DatAdvantage ... 30
Synchronization of Ownership with DataPrivilege ... 30
Accessibility for Color Blind Users ... 31
Chapter 3: Workflows ... 32
Reviewing and Applying Analysis Recommendations ... 32
Reviewing Known Data By Folder ... 32
Reviewing Known Groups ... 32
Reviewing Similar Data ... 33
Validating and Applying Changes ... 33
Identifying Unusual Behavior ... 34
Using DatAdvantage to Move from Share to NTFS Permissions ... 35
Reviewing Activities ... 36
Using DatAdvantage to Understand Security Changes ... 36


Chapter 4: Getting Started ... 38
Starting DatAdvantage ... 38
DatAdvantage's Graphical User Interface ... 38
DatAdvantage Views ... 41
Menus and Toolbar ... 42
DatAdvantage Status Bar ... 44
Displaying the DatAdvantage Legend ... 44
Keyboard Shortcuts ... 47
Closing DatAdvantage ... 52
Chapter 5: Common Activities ... 53
Setting User Interface Display Options ... 53
Switching Views ... 53
Selecting Resources ... 54
Showing and Hiding Window Panes ... 56
Using the Current Active Entity List ... 56
Using the Directory Services Search Dialog Box ... 57
Using the Directory Picker Dialog Box ... 58
Navigating Directories and Files ... 59
Searching for Directories and Files ... 59
Understanding Logical and Physical Views ... 59
Focusing on Directories and Files by View State ... 62
Viewing the Tree According to Permission Types ... 64
Grouping Exchange Entities ... 64
Showing and Hiding Management Indicators ... 66
Showing and Hiding Deduplication Indicators ... 66
Viewing Columns in the Directories Pane ... 66
Filtering Directories and Files ... 67
Clearing Filters ... 68
Navigating User and Group Lists ... 68
Reloading User or Group Information ... 69
Arranging Users and Groups ... 69
Filtering User and Group Lists ... 70
Switching between Parent and Child Views ... 71
Viewing Users and Groups According to Permission Types ... 73
Selecting Display Name Settings for Users or Groups ... 73
Showing or Hiding Managed Group Indicators ... 74
Showing or Hiding Inactivity Indicators ... 75
Showing or Hiding Excluded from IDU Analytics Indicators ... 75
Editing the Displayed Columns ... 76
Selecting Organizational Units ... 77
Moving Users and Groups to the Top of the List ... 79
Searching for Users or Groups ... 79
Viewing Azure Active Directory Objects in the Users & Groups Pane ... 79
Managing Ownership and Custodianship ... 81
About Uploading Owners ... 81
Assigning Owners, Custodians and Entities Throughout the System ... 84


Assigning Managed Entities to a Single Owner ... 88
Adding Managed Resources to a Single Group ... 90
Setting Ownership on a Group ... 92
Assigning Owners to a Single Managed Directory ... 96
Dragging and Dropping Owners and Entities ... 97
Filtering the Managed Entities List ... 97
Replacing or Cloning Owners Throughout the System ... 99
Removing Owners or Custodians from Entities ... 100
Exporting Owner Lists to CSV ... 101
About Change Management and Commit ... 103
What Should Be Committed ... 103
Committing Changes on SharePoint File Servers ... 105
Accessing the Change Management and Commit Window ... 105
Managing Pending Changes ... 106
Managing Commit Processes ... 116
Exporting Changes and Processes to CSV ... 123
Editing the Displayed Columns ... 124
Archiving Events, Statistics and Committed Processes ... 128
Selecting Events, Statistics and Committed Processes ... 128
Archiving Events, Statistics and Committed Processes ... 130
Restoring Archived Data ... 130
Restoring Data Per User ... 131
Deleting Archived Data ... 134
Managing IDU Servers ... 134
Adding IDU Connections ... 134
Removing IDU Connections ... 135
Configuring Dictionaries ... 136
Adding Dictionaries ... 137
Editing Dictionaries ... 139
Cloning Dictionaries ... 140
Removing Dictionaries ... 140
Setting Entities as Monitored or Unmonitored ... 140
Using Follow-up Indicators ... 141
Configuring Follow-up Indicators ... 141
Uploading Follow-Up Indicators ... 143
Clearing Follow-Up Indicators ... 152
Managing Flags ... 152
Managing Tags ... 156
Managing Notes ... 160
Setting Entities as Included or Excluded from Analysis ... 161
Working with Lists and Tables ... 162
Sorting Lists and Tables by Column ... 162
Grouping Lists and Tables by Column ... 162
Ungrouping Lists or Tables ... 163
Viewing History of Deleted Entities ... 163
Viewing Entity Properties ... 164


Opening the Management Console ... 164
Advanced Searching ... 164
Accessing Advanced Search Criteria ... 164
Selecting the Data Source ... 165
Setting the Time Frame for a Search ... 165
Selecting a Search Mode ... 165
Adding Grouping Criteria ... 165
Nesting Groups and Filters ... 166
Adding Filters ... 166
Defining Filter Attributes ... 167
Changing Operators ... 167
Changing the Type of an Existing Group or Filter ... 167
Including and Excluding Groups from the Filter ... 167
Removing Groups or Filters ... 168
Capping the Search Results ... 168
Saving Defined Searches ... 169
Loading Defined Searches ... 169
Resetting the Advanced Search Criteria ... 169
Chapter 6: Work Area ... 170
Understanding the Work Area ... 170
Viewing Permissions ... 172
Viewing Permission Sources ... 176
Viewing Permission Sources Causing Access Errors ... 177
Viewing Recommendations ... 178
Managing Permissions ... 178
Editing Permissions on Windows Directories and Files ... 178
Editing Permissions on Unix Directories and Files ... 181
Editing Permissions and Permission Levels in On-Premises SharePoint and SharePoint Online ... 183
Editing Permissions and Permission Levels in Exchange ... 191
Viewing Directory Service Permissions ... 196
Managing Directories and Files ... 198
Creating Groups with Permissions to Directories ... 198
Adding Users or Groups to Directories and Files ... 207
Locating Mailbox Owners ... 208
Locating Directory Service Objects in the Users & Groups Pane ... 209
Creating a Folder Automatically Recognized by DatAdvantage ... 209
Managing Permission Flags ... 210
Adding Protection to a Directory or File ... 210
Removing Protection from Directories and Files ... 211
Removing Non-Inherited Permissions from Directories and Files ... 212
Managing Users and Groups ... 212
Creating Groups ... 212
Deleting Groups ... 217
Adding Users to Groups ... 218
Removing Users from Groups ... 218


Restoring Relationships between Users and Groups ... 218
Restoring Recommendations to Remove Users from Groups ... 218
Adding Group Membership to Users ... 219
Removing Group Membership from Users ... 219
Locating an Entity's Mailboxes ... 219
Locating Domain Users and Groups ... 220
Creating a User Account ... 220
Setting General User Properties ... 222
Setting User Account Properties ... 222
Defining Mailbox Settings ... 223
Setting Additional User Properties ... 225
Setting Group Membership ... 225
Editing a User Account ... 226
Copying a User Account ... 228
Creating Groups ... 229
Add Members of An Existing Group to Another Existing Group ... 234
Deleting User and Computer Accounts ... 235
Deleting Users and Computers through the Account Management Button ... 235
Deleting User and Computer Accounts through the Context Menu ... 236
Resetting Passwords ... 237
Resetting Passwords through the Account Management Button ... 237
Resetting Passwords through the Context Menu ... 239
Unlocking User Accounts ... 240
Unlocking User Accounts through the Account Management Button ... 241
Unlocking User Accounts through the Context Menu ... 242
Disabling and Enabling Entities ... 243
Disabling and Enabling Entities through the Account Management Button ... 243
Disabling and Enabling Entities through the Context Menu ... 245
Moving Entities ... 246
Moving Entities through the Account Management Button ... 246
Moving Entities through the Context Menu ... 247
About Synchronization ... 248
Synchronizing Recommendations ... 248
Synchronizing Ownership with DataPrivilege ... 249
About Synchronization and DataPrivilege Base Folders ... 250
About the Errors Pane ... 250
Working with the Expected Access Errors Pane ... 251
Fixing Directory Errors ... 252
Chapter 7: Review Area ... 261
Understanding the Review Area ... 262
Viewing Permission Status ... 263
Synchronizing Recommendations ... 263
Working with the Expected Access Errors Pane ... 264
Viewing Edit History ... 265
Chapter 8: Statistics View ... 267
Generating Statistics for Resources ... 267

Generating Resource Statistics for Activity By Date...........................................................................268
Generating Resource Statistics for Directory Utilization....................................................................268
Generating Resource Statistics for User Utilization............................................................................ 269
Generating Resource Statistics for Inactive Users.............................................................................. 270
Generating Resource Statistics for Least Active Users.......................................................................271
Generating Resource Statistics for Unmanaged Directories and Resources............................... 272
Generating Statistics for Directories.............................................................................................................273
Generating Directory Statistics for Activity By Date............................................................................273
Generating Directory Statistics for Subdirectories...............................................................................274
Generating Directory Statistics for User Access.................................................................................. 275
Generating Directory Statistics for Inactive Users............................................................................... 276
Generating Directory Statistics for Least Active Users.......................................................................277
Generating Directory Statistics for Inactive Directories......................................................................278
Generating Directory Statistics for Managed Folders.........................................................................278
Generating Statistics for Users and Groups...............................................................................................279
Generating User and Group Statistics for Activity By Date...............................................................279
Generating User and Group Statistics for Directory Utilization....................................................... 280
Generating User and Group Statistics for User Activity......................................................................281
Jumping to Other Views from the Statistics View....................................................................................282
About Ownership Management Through the Statistics View............................................................... 283
Setting Owners Automatically................................................................................................................... 283
Drill-down Operations for Statistics.............................................................................................................. 283
Chapter  9:  Logs View............................................................................................................................................287
Viewing Logs....................................................................................................................................................... 287
Adding and Removing Log Columns...........................................................................................................290
Log Columns........................................................................................................................................................ 291
Exporting Log Results.......................................................................................................................................299
Saving Log Results............................................................................................................................................299
Loading Log Results......................................................................................................................................... 299
Printing Logs....................................................................................................................................................... 299
Minimizing and Maximizing the Query Pane............................................................................................. 300
Jumping to Report 1.a.01................................................................................................................................. 300
Chapter  10:  Alerts View......................................................................................................................................... 301
Viewing Alerts.....................................................................................................................................................302
About Alert Analysis..........................................................................................................................................304
Analyzing Alerts..................................................................................................................................................305
Inappropriate Access........................................................................................................................................ 305
Chapter 11: Reports View..................................................................................................................................... 306
About the Reports List..................................................................................................................................... 306
Finding Reports in the Reports List.........................................................................................................306
Using the Reports List................................................................................................................................. 307
Accessing the DatAdvantage Operational Log.........................................................................................308
About Report Templates..................................................................................................................................308
Creating Report Templates........................................................................................................................ 309
Editing Report Templates............................................................................................................................ 315
Deleting Report Templates......................................................................................................................... 315

Working with Reports........................................................................................................................................ 315
Showing and Hiding the Report Search Pane.......................................................................................315
Switching Report Views............................................................................................................................... 315
Previewing Reports........................................................................................................................................316
Working with the Table View..................................................................................................................... 317
Exporting Reports................................................................................................................................................318
Subscribing to Reports......................................................................................................................................319
Delivery Parameters Tab............................................................................................................................ 320
Filter Configuration Tab...............................................................................................................................335
Scheduler Tab................................................................................................................................................ 335
Managing Your Subscriptions....................................................................................................................336



1 DATADVANTAGE

Varonis DatAdvantage is an analytic software-based solution for data usage management.

With Varonis DatAdvantage, organizations can see, understand and manage who is using data, to
control data access and enforce compliance with data usage policies to meet business needs.

Varonis DatAdvantage addresses the growing need for regulating data usage within organizations,
enabling full visibility and accountability of data usage across legal, financial, data security,
intellectual property and data privacy requirements.

Terminology
The following terms are used with regard to DatAdvantage:

Term - Definition

ACE - Access control entry. A list or table containing entries that specify
individual user or group rights to specific system objects, such as
a program, a process, or a file.

ACL - Access control list. A list of permissions attached to an object.
The list specifies who or what is allowed to access the object
and what operations are allowed to be performed on the object.
In a typical ACL, each entry in the list specifies a subject and an
operation: for example, the entry (Alice, delete) on the ACL for file
XYZ gives Alice permission to delete file XYZ.

Admin account - An account used by administrators. These usually have higher
privileges than regular users. Admin accounts are defined as
privileged accounts in the Management Console. Can be: End-user,
user, computer, service or executive accounts.

Asset - The item displayed at the level of a volume in DatAdvantage:
• CIFS file servers - Either a volume or a monitored share
• SharePoint - Site collection
• Exchange - Mailbox store or public folders
• Directory services - Usually the domain

Base folder - The root managed folder. A storage folder that is managed by
one or more data owners. Can only be defined by administrators.
Contains managed directories.


Behavioral profile - A collection of the standard metadata that Varonis gathers for all
users and their activities in the computing environment. When this
metadata is accumulated over the course of several months, user
behavior analysis (UBA) can identify atypical user behavior, which
may indicate malicious intent.

Computer - An account used to represent a computer. Can be: Service or
Admin accounts.

Data Classification Framework (DCF) - A special layer of metadata that enables
classifying unstructured data to assist organizations in protecting and
governing their data.

Delegated task - A predefined set of permissions granted to a user or a group.
With these permissions, users or groups can perform specific
tasks, such as managing users, groups, computers, organizational
units, and other Active Directory objects. Control of Active
Directory objects can be delegated by using the Delegation of
Control Wizard in the Active Directory Users and Computers
snap-in.

Distinguished unique directory or file - An object that has effectively different
permissions than its parent permissions. Both unique and distinguished unique
objects are marked with the standard unique icons.

Domain local group - A domain local group is a security or distribution group that can
contain universal groups, global groups, other domain local
groups from its own domain, and accounts from any domain in
the forest. You can give domain local security groups rights and
permissions on resources that reside only in the same domain in
which the domain local group is located.

End-user account - All accounts that are not service, computer or group accounts.
Can be: Admin, executive or user accounts.

Entity - A "monitored" object in the IDU framework. This includes
directories, users, groups, OUs, domains and resources (file
servers).

Error - Errors occur when IDU Analytics makes a recommendation to
remove access, or an administrator manually removes such
access, to data that is later retrieved by a user.

Executive account - An account used by a company executive. Executive accounts
are defined as privileged accounts in the Management Console.
Can be: End-user, user or Admin accounts.


Existing User/Group - Describes the users and groups that currently exist in the
Active Directory environment. This information comes from
existing entities in Active Directory, and represents actual group
membership and nested groups.

Global group - A global group is a group that can be used in its own domain,
in member servers and in workstations of the domain, and in
trusting domains. In all those locations, you can give a global
group rights and permissions and the global group can become
a member of local groups. However, a global group can contain
user accounts that are only from its own domain.

IDU Server - A database that provides Active Directory data and
recommendations from IDU Analytics. It also contains information
used by the DatAdvantage user interface (UI), including data
about Probes and file servers, and roles for users accessing
DatAdvantage.

Inherited permissions - Inherited permissions represent rights that are received from
parent directories.

Owner - A user who can view and manage all actions regarding the
application and the entities assigned to him or her.

Permission - A rule that is associated with an object to regulate which users or
groups can gain access to the object and in what manner.

Permission level - A set of permissions that can be granted to users or groups on an
entity such as a site, list, folder, item, or document. Used primarily
in SharePoint and Exchange.

POSIX ACLs - ACLs that comply with the POSIX specifications for user and
software interfaces to an operating system.

Probe - A server that monitors file servers for file events, and records the
data in a SQL database. The Probe also scans the file structure of
the target file server. One probe is capable of monitoring multiple
servers for events.

Protected directory or file - A protected directory or file does not inherit any
permissions from its parent directory. The entity's icon is decorated with a lock.


Recommended User/Group - Describes the appearance of users and groups in the Active
Directory, based on recommendations derived from IDU Analytics
and manual administrator changes in the virtual environment.
These are only recommendations and do not directly reflect the
actual representation in the Active Directory.

Resource - The representation of a file server in DatAdvantage. Views in
DatAdvantage are grouped by file server for easy retrieval of
information.

Service account - An account used to automatically run processes (for example,
scheduled tasks, applications, and so on). Service accounts are
defined as privileged accounts in the Management Console. Can
be: Admin, computer or user accounts.

UBA - See User Behavior Analysis.

User - All accounts that are not computer or group accounts. Can be:
Admin, executive, service or end-user accounts.

User Behavior Analysis - User Behavior Analysis enables:
• Identifying a specified sequence of events
• Correlating such events with additional data that is not
available in the events themselves
• Differentiating between regular and abnormal user behavior
This analysis is the foundation of a behavioral profile.

Unique directory or file - Unique permissions are explicitly assigned to a specific
directory or file and are not inherited from permissions assigned to a
parent directory. In DatAdvantage, directories and files with these
permissions are represented by a user icon. This also applies to
a directory or file that has inherited some permissions from the
parent, but also has additional permissions assigned directly to it.

A file system object may have an ACL that is the same as that
of its parent, even though there is no conventional inheritance
relationship between the objects and the parent is marked as
unique. DatAdvantage marks such an object as unique-equal, to
indicate the identical ACLs. The other unique folders, which are
not unique-equal, are marked as distinguished unique.


Universal group - A universal group is a security or distribution group that contains
users, groups, and computers from any domain in its forest as
members. You can give universal security groups rights and
permissions on resources in any domain in the forest. Universal
groups are not supported for Windows 2000.

Target Audience
This user guide is intended for the following users:
• System Administrators managing the organization's Active Directory and file servers
• Help Desk operators managing users and permissions
• IT management
• Compliance and finance users - Users who need to apply access policies as well as obtain
forensic information on past activity
• Security analysts

Related Documentation
• Metadata Framework Filters
• Metadata Framework Installation Prerequisites and Requirements
• Metadata Framework Installation Guide
• Metadata Framework Release Notes
• Metadata Framework Reports



2 BASIC CONCEPTS

DatAdvantage comprises three components: the DatAdvantage Probe, DatAdvantage IDU
Analytics and the DatAdvantage Management UI.

File Server Probe


The File Server Probe is a non-intrusive probe that transparently collects file server events to
continuously track data usage and user directory structure.

By collecting actual data usage information, the File Server Probe provides coverage of what data
is currently available to users across an unlimited number of users and data, as well as what data
is actually being accessed and used, for full and accurate usage visibility.

File Server Event Data Collection


The File Server Probe is interoperable with standard Information Lifecycle Management and
Network Attached Storage environments, including NetApp and Microsoft file servers.

The File Server Probe is completely transparent to system operations. All data collection
processes are continuously monitored, and terminated immediately if performance degradation is
detected, ensuring completely non-intrusive probing.

ILM/NAS Environment - File Server Probe

AIX - Collects file server event information through the Varonis driver.

EMC Celerra NAS - Collects file server event information through Windows auditing.

EMC Celerra CEPA - Collects file server event information through the event enabler framework.

EMC Isilon - Collects file server event information through the event enabler framework.

Exchange - Collects file server event information through the Varonis driver.

Hitachi NAS - Collects file server event information through Windows auditing.

HP-NAS - Collects file server event information through the Varonis driver.

MS File Server - Collects file server event information through MS-IFS (file server filter).

Network Appliance - Collects file server event information through an FPolicy API.

SharePoint - Collects file server event information through the Varonis driver.

Sun Solaris - Collects file server event information through the Varonis driver.

Unix/Linux - Collects file server event information through the Varonis driver.

File Server Structure Data Collection


In addition to collecting file access events, the file server Probe periodically collects information
about the directory structure and access control lists for each of the monitored file servers. This
part of the data collection happens based on a configurable schedule.

Handling of Events on the Same Entity


DatAdvantage event collection is designed for the greatest efficiency, with minimal impact on
performance. This goal of economical processing means DatAdvantage filters and aggregates
events to provide the most cost-effective means for organizations to gain insight into their data
usage.

Along with other methods designed to streamline data governance, the Probe's event collection
mechanism handles events as follows:

• Events gathered for the same entity made by the same user at the same time are filtered, so
that only one event is recorded in the system.
• Events are aggregated on a daily basis, so that the Event Count displays the number of times
the same event occurred (with the first and last times at which it occurred).

Directory Service Probe


The Directory Service Probe is a non-intrusive probe that transparently collects directory service
events to continuously track changes to the organization's user directories.


The Directory Service Probe is completely transparent to system operations. All event collection
processes are continuously monitored, and terminated immediately if performance degradation is
detected, ensuring completely non-intrusive probing.

Directory Service probing includes support for the following events:

• Creation and deletion of all objects


• Changes in group membership
• Changes in directory service object properties, with regard to users and groups, for any
property

Note: Due to standard Microsoft behavior, Modify events may be recorded for all the fields
in a modified object, not only those that were changed. In addition, when a directory service
object is created, many Create and Modify events are recorded on the object's fields.

The Metadata Framework supports only auditing of directory service events. The DCF does not
support probing directory services.

The Directory Service Probe collects event information through a combination of the Microsoft
directory service audit feature and the DC's security log.

IDU Server
The IDU Server is a database that provides Active Directory data and recommendations from IDU
Analytics. It also contains information used by the DatAdvantage user interface (UI), including data
about Probes and file servers, and roles for users accessing DatAdvantage.

Active Directory Data Collection


IDU Analytics is interoperable with standard Active Directory and NT domain servers, collecting
user, group, and OU structure information to maintain an updated organizational tree and user
groups. This part of the data collection is based on a configurable schedule. See the Management
Console User Guide for information on schedule configuration.

DatAdvantage Data Aggregation


DatAdvantage event collection is designed for optimal efficiency, with minimal impact on
performance. This means DatAdvantage filters and aggregates events to provide the most
efficient means for organizations to gain insight into their data usage.

DatAdvantage data collection receives events from the monitored sources (such as EMC CEPA) as
the sources send them, depending on the mechanism associated with each data source. This mechanism
is outside the control of DatAdvantage (e.g., EMC CEPA typically sends events some seconds after
they occur, or when its buffer is full).

While these events are stored in tables on the Varonis Probes as they are received, they are
not immediately visible in the user interface. They are made available after several database
processing and transfer jobs are run (scheduled to run nightly by default). These jobs can be
triggered manually, if necessary.

In general, DatAdvantage collects and normalizes all events. Within a one-day period, all events of
a discrete type (Open, Create, Modify, etc.), generated by a discrete user, on a discrete object (file,
folder, email message, etc.) appear in the user interface. Duplicate events - those events occurring
on the same day and whose type, user, and object are identical - are displayed as increments
to a counter, "Event Count." All events are aggregated on a daily basis, so that the Event Count
displays the number of times the same event occurred (with the first and last times at which it
occurred).

The following are exceptions to this rule:


• Modify and Open events associated with temporary files are filtered immediately by the Probe.

Note: Temporary events are those associated with objects that are created and deleted
within a "count-time frame" (default is 5 minutes).

• Duplicate Open, Modify and Set Security (i.e., change permissions, or chmod) events occurring
within the same minute are omitted, so that only one event is recorded in the system. The one-
minute time frame is determined based on real time between seconds 0-59.
• A buffer of 10 events (the default) is maintained and checked against various event filtering
patterns. If no events in the buffer match an event filtering pattern, the buffer is emptied and
the events are sent to the Probe without being filtered.
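
The following Python sketch is an added example, not Varonis code: it applies the temporary-file filter, the same-minute filter and the daily roll-up described above (and under Handling of Events on the Same Entity) to a few constructed events, so an analyst can see what an aggregated row still contains. The field names, paths, sample events and the order in which the rules run are assumptions; the 10-event pattern buffer is not modeled.

```python
from collections import namedtuple
from datetime import date, datetime, timedelta

# One raw audit event as a probe might receive it (field names are assumptions).
Event = namedtuple("Event", "ts user obj etype")

MINUTE_DEDUP_TYPES = {"Open", "Modify", "Set Security"}  # one per clock minute
TEMP_FILTERED_TYPES = {"Open", "Modify"}                 # dropped on temporary objects
COUNT_TIME_FRAME = timedelta(minutes=5)                  # default "count-time frame"


def temporary_lifetimes(events, frame=COUNT_TIME_FRAME):
    """Return {obj: [(created, deleted), ...]} for objects deleted within `frame`."""
    created, lifetimes = {}, {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.etype == "Create":
            created[e.obj] = e.ts
        elif e.etype == "Delete" and e.obj in created:
            start = created.pop(e.obj)
            if e.ts - start <= frame:
                lifetimes.setdefault(e.obj, []).append((start, e.ts))
    return lifetimes


def aggregate(events):
    """Filter events, then roll them up into one row per day, user, object and type.

    Returns {(day, user, obj, etype): {"count": n, "first": ts, "last": ts}}.
    """
    ordered = sorted(events, key=lambda ev: ev.ts)
    lifetimes = temporary_lifetimes(ordered)
    seen_in_minute = set()
    rows = {}
    for e in ordered:
        # Open/Modify on an object that was created and deleted inside the frame.
        if e.etype in TEMP_FILTERED_TYPES and any(
            start <= e.ts <= end for start, end in lifetimes.get(e.obj, ())
        ):
            continue
        # Duplicate Open/Modify/Set Security in the same clock minute (seconds 0-59).
        if e.etype in MINUTE_DEDUP_TYPES:
            bucket = (e.user, e.obj, e.etype, e.ts.replace(second=0, microsecond=0))
            if bucket in seen_in_minute:
                continue
            seen_in_minute.add(bucket)
        # Daily aggregation: Event Count plus first and last occurrence.
        key = (e.ts.date(), e.user, e.obj, e.etype)
        row = rows.setdefault(key, {"count": 0, "first": e.ts, "last": e.ts})
        row["count"] += 1
        row["last"] = e.ts
    return rows


# Constructed sample data (not taken from a real system).
Q3 = r"\\fs1\finance\q3.xlsx"
TMP = r"\\fs1\finance\~$q3.tmp"


def t(day, hour, minute, second):
    return datetime(2017, 5, day, hour, minute, second)


SAMPLE_EVENTS = [
    Event(t(22, 9, 0, 5), "alice", Q3, "Open"),
    Event(t(22, 9, 0, 40), "alice", Q3, "Open"),    # same clock minute: omitted
    Event(t(22, 9, 1, 2), "alice", Q3, "Open"),     # 22 s later, next minute: kept
    Event(t(22, 14, 30, 0), "alice", Q3, "Open"),
    Event(t(23, 8, 0, 0), "alice", Q3, "Open"),     # next day: separate row
    Event(t(22, 10, 0, 0), "bob", TMP, "Create"),
    Event(t(22, 10, 0, 30), "bob", TMP, "Modify"),  # temporary object: filtered
    Event(t(22, 10, 1, 0), "bob", TMP, "Open"),     # temporary object: filtered
    Event(t(22, 10, 3, 0), "bob", TMP, "Delete"),
]

if __name__ == "__main__":
    for key, row in sorted(aggregate(SAMPLE_EVENTS).items()):
        print(key, row)
```

In the alice row for May 22 the Event Count, first time and last time survive the roll-up, but the individual access times between them do not, which matters when a timeline is reconstructed from the aggregated view.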

Bidirectional Clustering
DatAdvantage performs bidirectional clustering on both data and users. It thereby creates
multilevel classifications to deliver a full understanding of data usage, automatically eliciting what
data belongs to whom and what data is actually needed to meet specific business objectives.

Using a robust set of profiling criteria, DatAdvantage continuously maps data-user relationships,
tracking changes in behavior over time so that administrators can dynamically match user
classification and access control with data usage compliance needs. DatAdvantage provides a set
of recommendations based on very accurate behavioral analysis, allowing access control to be
aligned with the business needs.

IDU Analytics
DatAdvantage IDU Analytics intelligently aggregates and clusters data events and directory
structure information to accurately profile and classify data usage. DatAdvantage automatically
maps data to users, and vice versa, making sense of data usage patterns to provide an
understanding of data owners and who should be accessing data while pinpointing potential data
usage risks.

DatAdvantage Management
DatAdvantage Management is a user interface (UI) for managing all aspects of data usage across
the enterprise, including risk assessment, permission management, auditing and reporting.

Delivering complete usage visibility, DatAdvantage Management enables simple exploration of
data usage via interactive graphical views based on users, data, and their inter-relationships.

Risk Assessment
DatAdvantage maps actual data usage with users to automatically analyze and evaluate data risks,
highlighting potential mismatches between sensitive data and permissions and recommending
classification changes, based on true usage behavior. With DatAdvantage, administrators can
accurately profile data and users, creating accurate classifications to ensure access control and
usage compliance.

Permission Management
DatAdvantage enables centralized updating of permissions, streamlining access control
management and ensuring enforcement across an unlimited number of nested users, data
sensitivity levels and business processes.

Auditing and Reporting


DatAdvantage affords granular and customized views of data usage patterns, enabling auditing
and reporting based on any combination of users, data, time period, and business process criteria.
With DatAdvantage, system administrators can zoom out to explore macro data usage
patterns to understand data usage trends, or home in on specific usage events to document and
capture specific details. DatAdvantage auditing information can easily be exported into tabular and
graphical formats, and may be automatically compiled into user-defined periodic reports.

Windows Auditing Caveats

The Windows operating system has evolved quite a bit over the past several versions. Unlike
early iterations, it now provides a number of advanced features that, in providing a rich user
experience, may occasionally cause DatAdvantage to return false positives - that is, DatAdvantage
may indicate a particular user has accessed a file even though the user believes he has not done
so.

Some examples of these advanced features, primarily available in Windows Vista and higher,
include:
• Content search
• Thumbnail views
• Preview panes

False positives occur because Windows Explorer must actually open a file's data stream and peek
inside to enable the advanced OS features mentioned above. Whether the user purposely opens
a file or Windows Explorer does it for him during a content search, the file is, in fact, accessed and
the event is recorded as such by DatAdvantage.


Events and Usage Policies


DatAdvantage events enable the definition of thresholds and policies to continuously track data
usage compliance across business processes, generating alerts for user violations, by data
sensitivity levels.


User Roles, Permissions and Security Model


DatAdvantage provides several basic predefined application roles:

• Enterprise Manager - Has full control over the DatAdvantage environment, including all required operations.
• Power User - Can edit and manipulate changes on the admin set, and after reviewing them, commit them to the actual environment.
• System Administrator - Maintain DatAdvantage through its configuration window. Cannot edit or commit changes on the actual data.
• User - The most basic role within DatAdvantage, a regular user can only view data.
• While all roles can view entities in DatAdvantage, the following operations can only be performed by certain roles:
  • Configuration
  • Edit/Commit

• All basic roles can generate reports.

In short:

| Role/Operation | View Objects | Configuration | Edit/Commit | Reports | View Classification Results Window |
|---|---|---|---|---|---|
| Enterprise Manager | + | + | + | + | + |
| Power User | + | - | + | + | + |
| System Administrator | + | + | - | + | |
| User | + | - | - | + | |

It is also possible for users to be members of several additional user roles at once, which provides fine-grained control over user access to various areas of
DatAdvantage. The following table lists the possible activities for each of the additional user roles:

Alerts View user
  General Capabilities: View and analyze alerts
  With the Configuration User: Same
  With the Commit/Edit User: Same
  Comments: No Jump To options are available

DCF and DW Configuration user
  General Capabilities: Open the DCF and DW Configuration window and use it to configure the DCF and DatAnswers.
  With the Configuration User: Same
  With the Commit/Edit User: Same

Classification Analysis for Unix Files
  General Capabilities: View the classification analysis of all sensitive files on a Unix file server from the Work Area (in the File Results Analysis window).
    Important: This role allows the user to access the files regardless of the user's permissions.
  With the Configuration User: Same
  With the Commit/Edit User: Same
  Comments: Only the Enterprise Manager can assign this role to users.

Classification Results View user
  General Capabilities:
    • View the DCF Notes and Violation Count columns in the Directories pane.
    • View the classification context menu in the Work Area.
    • View classification-related reports.
    • View subscriptions and templates with DCF columns and filters.
  With the Configuration User: Same
  With the Commit/Edit User: Same

Commit/Edit user
  General Capabilities: View and perform commit operations in the Change Management and Commit window (e.g., commit, discard, view and schedule commit processes).
  With the Configuration User: Same

DatAlert Configuration user
  General Capabilities: Configure real-time alerts using DatAlert.
  With the Configuration User: Same
  With the Commit/Edit User: Same

DatAnswers Elevated Search user
  General Capabilities:
    • Run searches as another user and view results that the user can view.
    • View all results for a searched term without permission or classification filtering.
  With the Configuration User: Same
  With the Commit/Edit User: Same

DatAnswers user
  General Capabilities: View secure search results in the DatAnswers user interface.
  With the Configuration User: Same
  With the Commit/Edit User: Same

Data Transport Engine Reports user
  General Capabilities: Enables viewing the Category 13 reports
  With the Configuration User: Same
  With the Commit/Edit User: Same

Dictionaries View user
  General Capabilities: View and edit the Dictionaries window.
  With the Configuration User: Same
  With the Commit/Edit User: Same

Directory Services Trends View user
  General Capabilities: Enables viewing the following reports in Category 14: 14d, 14e, 14f, 14g, 14h, and 14i
  With the Configuration User: Same
  With the Commit/Edit User: Same

Edit user
  General Capabilities:
    • View and edit permissions and group membership in the sandbox.
    • View changes and commit processes in the Change Management and Commit window.
    • Can discard changes.
    • Cannot commit changes.
    • Can create groups, but cannot perform any other account management activities.
  With the Configuration User: Same
  With the Commit/Edit User: N/A

File System Trends View user
  General Capabilities: Enables viewing the following reports in Category 14: 14a, 14b, and 14c
  With the Configuration User: Same
  With the Commit/Edit User: Same

Full Review user
  General Capabilities: Set the Override Object Limitation option in the Management Console.
  With the Configuration User: Same
  With the Commit/Edit User: Same

Logs View user
  General Capabilities:
    • View logs
    • Run Sync latest events
  With the Configuration User: Same
  With the Commit/Edit User: Same
  Comments:
    • Jump To options are available only to screens to which the user has permission
    • Jump to Work Area is only available if the user has the Work Area user role
    • Jump to Log is only available if the user has the Log view-based user role

Manage Ownership user
  General Capabilities:
    • Access the Manage Ownership window.
    • Assign ownership and custodianship without having access to the configuration screens in the Management Console.

Reports View user
  General Capabilities:
    • Create reports
    • Access the quick view
    • Subscribe to reports
    • Manage subscriptions
    • Set filters on the Filter Configuration tab
    • Set the schedule on the Scheduler tab
    • Configure Active Directory properties on the Active Directory Properties tab
  With the Configuration User: Same
  With the Commit/Edit User: Same
  Comments: No Jump To options are available

Review Area user
  General Capabilities:
    • View the Review Area
    • View permission status options
    • View the Edit pane
    • View editing history
  With the Configuration User:
    • View the Review Area
    • View permission status options
    • View the Edit pane
    • View editing history
    • Manage users and groups
    • Manage directories and files
  With the Commit/Edit User:
    • View the Review Area
    • View permission status options
    • View the Edit pane
    • View editing history
    • Manage users and groups
    • Manage directories and files
  Comments:
    • Jump To options are available only to screens to which the user has permission
    • Jump to Work Area is only available if the user has the Work Area user role
    • Jump to Review Area is only available if the user has the Review Area user role

Statistics View user
  General Capabilities:
    Generate statistics for:
    • Resources
    • Directories
    • Users
    • Groups
  With the Configuration User:
    Generate statistics for:
    • Resources
    • Directories
    • Users
    • Groups
    Manage ownership
  With the Commit/Edit User:
    Generate statistics for:
    • Resources
    • Directories
    • Users
    • Groups
    Manage ownership
  Comments:
    • Jump To options are available only to screens to which the user has permission
    • Jump to Work Area is only available if the user has the Work Area user role
    • Jump to Statistics is only available if the user has the Statistics view-based user role

Work Area user
  General Capabilities:
    • View permissions and recommendations
  With the Configuration User:
    • Manage users and groups
    • Manage directories and files
  With the Commit/Edit User:
    • Manage users and groups
    • Manage directories and files
  Comments:
    • Jump To options are available only to screens to which the user has permission
    • Jump to Work Area is only available if the user has the Work Area view-based user role

Users with multiple roles are granted the highest permissions possible for that combination of roles. This may result in redundancy. For example, the Enterprise
Manager role includes all the permissions available to all other roles; it would therefore be redundant to assign other roles to a user who is an Enterprise
Manager.

• A user's role is validated each time the user moves to another screen in DatAdvantage, so that only the areas to which that user has permission are displayed.

• The DatAdvantage authorization model limits the data to which a user has access. For example, a user might be limited to specific resources, OUs, directories,
and so forth.
• All roles are controlled by the security options that are set through the Management Console during configuration. These options function as follows:
  • Enable global flags and tags in DatAdvantage - Select to determine whether global flags and tags can be used in DatAdvantage.
  • Enable assigning global flags to a rule - If the Enable global flags and tags in DatAdvantage option is selected, this option becomes available for selection. Select to enable assigning global flags to a file based on DCF rule criteria. The global flags can be assigned to files only.
  • Apply object limitation for users that own both directory objects and file system objects - Select to restrict users from owning both directory objects and file system objects.
  • Enable object limitation for owners and custodians - Select to limit owners and custodians to view only the object hierarchy each one owns.
  • Do not provide activity information to group owners or domain custodians - Select this option to prevent group owners and domain custodians from viewing activity information regarding group members. Regarding reports, this option affects only results displayed in the user interface and data-driven subscriptions. It does not affect regular subscriptions. These must be deleted manually to prevent owners from viewing them.
    • Data-driven subscriptions are not sent to group owners or custodians
    • Activity-based reports (report categories 1 and 2) are not available to group owners or custodians
    • Group owners who are also data owners have access to all relevant information as usual
  • Limit DatAdvantage security configuration to Enterprise Managers only - Select this option to limit DatAdvantage security configuration to Enterprise Managers and exclude users with the Configuration role.

Abstract Entities
Abstract entities are users and groups whose security identifiers (SIDs) are not related to a
particular domain (similar to Microsoft's well-known SIDs and implicit groups).

IDU Analytics does not take abstract entities into consideration. No recommendations are
generated for their members or permissions.

Varonis identifies the following abstract groups:


• Nobody
• Everyone
• LOCAL
• CONSOLE_LOGON
• Creator Owner
• Creator Group
• Creator Owner Server
• Creator Group Server
• OWNER_RIGHTS
• Dialup
• Network
• Batch
• Interactive
• Service
• ANONYMOUS LOGON
• Proxy
• Enterprise Domain Controllers
• SELF
• Authenticated Users
• RESTRICTED
• Terminal Server Users
• IUSR
• SYSTEM
• Local Service
• Network Service
• WRITE_RESTRICTED
• NTLM Authentication
• SChannel Authentication
• Digest Authentication
• Other Organization
• Remote Interactive Logon
• This Organization
• Unknown User
• Unknown Group
• NT SERVICE\TrustedInstaller
• Other
• Default
• This Organization Certificate

Ownership and Custodianship


Ownership can be assigned to any entity in DatAdvantage. Once a user is assigned to be an
owner, that user can view and manage all actions regarding the application and the entities
assigned to him or her.

Except for a user defined as a custodian, any user in the Active Directory from any domain may be
an owner.

The following entities can be managed, regardless of their presentation (that is, as tree nodes, pie
chart slices, grid rows, and so on):
• Group
• Directory
• Mailbox - On Exchange or Exchange Online Servers, owners can only be assigned at the
mailbox level within the mailbox store. For example, an owner cannot be assigned to a specific
calendar.

When an owner is defined for a file system entity, the entity becomes the base folder. A base
folder cannot have a parent folder or subdirectories that are themselves base or managed folders.

Custodians are mainly responsible for the IT aspects of resource and domain management. They
may not act concurrently as owners over the objects residing in their assigned entities. Therefore,
access to the DatAdvantage UI by custodians and owners may be limited to their managed objects
only, allowing full segregation of data for security purposes.

In addition, custodians are not synchronized with DataPrivilege.

Groups can be defined as resource custodians to grant all members in the group custodian
privileges on the file server. If a member in the group is a folder owner on the resource, the
member can also be defined as a custodian. In this case, the member is limited to custodian
privileges only on the file server.

It is important to note that a custodian cannot be set on a resource or domain in which he already
owns a folder or group, and vice versa - a custodian cannot become an owner on a folder residing
on one of the resources under his custodianship.

A group - and not just a user - can also have ownership of both domains and file servers.
Assigning ownership to a group reduces the logistics of managing ownership changes.

Defining a group as an owner grants all users who are direct members of the group custodian
privileges on the file server. These direct members can see the file servers/domain in the Work
Area and Reports according to resource custodian limitations.

Users who are folder owners on a specific resource can also be members of the custodian group;
they are treated as resource custodians, not folder owners, with regard to ownership
limitations.

Note the following:


• Both security and distribution groups can be defined as group custodians.
• Abstract, global access and virtual groups cannot be defined as owners.
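
The assignment rules in this section can be expressed as checks. The following Python is an added example, not Varonis code or part of the guide, and it covers direct user assignments only (custodian groups are out of scope). The resource names, paths, principals and the OwnershipModel class are hypothetical.

```python
from pathlib import PurePosixPath

# Constructed subset of the abstract groups listed in the guide.
ABSTRACT_GROUPS = {"Everyone", "Authenticated Users", "Creator Owner", "SYSTEM"}


class OwnershipModel:
    """Hypothetical in-memory model of direct owner and custodian assignments."""

    def __init__(self):
        self.base_folders = {}  # (resource, PurePosixPath) -> set of owner names
        self.custodians = {}    # resource -> set of custodian names

    def assign_owner(self, principal, resource, folder):
        """Record the owner and return None, or return the rule that blocks it."""
        path = PurePosixPath(folder)
        if principal in ABSTRACT_GROUPS:
            return "abstract groups cannot be owners"
        if principal in self.custodians.get(resource, set()):
            return "custodian of this resource cannot own a folder on it"
        # An owned folder becomes a base folder; base folders must not nest.
        for res, base in self.base_folders:
            if res != resource or base == path:
                continue
            if base in path.parents:
                return f"parent {base} is already a base folder"
            if path in base.parents:
                return f"subdirectory {base} is already a base folder"
        self.base_folders.setdefault((resource, path), set()).add(principal)
        return None

    def assign_custodian(self, principal, resource):
        """Record the custodian and return None, or return the blocking rule."""
        for (res, base), owners in self.base_folders.items():
            if res == resource and principal in owners:
                return f"already owns {base} on this resource"
        self.custodians.setdefault(resource, set()).add(principal)
        return None


# Constructed requests: (kind, principal, resource, folder or None).
REQUESTS = [
    ("owner", "alice", "fs01", "/finance"),
    ("owner", "bob", "fs01", "/finance/payroll"),
    ("owner", "bob", "fs01", "/"),
    ("custodian", "alice", "fs01", None),
    ("custodian", "carol", "fs01", None),
    ("owner", "carol", "fs01", "/legal"),
    ("owner", "carol", "fs02", "/legal"),
    ("owner", "Everyone", "fs02", "/public"),
]


def review(requests):
    """Apply the requests in order; return each request with its blocking rule."""
    model = OwnershipModel()
    results = []
    for kind, principal, resource, folder in requests:
        if kind == "owner":
            reason = model.assign_owner(principal, resource, folder)
        else:
            reason = model.assign_custodian(principal, resource)
        results.append((kind, principal, resource, folder, reason))
    return results


if __name__ == "__main__":
    for kind, principal, resource, folder, reason in review(REQUESTS):
        target = f"{resource}:{folder}" if folder else resource
        print(f"{kind:9} {principal:9} {target:22} {reason or 'accepted'}")
```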

Custodians and Owners vs. Application Roles


While custodians and owners are limited in the objects they can view, application roles define
the user's capabilities on the viewable objects. This means that the role does not affect the
custodian's or owner's visibility, and the custodian or owner does not set any limitations or have
any to perform the allowed operations in the UI.

Keep the following in mind:

• In order to access the UI, a user must be defined in an application role. This implies that
even if this user is defined as an owner or custodian, he will not be able to operate the UI if
he is not defined in an allowed role. However, owners who have no application role are still
synchronized to DataPrivilege and they can receive data-driven reports.
• A user that is not listed as owner or custodian has no visibility limitations in DatAdvantage.
These users see all objects, regardless of their role. For example, an enterprise manager who
is an owner sees less than a simple user who is not an owner.

Enterprise Manager
  Owner:
    • Editing, commit, reporting and configuration for the managed objects only
    • Limited visibility
  Custodian:
    • Editing, commit, reporting and configuration for owned resources and domains and their nested objects
    • Limited visibility
  Non-Owner/Custodian:
    • Editing, commit, reporting and configuration for all objects
    • Full visibility

Power User
  Owner:
    • Editing, commit and reporting for managed objects only
    • Limited visibility
  Custodian:
    • Editing, commit and reporting for owned resources and domains and their nested objects
    • Limited visibility
  Non-Owner/Custodian:
    • Editing, commit and reporting for all objects
    • Full visibility

System Admin
  Owner:
    • Reporting for only managed objects and configuration
    • Limited visibility
  Custodian:
    • Reporting for configuration, owned resources and domains and their nested objects
    • Limited visibility
  Non-Owner/Custodian:
    • Reporting for all objects and configuration
    • Full visibility

User
  Owner: Limited visibility
  Custodian: Limited visibility
  Non-Owner/Custodian: Full visibility

UI Visibility Limitations for Owners and Custodians


By default, owners and custodians are limited in their ability to view objects in the UI as follows:

• Directory and User & Groups panes:
  • An owner or custodian can only change entities (edit, commit) and perform UI tasks (double-click, jump-to) on the objects he owns.
  • An owner or custodian can only view the Classification Results window for the objects he owns.
  • However, other non-managed objects may be visible in some situations, in view-only mode. For example, an owner can see nested groups under one of his managed groups.
  • If the owner manages folders, he can see all users and groups related to his folders. If the owner manages groups, he can see all the folders related to his groups.

Resource custodian
  Directory Pane:
    • Full visibility of all nested folders
    • Full control (editing, commit, double-click, jump-to) on all nested folders
  Users and Groups Pane:
    Full visibility of all objects.
    Double-click to view permissions on owned resources.

Folder owner
  Directory Pane:
    • Full visibility of all nested folders
    • Full control (editing, commit, double-click, jump-to) on all nested folders
  Users and Groups Pane:
    Full visibility of all objects.
    Double-click to view permissions on owned folders.

Domain custodian
  Directory Pane: Full visibility of all objects
  Users and Groups Pane:
    • Full visibility of all nested groups and users
    • Full control (editing, commit, double-click, jump-to) on all nested objects

Group owner
  Directory Pane: Full visibility of all objects
  Users and Groups Pane:
    • Full visibility of all nested groups and users
    • Full control (editing, commit, double-click, jump-to) only on the owned group.
    • Double-click unowned users or groups to view permissions on owned folders.

• Review Area and Errors pane
  • The Review Area is not populated automatically for owners and custodians.
  • The Errors pane is filtered to present only errors on or by managed objects.
• Selection drop-down lists (resources and domains) and pickers (users/groups or folders)
  • The selectors show only the relevant results for the owner or custodian. If the user owns only one folder on one resource, only this resource is visible in the resource selector. The same is true for domains.
  • Pickers are not limited by ownership. This means an owner can add members and permissions to his managed objects from any of the available views.
• Statistics View
  • Statistics are not populated automatically for owners and custodians. In the Statistics view, graphs are only loaded if the user double-clicks one of his owned objects.
  • Owners cannot right-click in the statistics graphs. This means owners cannot jump to other views or manage ownership options from within the displayed graphs, but it does allow drill-down within the graph itself (for sub-folders, or more granular pie-chart slices).
• Log View
  • The log automatically implements the data-driven mechanism, which limits the viewable objects according to the users' management status.
  • The data-driven mechanism limits log output even if the user sets filters that encompass a larger area than he is allowed to view.

Custodians, Owners and Reports


For both custodians and owners, the reports they may access in the UI are limited by the data-
driven mechanism. This means owners and custodians cannot create subscriptions that are not
data-driven.

Multiple Owners
Some users are set as owners of more than one type of object. For example:

• A user is both a folder owner and group owner


• A user is both a resource custodian and a group owner
• A user is both a resource custodian and a domain custodian
• A user is both a folder owner and a domain custodian

For these users, ownership limitations are treated as Or conditions. This means that in any of the
cases above, the user has full visibility for all the objects in the system, but he is limited in the
actions permitted to him.

Folder owner and group owner
  Directory Pane:
    • Full visibility for all folders on all resources
    • Control (editing, commit, double-click, jump-to) only on owned folder and all nested folders
  Users & Groups Pane:
    • Full visibility for all objects
    • Control (editing, commit, double-click, jump-to) only on owned group

Resource custodian and group owner
  Directory Pane:
    • Full visibility for all folders on all resources
    • Control (editing, commit, double-click, jump-to) only on owned resource and all nested folders
  Users & Groups Pane:
    • Full visibility to all objects
    • Control (editing, commit, double-click, jump-to) only on owned group

Resource custodian and domain custodian
  Directory Pane:
    • Full visibility on all folders on all resources
    • Control (editing, commit, double-click, jump-to) only on owned resource and all nested folders
  Users & Groups Pane:
    • Full visibility on all objects
    • Control (editing, commit, double-click, jump-to) only on groups and users from the owned domain

Folder owner and domain custodian
  Directory Pane:
    • Full visibility on all folders on all resources
    • Control (editing, commit, double-click, jump-to) only on owned folder and all nested folders
  Users & Groups Pane:
    • Full visibility to all objects
    • Control (editing, commit, double-click, jump-to) only on groups and users from the owned domain

Ownership Inheritance
The following table summarizes inheritance with regard to ownership and custodianship:

| | Inheritance | Description |
|---|---|---|
| Resource custodian | Yes | All sub-folders are viewable and manageable. |
| Folder owner | Yes | All sub-folders are viewable and manageable. |
| Domain custodian | Yes | All groups and users in the domain are viewable and manageable. |
| Group owner | No | All users in the groups, as well as nested groups are viewable. Only this group is manageable. |

Directory Service Account Management


Directory service account management enables system administrators working with DatAdvantage
to perform basic IT routines, such as user creation, unlocking users, resetting passwords and
disabling users, through DatAdvantage without having to use Active Directory or an external tool.

The following major directory service account management functions are available:

• User and account management - This includes the following administrative tasks:
  • Creating an entity
  • Deleting an entity
  • Resetting an entity password
  • Unlocking an entity
  • Enabling and disabling an entity
  • Moving an entity
  • Copying an entity
  • Editing an entity
  • Resetting user passwords
  • Unlocking users
  • Enabling or disabling users
• User and group filtering - This includes filtering accounts that require attention, such as locked users, expired passwords, etc.
• Capturing events - Capture user administration events such as locking and unlocking users; resetting passwords; and enabling or disabling users.
• Viewing and sorting directory service objects and properties - DatAdvantage provides convenient viewing and sorting of Active Directory properties within user and group panes.

These activities cannot be performed on unmonitored, built-in, and abstract accounts.

Note: Account management activities are not supported for SharePoint Online, Exchange
Online and OneDrive.

Share Visibility in DatAdvantage


DatAdvantage provides full visibility of effective permissions on the file system (CIFS), based on
both NTFS and share permissions. Such visibility is based on a logical folder view, in which folders
are presented from the perspective of the shares instead of the physical structure of the real folder
tree. When a resource is expanded, its shares are displayed as the first-level folders instead of its
volumes.

For non-CIFS resources (such as SharePoint, Unix and Exchange), the folder structure is displayed
as usual in the logical view. This means that even if the view state is switched to Logical, the real
folder tree is presented, just as it is in the physical view.

For mixed-mode resources (which include both CIFS and non-CIFS folders), the tree structure
presents all shares as well as the non-CIFS mount points at the first level.

Synchronization of Ownership with DataPrivilege


Ownership of DataPrivilege-supported folders and groups is synchronized between DatAdvantage
and DataPrivilege automatically, on an ongoing basis. If an owner is added to an entity in
DatAdvantage, a shared or DFS path referencing the entity is added to DataPrivilege with the
same owner, and vice versa. (DataPrivilege does not support custodians.)

The following conditions apply:


• The file server or domain in which the entity resides is set to include DataPrivilege in the
Management Console.
• The folder resides under a CIFS share or is a SharePoint entity (site collection, site or
SharePoint folder).
• For folders - The folder is defined as a base folder in DataPrivilege (conversely, only folders
defined as managed in DatAdvantage can be synchronized as base folders in DataPrivilege).

Accessibility for Color Blind Users


DatAdvantage includes a mode of operation for people who suffer from the Deuteranomaly form
of color blindness. This operating mode enables users to distinguish between red, green, yellow,
and gray objects that are displayed in the user interface.

The following improvements in color blind accessibility are available:

• In the Directories pane, inaccessible objects are indicated by a yellow folder icon and the text
of accessible objects is displayed in bold gray.
• In the Directories pane, accessible objects are indicated by a yellow folder icon inside a green
square.
• In the Users and Groups pane, the icons of disabled users and computers are lightened to
distinguish them from enabled users and groups.

For instructions on activating this feature, see Setting User Interface Display Options.

3 WORKFLOWS

This section describes recommended workflows. For complete instructions on carrying out the
activities described in the workflows, see the relevant sections.

Reviewing and Applying Analysis Recommendations


DatAdvantage enables you to modify the organization's user and group structure and permissions,
to remove unnecessary permissions and prevent access to corporate content by users who do not
need it.

By applying the described workflows on a daily basis for 30-45 minutes, you can eliminate risk and
simplify the domain structure, while maintaining user productivity.

Reviewing Known Data By Folder


Start the review process by focusing on areas of the file server with which you are familiar,
especially more sensitive areas. This might include Finance, Legal, Human Resources, Marketing,
Sales, and so on.

1. In the Work Area, select a directory or file with known data.


2. In the Directories pane, double-click the relevant directory or file to view the users and groups
that have access permissions for it.
3. Arrange the Recommended Users and Groups list by status to view recommended changes
at the top of the list.
4. In the Recommended Users and Groups list, double-click the relevant groups or users to view
the changes recommended across the file server. The explanation next to the directory or file
indicates the type of change - removing the group from the entity's Access Control List (ACL),
removing a user from the group, and so on.
5. Use the flags to categorize the users and groups into the following sets: Reviewed, Changed,
Requires Further Review, and Do Not Change.

Keep in mind that DatAdvantage does not provide recommendations for the Everyone and
Domain Users groups. There are also several groups, such as Domain Admin, whose users
normally do not use all the permissions provided by the group; as a result, recommendations will
be made to remove them from that group.

It is also important to remember that DatAdvantage IDU Analytics recommendations are based
on access. If a directory or file was not accessed at all, the analysis will recommend that all
permissions be removed from it.

Reviewing Known Groups


You might want to start the process by identifying groups in your Active Directory structure with
which you are familiar, and review the directory and file permissions for these groups.

Prior to reviewing specific groups, it is highly recommended to review the predefined Windows
Everyone and Domain Users groups. These groups are often granted extensive permissions; since
every domain user belongs to these groups by default, you may find that certain areas of the file
server are accessible to all users, with no controls. If you do find that either of these groups is
granted permissions, you should probably start the change process by modifying the permissions
to a more specific group (except for areas that are meant to be publicly accessible).

The group review procedure is similar to that of directories and files:

1. In the Existing Users pane (hidden by default), double-click the relevant group to view the
current permissions for the group.
2. In the Recommended Users pane, double-click the group to view recommendations for it
on the selected resource. If you are monitoring several resources, repeat the process for the
other resources after you have completed it for the current resource. The explanation next to
the directory or file indicates the type of change - removing the group from the entity's ACL,
removing a user from the group, the group from which the permissions were inherited, and so
on.
3. Sort the group list by status to view specific users with recommendations.
4. Double-click the groups or users to view the recommended changes across the file server.
5. Use the flags to categorize the users and groups into the following: Reviewed, Changed,
Requires Further Review, and Do Not Change.

Reviewing Similar Data


You can use the groups you identified in the previous steps to discover additional changes that
may be applied to the Active Directory.

For each group:

1. Identify all the directories and files the group members can access in addition to the ones you
previously reviewed.
2. Use these directories and files for further review.

For group members with recommendations:


• Identify other groups of which these users are members and see if there are any
recommendations to modify these other groups (for example, remove the user from the group
or change directory or file permissions for that group as well).

Validating and Applying Changes


Once the analysis is completed, the Work Area displays the recommended changes.

Note: You can also use the IDU Analytics and Editing reports to review recommended
changes.

In addition to the recommended changes, you can provide manual input by editing group
membership and permissions on directories and files.

In order to apply the recommendations and manual edits to the production environment, you must
perform the commit process. Until you do so, the recommendations and manual edits remain in the
virtual environment.

After completing the review, there are several ways to validate the changes you have made in
DatAdvantage before they are applied to your production environment.

Begin by reviewing the errors listed in the Review Area to identify changes that may cause access
denials. This review validates the changes based on past usage patterns. Keep in mind that errors
are calculated in the background in real time, so the administrator can continue working.

Note: It still might take some time to complete the calculations (up to a few minutes).
Therefore, the effect of a change may not be evident for several minutes.

For changes that may impact sensitive groups, directories or files, you can delay applying the
changes to the production environment for 1-2 weeks (this is especially true during the first few
months after deployment, when IDU Analytics is still adapting to the users' behavior patterns). This
enables DatAdvantage to collect additional events and make more precise calculations of errors.
Remember - a user may not access a particular directory or file for a long time; the user may be
ill or on vacation, or the data may be needed on only an occasional basis (such as payroll data
or quarterly financial data). This results in a recommendation to remove the user; however, the
recommendation may change when more data is collected.
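
The validation against past usage described above can be reproduced on exported data. The following Python is an added example, not Varonis code or part of the guide: it replays recorded access events against proposed group-membership removals and lists the accesses that would have been denied. The groups, paths, events, dates and function names are constructed for illustration.

```python
from datetime import date, timedelta
from pathlib import PurePosixPath

# Constructed sample data: folder ACLs (groups with access), group members,
# and recorded access events as (day, user, folder).
ACL = {
    "/finance/payroll": {"Payroll"},
    "/finance/quarterly": {"Finance-Reports"},
}
MEMBERS = {
    "Payroll": {"erin", "gary"},
    "Finance-Reports": {"dana", "frank"},
}
EVENTS = [
    (date(2017, 1, 10), "dana", "/finance/quarterly/Q1"),
    (date(2017, 1, 11), "dana", "/finance/quarterly/Q1"),
    (date(2017, 4, 3), "frank", "/finance/quarterly/Q1"),
    (date(2017, 4, 25), "erin", "/finance/payroll"),
    (date(2017, 4, 26), "frank", "/finance/quarterly/Q2"),
]
# Proposed edits, not yet committed: (group, user) memberships to remove.
REMOVALS = [("Finance-Reports", "dana"), ("Payroll", "gary")]
TODAY = date(2017, 5, 1)  # constructed "current" date for the replay


def can_access(user, folder, acl, members):
    """True if a group on the folder's ACL, or on an ancestor's, contains the user."""
    path = PurePosixPath(folder)
    for acl_folder, groups in acl.items():
        base = PurePosixPath(acl_folder)
        if base == path or base in path.parents:
            if any(user in members.get(group, set()) for group in groups):
                return True
    return False


def apply_removals(members, removals):
    """Return a copy of the membership map with the proposed removals applied."""
    after = {group: set(users) for group, users in members.items()}
    for group, user in removals:
        after.get(group, set()).discard(user)
    return after


def predicted_denials(removals, today, window_days):
    """Replay events from the last window_days; list accesses the edits would deny.

    Each result is (user, folder, number of affected events, date of the last one).
    """
    window_start = today - timedelta(days=window_days)
    after = apply_removals(MEMBERS, removals)
    hits = {}
    for day, user, folder in EVENTS:
        if day < window_start:
            continue
        allowed_now = can_access(user, folder, ACL, MEMBERS)
        allowed_after = can_access(user, folder, ACL, after)
        if allowed_now and not allowed_after:
            hits.setdefault((user, folder), []).append(day)
    return [
        (user, folder, len(days), max(days).isoformat())
        for (user, folder), days in sorted(hits.items())
    ]


if __name__ == "__main__":
    for window in (30, 120):
        print(f"{window}-day window:", predicted_denials(REMOVALS, TODAY, window))
```

With the 30-day window both removals look safe; the 120-day window surfaces the January accesses to the quarterly data, which is the occasional-use case this section describes.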

In rare cases, additional validation can be obtained by discussing the changes with the users
themselves or with the group managers. Explain the changes you are about to make and the
reasoning behind them, and verify that there is no business reason to contradict the behavior
pattern established by DatAdvantage.

Note: When you apply the changes, be sure you are aware of reporting relationships, and
be careful of making changes to group managers and executives. A manager may require
permissions to data he or she does not access on a regular basis (and it was therefore
recommended to deny the manager access to the data), but the manager's reports do access
it regularly.

Identifying Unusual Behavior


A different workflow scenario may be used for file servers, to identify unusual behavior and
understand the cause. Such behavior is normally the result of legitimate usage (such as an
application accessing a large amount of data, a user backing up information to the file server, etc.).
You may still want to be aware of this usage for planning purposes, and perhaps to make changes
to applications accessing the file server. In rare cases, the anomaly in usage can be attributed to
illegitimate behavior, such as a user hoarding data prior to leaving your organization.
Use the following workflow to review usage patterns and identify anomalies:

1. Begin by using the Alerts view to examine unusual user utilization.


2. Review the Activity History chart for the file server over a period of at least four weeks. Try to
identify any usage patterns (weekdays vs. weekends, middle vs. end of the month, and so on).

3. If you identify days that do not fit the pattern, focus on these days. Use the file server's
Directory and User Activity charts to see if a single user is responsible for the activity, and
whether it is focused on a specific area of the file server.
4. Even if no unusual activity is detected in the Activity History chart, review the other charts to
determine whether a user, directory or file is generating a high level of activity.
5. After you have determined the source, use the User and Directory Statistics charts to drill
down and better understand the nature of the abnormal behavior. For example, check the
user's activity to see whether there are usage patterns that may explain the behavior, check
the user's activity relative to other group members, and so on.
6. If necessary, use the logs to drill down further and review the actual events, to determine the
exact nature of the activity. For example, a user creating a large number of files is probably
backing up data to the file server, whereas a user opening a large number of files across
many directories may be gathering information for some reason.
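
The triage logic of steps 2 to 6, as an added Python sketch over a constructed four-week event sample (this is not DatAdvantage code or output; the user names, paths, the 3x-median threshold and the ten-directory cutoff are all assumptions):

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_events():
    """Constructed four-week sample of (day, user, operation, directory) events."""
    events, start = [], date(2017, 5, 1)            # a Monday
    for offset in range(28):
        day = start + timedelta(days=offset)
        per_user = 5 if day.weekday() >= 5 else 40  # quiet weekends, busy weekdays
        for user in ("alice", "bob", "carol"):
            events += [(day, user, "open", f"/dept/{user}")] * per_user
    # Two constructed anomalies: a broad read and a bulk upload.
    events += [(date(2017, 5, 17), "dave", "open", f"/dept/dir{i % 60}")
               for i in range(900)]
    events += [(date(2017, 5, 27), "erin", "create", "/backup/erin")] * 400
    return events


def unusual_days(events, factor=3):
    """Steps 2-3: days whose total exceeds factor x the median for that weekday."""
    totals = Counter(day for day, _, _, _ in events)
    by_weekday = defaultdict(list)
    for day, count in totals.items():
        by_weekday[day.weekday()].append(count)
    return sorted(day for day, count in totals.items()
                  if count > factor * median(by_weekday[day.weekday()]))


def top_user(events, day):
    """Steps 3-4: the single user responsible for most of that day's activity."""
    users = Counter(u for d, u, _, _ in events if d == day)
    return users.most_common(1)[0][0]


def characterize(events, day, user, min_dirs=10):
    """Step 6: mostly creates suggests a backup; opens spread over many
    directories suggest information gathering."""
    mine = [(op, path) for d, u, op, path in events if d == day and u == user]
    ops = Counter(op for op, _ in mine)
    dirs = {path for op, path in mine if op == "open"}
    if ops["create"] > len(mine) / 2:
        return "bulk-create"
    if ops["open"] > len(mine) / 2 and len(dirs) >= min_dirs:
        return "broad-read"
    return "other"


def investigate(events):
    """Run the whole workflow and return (day, user, label) per unusual day."""
    findings = []
    for day in unusual_days(events):
        user = top_user(events, day)
        findings.append((day, user, characterize(events, day, user)))
    return findings


if __name__ == "__main__":
    for finding in investigate(build_sample_events()):
        print(finding)
```

Comparing each day with the median for the same weekday keeps a normally quiet Saturday from hiding a spike that would look ordinary on a Wednesday.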

Using DatAdvantage to Move from Share to NTFS Permissions
Microsoft recommends using real NTFS permissions and not share permissions on the file system.
However, in the past, many businesses implemented share permissions, even though they are
much less secure than file system NTFS permissions.

With Varonis DatAdvantage, the organization can easily view share permissions as such and edit
them as NTFS permissions. DatAdvantage has a powerful engine that sandboxes permissions
changes before implementing them in the real environment. This engine can be used for
identifying abnormalities during the transition from share permissions to NTFS permissions.

The workflow is quite simple:


1. Identify the shares. Shares have a unique icon in the DatAdvantage Work Area, so the
administrator can quickly identify them. In addition, dedicated DatAdvantage reports (4h and
4j) print out the names of all existing shares and their permissions.
2. Edit the directory permissions (NTFS) on the shares using the built-in DatAdvantage editor.
DatAdvantage mimics the Microsoft permissions editing dialog box. However, the permissions
defined here are not implemented directly in the file system. Instead, they are used to
simulate a fictive environment (the sandbox).
3. Check permissions against real access (sandboxing). Here the true power of DatAdvantage
can be leveraged. After editing is complete, the system indicates the need for
synchronization. Synchronization compares real audited access with the new permissions
and raises alerts wherever the new permissions would block access. These errors can be
viewed in the Review Area or in the Errors pane in the Work Area (a report is also available).
4. Fine-tune and commit. After the sandbox stage is complete, permissions can be tweaked as
necessary to repair issues (errors) that may arise. Finally, the administrator can commit the
changes to the real environment at a granularity of the selected (edited) folders.

Reviewing Activities
DatAdvantage makes it easy to discover usage patterns across the enterprise, without resorting
to the cumbersome work of digging through activity logs. Instead, use the DatAdvantage Statistics
view to identify trends in usage and access. If you require more information at that point, the
Statistics view provides simple drill-down access to the precise location you need in the logs.

Using DatAdvantage to Understand Security Changes


File system events, specifically Set Security events, provide quite a bit of information about
themselves:
• When the change occurred
• Who made the change
• Which object (i.e., which folder) was affected

However, there is no information about what actually happened. There is no way to tell just by
examining the event itself whether permissions were added or removed, or the file was opened, or
something else happened.

DatAdvantage uses the FileWalk job to examine the file system at predefined intervals and identify
events that occurred on it. Each time the FileWalk job runs, it captures the file system's permission
structure and compares the results to the previous capture. The differences between the two
captures are stored as the history of differences and can be viewed in the Logs view.

This comparison provides information about:


• What actually happened
• When the change occurred (i.e., between the two job runs)
• Which object was affected

However, it does not know who made the change.

Problem
The events themselves and the history of differences provide several pieces of the puzzle, but
neither provides the entire picture. How, then, can you understand exactly what happened?

Solution
In either the Log View or the Report View (report 1a), you can view both audit events and the
history of differences. Use the two sets of information together to establish a full understanding of
the event.

Example

In the figure above, notice rows 2 and 3, which are marked in red.

Row 2 describes an event. You can see the change was made at 5:23 by a user named
DPplatinum-admin. However, since the event was pulled from the operating system, it does not
include any sort of description.

On the other hand, row 3 is drawn from the history of differences. Notice the following:

• The Time column indicates the first time the permissions in question have appeared (or the last
time, if the event is the removal of permissions).
• We do not know exactly who made the change - the Operation By column merely says
FileWalk.
• There is a full description of the change - Read permissions have been added to the directory.

The problem would be completely solved if the two sets of information could be correlated.
Unfortunately, it is impossible to do so. While correlation is not difficult for a single change,
consider what might happen if two users made changes to the same folder. It is not possible to
associate one of the changes with one particular user. If there are three or more users making
changes that override other changes, the problem increases substantially. Moreover, if a change
was made and then rolled back between two runs of the FileWalk job, the history of differences
would not recognize a change at all.
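
The limits described above can be made concrete. The following added Python sketch (not part of DatAdvantage; the record layout, dates, paths and all users other than DPplatinum-admin are constructed) pairs each history-of-differences row with the Set Security events recorded on the same object between the two FileWalk runs, and attributes the change only when exactly one user appears:

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    """Set Security event from the operating system: when, who, which object."""
    time: datetime
    user: str
    path: str


@dataclass(frozen=True)
class FileWalkDiff:
    """History-of-differences row: what changed, on which object, between which runs."""
    prev_run: datetime
    this_run: datetime
    path: str
    description: str


def correlate(events, diffs):
    """Return (attributions, no_net_change).

    attributions: (path, description, verdict, users) for every diff.
    no_net_change: audit events that no diff accounts for, for example a
    change that was rolled back before the next FileWalk run.
    """
    attributions, matched = [], set()
    for d in diffs:
        in_window = [e for e in events
                     if e.path == d.path and d.prev_run < e.time <= d.this_run]
        matched.update(in_window)
        users = sorted({e.user for e in in_window})
        if len(users) == 1:
            verdict = "attributed"        # single actor: safe to name the user
        elif users:
            verdict = "ambiguous"         # several actors: cannot tell who did what
        else:
            verdict = "no-audit-event"    # diff seen, but no event was captured
        attributions.append((d.path, d.description, verdict, users))
    no_net_change = [e for e in events if e not in matched]
    return attributions, no_net_change


def demo():
    """Constructed sample: one clean match, one ambiguous folder, one rollback."""
    run1, run2 = datetime(2017, 5, 1, 0, 0), datetime(2017, 5, 2, 0, 0)
    events = [
        AuditEvent(datetime(2017, 5, 1, 5, 23), "DPplatinum-admin", r"\\fs01\Finance"),
        AuditEvent(datetime(2017, 5, 1, 9, 10), "alice", r"\\fs01\HR"),
        AuditEvent(datetime(2017, 5, 1, 14, 40), "bob", r"\\fs01\HR"),
        AuditEvent(datetime(2017, 5, 1, 11, 0), "carol", r"\\fs01\Legal"),
        AuditEvent(datetime(2017, 5, 1, 11, 5), "carol", r"\\fs01\Legal"),
    ]
    diffs = [
        FileWalkDiff(run1, run2, r"\\fs01\Finance", "Read permissions added"),
        FileWalkDiff(run1, run2, r"\\fs01\HR", "Modify permissions removed"),
        FileWalkDiff(run1, run2, r"\\fs01\Public", "Read permissions added"),
    ]
    return correlate(events, diffs)


if __name__ == "__main__":
    attributions, no_net_change = demo()
    for row in attributions:
        print(row)
    for event in no_net_change:
        print("no net change recorded:", event)
```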

4 GETTING STARTED

Starting DatAdvantage
To start DatAdvantage:

• From the default Windows Start menu, select Programs > Varonis > DatAdvantage;
-OR-

• On the desktop, double-click the DatAdvantage icon.

The DatAdvantage splash screen is displayed.

DatAdvantage displays the Work Area.

Note: To verify your version of DatAdvantage, select Help > About.

DatAdvantage's Graphical User Interface


The DatAdvantage user interface comprises several elements:
• The menu bar at the top of the screen
• View selection icons
• Several entity panes on the left, in an accordion-style panel
• Existing Users and Groups list
• Error list
In some views, these panes are collapsible and are hidden by default.

• A contextual display, based on the current active entity


• Recommended Users and Groups list (collapsible)
• Current active entity indicator, at the top right of the window
• A status bar at the bottom of the window, which displays operation status, last pulled event
date and time, software messages and errors. This bar also allows some control over error
recalculation and "pull on demand."

Note: The DatAdvantage UI only supports text at a zoom level of 100%.

DatAdvantage Views
DatAdvantage includes several views that enable you to examine and modify the information it
collects:
• The Work Area is DatAdvantage's main working environment. It provides full visibility of
Active Directory, the directory structure and permissions in the organization. This view reflects
the organizational changes recommended by DatAdvantage IDU Analytics, and enables
administrators to edit users, groups and permissions through smart, user-friendly editors.
The Work Area is divided into the following panes:
• Directories - Displayed in the center pane. Use the Directories pane to view the rights
to directories and files in either an actual or recommended user or group environment.
There are some differences in the information displayed in this pane for Unix and Windows
installations.
• Recommended Users & Groups - Represented by the pane on the right side of the window.
The Recommended Users & Groups list displays DatAdvantage's recommendations
for group membership and directory or file access rights. There are differences in the
options available in this pane for Unix and Windows installations. For Unix, three different
permissions are presented - those of the owner, those of its group, and those of all the rest.
• Existing Users & Groups - Represented by a pane on the left side of the window (the pane
is hidden by default). This pane reflects the actual entities in the environment. There are
differences in the options available in this pane for Unix and Windows installations.

Together, these panes provide an integrated view of current user and group rights to files and
directories. In addition, they display DatAdvantage suggestions and manual changes made by
the administrator for file rights and group membership.
• The Review Area enables administrators to analyze the virtual environment created by
DatAdvantage IDU Analytics, along with the administrator's changes, prior to committing these
changes to the real environment.
• The Statistics view provides detailed visualizations and activity graphs for user-defined
timeframes, file servers, directories, users and user groups.
• The Logs view enables you to browse and search the event logs from all the monitored
resources for a specific day, down to the level of a single event, to provide full coverage of the
system.
• The Reports view enables you to define reports to be sent periodically by email. You can also
view reports online, and store snapshots of important reports.
• The Alerts view notifies you if a user's behavior is unusual. When DatAdvantage analyzes
usage patterns for the past 30 days, it generates alerts for users whose patterns do not suit the
norm.
• Print - The Print button enables you to print data from the Statistics and Alerts views.
• Print Preview - The Print Preview button enables you to view the Statistics or Alerts page you
are going to print.

Menus and Toolbar


DatAdvantage includes the following menus:

• File - Includes the following commands:


• Exit - Select to exit DatAdvantage.
• Tabs - Enables you to select a view in which to work.
• Tools - Enables administrators to perform a number of activities. The options available on this
menu change according to the selected view.

Menu Options Description

Select IDU Server Enables you to manage IDUs.

DCF and DW
• Enables launching the DCF and DW Configuration window, to define classification metadata.
(This option is only available if the Data Classification Framework is installed.)
• Enables launching the DCF and DW Monitor, to monitor the status of the DCF and
DatAnswers services, as well as the status of the classification scan.

Dictionaries Enables defining dictionaries of terms for use in various rules.

Follow up Enables you to configure follow-up indicators as needed. (This option is not
available if DatAnswers is installed without a valid DatAdvantage license.)

Upload Follow Up Indicators Enables uploading a CSV file containing all the data required to
define flags and tags in a bulk operation.

Manage Ownership Enables you to manage ownership of DatAdvantage entities. (This option is
not available if DatAnswers is installed without a valid DatAdvantage license.)

Management Console Enables launching the Management Console directly from the
DatAdvantage UI.

Archive Enables you to archive events and statistics. (This option is not available if
DatAnswers is installed without a valid DatAdvantage license.)

Change Management (Commit) Enables you to manage changes and commit processes.

DatAlert
• Enables you to define alerts on highly sensitive events. The alerts are generated and sent
in real-time (or nearly so). (This option is not available if DatAnswers is installed without a
valid DatAdvantage license.)
• Enables launching the DatAlert Web Interface.

Automation Engine Enables using the Automation Engine utilities, a suite of tools
that provide the means to remediate security issues in the
organization's file system:
• Broken Inheritance Repair Utility
• Global Access Groups Utility

Data Transport Engine Enables you to define rules to transport data securely from one
location to another. (This option is not available if DatAnswers is
installed without a valid DatAdvantage license.)

DatAdvantage Operational Log Enables jumping directly to report 8.b.01, the DatAdvantage
Operational Log. (This option is not available if DatAnswers is installed without a valid
DatAdvantage license.)

Options Enables you to define various display options. (This option is not
available if DatAnswers is installed without a valid DatAdvantage
license.)

Reset Stored Credentials Enables you to delete the credentials stored for this session
during commit or DCF analysis. (This option is not available if
DatAnswers is installed without a valid DatAdvantage license.)

• Help - Provides access to the following:


• Support Assistant - When you need to contact Varonis Support, select to start a utility
that gathers information about your Varonis products and sends it to Varonis Support for
analysis.
• Contents and Index - Select to open DatAdvantage's online help.

• Legend - Select to display a legend of DatAdvantage's icons and decorators.


• About - Select to view version, build and copyright information about DatAdvantage. The
License tab describes the user roles that have been purchased.

The tool bar includes the following elements:


• Buttons to toggle each of the views.
• Current Active Entity drop-down list - Located by default at the top right of the window, this
drop-down indicates the entity you are currently working with and is a useful reference when
you need to switch frequently between views.

DatAdvantage Status Bar


The status bar is displayed at the bottom of the screen. It provides information regarding the status
of the current operation, software messages and errors.

When you select a resource, reload a list, or perform any other operation (such as viewing
statistics or logs), the left side of the status bar displays the progress of the operation. When the
operation is complete, the displayed status is Finished.

If software messages (such as warnings or errors) have been generated, the status bar displays
the number of messages that are available for viewing. Click New Msg once to read the messages.

Displaying the DatAdvantage Legend


DatAdvantage makes extensive use of icons and decorators to provide information about users,
groups, directories, files, and other entities in the system.

To display the legend:

1. Select Help > Legend. The legend is displayed.

2. Select the relevant tab:


• Objects - Lists the icons and decorators that describe directory objects.

• Status - Lists the icons and decorators that describe the status of entities in the system.

• Accounts - Lists the icons and decorators that describe various types of accounts. This
includes decorators for accounts that were not active in the system at all during the
analysis period.

• Follow Up - Lists the default flags and tags that are configured in the system.

• Directory Services - Lists the icons and decorators that describe directory service objects.

• Exchange - Lists icons used by Microsoft Exchange and Microsoft Exchange Online.

Keyboard Shortcuts
The following sections describe the keyboard shortcuts that are available in the DatAdvantage
user interface.

Standard Windows Navigation


In addition to the keyboard shortcuts specified below, standard Windows navigation is available:
• Tab - Move from one item to another on the screen.
• Space bar - Select item, open item
• Enter - Select item, open item
• Shift+Up arrow, Shift+Down arrow - Select several adjacent items in a multi-selection list
• Esc - Close item

File Menu

Action Keyboard Shortcut

Open the File menu Alt+F

Exit DatAdvantage Alt+F+E

Tabs Menu

Action Keyboard Shortcut

Open the Tabs menu Alt+B

Go to the Work Area Alt+B+W

Go to the Review Area Alt+B+V

Go to the Statistics view Alt+B+S

Go to the Log view Alt+B+L

Go to the Reports view Alt+B+R

Go to the Alerts view Alt+B+A

Tools Menu

Action Keyboard Shortcut

Open the Tools menu Alt+T

Select the IDU Server option Alt+T+S

Select the DCF and DW option Alt+T+W

Select the DCF and DW > Configuration option Alt+T+W+C

Select the DCF and DW > DCF and DW Monitor option Alt+T+W+M

Select the Follow Up option Alt+T+F

Select the Upload Follow Up Indicators option Alt+T+U

Select the Manage Ownership option Alt+T+M

Select the Management Console option Alt+T+C

Select the Archive option Alt+T+A

Select the Archive > Archive Events option Alt+T+A+E

Select the Archive > Archive Statistics option Alt+T+A+S

Select the DatAlert option Alt+T+D

Select the Data Transport Engine option Alt+T+T

Select the DatAdvantage Operational Log option Alt+T+P

Select the Options option Alt+T+O

Select the Commit History option Alt+T+H

Select the Reset Stored Credentials option Alt+T+R

Select the Errors option Alt+T+E

Select the Errors > Export to Excel option Alt+T+E+E

Select the Discard Admin Changes option Alt+T+G

Select the Discard Admin Changes > Only Active Resources option Alt+T+G+O

Select the Discard Admin Changes > All Resources option Alt+T+G+A

Select the Log option Alt+T+L

Select the Log > Synchronize Latest Events > Only Active Resources option Alt+T+L+O

Select the Log > Synchronize Latest Events > All Resources option Alt+T+L+A

Help Menu

Action Keyboard Shortcut

Open the Help menu Alt+H

Select the Help > Support Assistant option Alt+H+S

Select the Help > Contents and Index option Alt+H+C

Select the Help > Legend option Alt+H+L

Select the Help > About option Alt+H+A

Work Area Panes

Action Keyboard Shortcut

Open and focus on or close the Existing Users and Groups pane Ctrl+1

Open and focus on or close the Errors pane Ctrl+1

Open or close the left pane (Existing Users and Groups) Ctrl+L

Focus on the Directories pane Ctrl+M

Open and focus on or close the right pane (Recommended Users and Groups) Ctrl+R

Reload the pane that is in focus F5

Log View Panes

Action Keyboard Shortcut

Open and focus on or close the Users and Groups pane Ctrl+1 (toggles between the Users and
Groups pane and the Directories pane)

Open and focus on or close the Directories pane Ctrl+1 (toggles between the Users and
Groups pane and the Directories pane)

Open or close the left pane Ctrl+L

Open and focus on the Simple Search pane Ctrl+U

Open and focus on the Advanced Search pane Ctrl+E

Open and focus on the Log Results pane Ctrl+D

Reload the pane that is in focus F5

Reports View Panes

Action Keyboard Shortcut

Open and focus on or close the My Subscriptions pane Ctrl+1 (toggles between the My
Subscriptions pane and the Reports List pane)

Open and focus on or close the Reports List pane Ctrl+1 (toggles between the My
Subscriptions pane and the Reports List pane)

Open or close the left pane Ctrl+L

Open and focus on the Filters tab Ctrl+2

Open and focus on the Columns tab Ctrl+3

Open and focus on the Display tab Ctrl+4

Open and focus on the Help View Ctrl+H

Open and focus on the Table View Ctrl+T

Reload the pane that is in focus F5

Closing DatAdvantage
To close DatAdvantage:
1. Save your work.
2. Select File > Exit. DatAdvantage is closed.

5 COMMON ACTIVITIES

Several elements are shared by most of the DatAdvantage views. The following subsections
describe these elements and provide general instructions for their use. For more specific
instructions for using these elements, see the relevant section in this guide.

Setting User Interface Display Options


To set UI display options:

1. Select Tools > Options.

2. Select the following options as required:


• Auto-load User and Groups pane. Disabling this option speeds up UI performance for
large user repositories. - Select or clear this option as required.
• Mark inconsistent ACLs - Mark entities that have broken permission inheritance.
• Enable display of legend-based ToolTips to describe icons and decorators on entities
throughout DatAdvantage - Select or clear this option as required.
• Improve accessibility for color-blind users (requires restart of DatAdvantage) - Select or
clear this option as required.
3. Click OK.

Switching Views
There are several ways to switch views in DatAdvantage:
• From the Tabs menu, select the required view.

• On the tool bar, click the relevant view selection tab to move to the required view.

• When you are working with an entity whose information appears in more than one view
(such as a user or directory), select the Jump To option from the shortcut menu (accessed by
right-clicking the relevant entity). This method enables you to switch to another view while
maintaining the context of the entity with which you were working.

• In the Statistics view, you can access the same shortcut menu by right-clicking a pie slice or a
bar in the relevant graph. If you jump to the Logs view, the log is automatically loaded with the
relevant filters, so that it reflects the events that comprise the selected graph portion.

Selecting Resources
Selecting the resource (that is, the file server or directory service), is the first step in managing the
user and directory environment in the rest of the Work Area. The Directories pane and permissions
for users and groups are based on the selection of the resource. The default resource is the first
one added to the system during installation of DatAdvantage.

All the network resources monitored by DatAdvantage are displayed in the Resources drop-down
list in the Directories pane. Resources located on all supported platforms can be displayed.

Exchange uses the concept of logical storage, called the storage group. A storage group may
comprise many Exchange Servers within a single domain. In the Directories pane, storage groups
are represented as resources.

Directory services are represented as containers in which domains reside. They are represented
as a flat list, regardless of the trust relationships between them.

In the Work Area and the Statistics view, you may select more than one resource.
• Work Area - Information about all selected resources is displayed in the Directories pane.

Important: It is strongly recommended that only up to ten resources be selected at the
same time. More than that will result in seriously decreased performance.

• Statistics view - Aggregated statistics are displayed for all selected resources.

To select a resource:

1. From the Resources drop-down list, select the required resource, or select All Resources. If
you selected All, all the resources defined in your environment are listed in the Resources
table.

2. Filter and sort the table as follows to quickly locate the relevant file server:
• In the Look For field, type the first few characters of the file server's name.

• In the results table, set filters in the first row under the table header as required.

• Click the header of any table column to sort the results by that column.
3. After you have located the required file server, select its checkbox.
4. To remove a resource, clear its checkbox.

Showing and Hiding Window Panes


To provide maximum flexibility, DatAdvantage window panes can be shown or hidden as
necessary.

To show or hide a window pane:


• Click the pane's show/hide bar, which looks like this:

The pane is shown or hidden as relevant.

Using the Current Active Entity List


The Current Active Entity drop-down list is located at the top right of the window. Your selection
from this list sets the entity throughout DatAdvantage.

Use the Current Active Entity list according to the following guidelines:
• Each time you select an entity in one of the main panes (Resources, Directories or Users &
Groups), it is added to the Current Active Entity list.
• You can also select an entity from the list itself to make it the current active entity.
• Click the Move Forward and Move Back buttons to navigate the list as required.
• The list can contain up to 50 entities at a time.
• Entities in the list have the following naming convention:
<Entity icon> <View name>:<Entity name>
• If you select an entity that is located in a different view, the view is switched, and view
preferences (such as timeframe and filters) are refreshed accordingly.

Using the Directory Services Search Dialog Box


The Directory Services Search dialog box is used throughout DatAdvantage to specify the users
and groups that are required for various activities.

To use the Directory Services Search dialog box:


1. Open the dialog box from the relevant view, pane or entity.

2. From the OUs drop-down list, select the organizational unit in which the required user is
located. The OU's users are displayed.
3. Select the following options as relevant:
• Include computer accounts - Select to include computer accounts in the search results
• History - Select to include
4. Enter the search criteria:
• Search field - Enter the name (or the first few letters) of the entity you want to find.
• In field - From the drop-down list, select an Active Directory property by which to further
filter the search.
• Search field - Type the first few letters of the relevant entity's name.
5. Click Search.

The entities whose properties match the search criteria are displayed in the center pane of
the dialog box.
6. From the center pane, select the relevant entity.
7. Click Add.
The entity is moved to the bottom pane of the dialog box.
8. Repeat to add other users to the group.
9. Click OK.
The dialog box is closed, and the users are added to the group. The users are marked with
green plus signs and the group is marked with a yellow pencil.

Using the Directory Picker Dialog Box


The Directory Picker dialog box is used throughout DatAdvantage to specify the directories that
are required for various activities.
To use the Directory Picker dialog box:

1. Open the dialog box from the relevant view, pane or entity.

2. Use the Resources drop-down list and the Look For field to search for the required directory.
3. Click Search.

The entities whose properties match the search criteria are displayed in the center pane of
the dialog box.
4. From the center pane, select the relevant entity.
5. Click Add.
The entity is moved to the bottom pane of the dialog box.
6. Repeat steps 4 and 5 to select additional entities.
7. Click OK.

Navigating Directories and Files


There are several ways you can navigate directories and files. You can:
• Search for specific directories and files
• View additional property information about directories and files, such as types of permissions
or other indicators
• "Prune" the search results to pinpoint the directories or files you need
• Set the columns in the contextual display
• Use filters to pinpoint the directories or files you need

Searching for Directories and Files


To search for directories and files:
1. In the Directories pane, locate the entity you want to work with.
2. In the Look For field, type a text string you want to search for. There is no need to add
asterisk (*) or percent (%) wildcards.
3. Click Search.
The directories and files whose names include the string you typed are displayed in the
Directories pane.

Understanding Logical and Physical Views


DatAdvantage provides full visibility of effective permissions on the file system (CIFS), based on
both NTFS and share permissions. Such visibility is based on a logical folder view, in which folders
are presented from the perspective of the shares instead of the physical structure of the real folder
tree. When a resource is expanded, its shares are displayed as the first-level folders instead of its
volumes.

Note: This has no relevance for directory service probing.

Understanding Share Permissions on Folders

Example 1
The following illustrates the allocation of permissions on a given folder:
• Share Permissions
  • Everyone - Read
  • Engineering - Full Control
• NTFS Permissions
  • QA - Modify
  • IT - Full Control

Consider the group nesting: Engineering is the parent of QA. The following views are displayed in
the Users & Groups panes:
• Share Permissions
  • Everyone - Read
  • Engineering - Full Control
• File System Permissions
  • QA - Modify
  • IT - Full Control
• Effective Permissions
  • QA - Modify
  • IT - Read

Example 2
The following illustrates the allocation of permissions on a given folder:

• Share Permissions
  • QA - Read
  • Engineering - Full Control
  • IT - Read
• NTFS Permissions
  • Everyone - Modify

The following views are displayed in the Users & Groups panes:

• Share Permissions
  • QA - Read
  • IT - Read
  • Engineering - Full Control
• File System Permissions
  • Everyone - Modify
• Effective Permissions
  • QA - Read
  • IT - Read
  • Engineering - Modify
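
The effective permissions in Examples 1 and 2 follow from taking, for each group, the more restrictive of what the share grants and what NTFS grants, where a group also receives grants made to Everyone and to any group it is nested in. The added Python sketch below reproduces both results; it is not DatAdvantage code, and it assumes allow-only entries on a simple Read < Modify < Full Control scale (deny entries and fine-grained rights are not modelled).

```python
# Simplified ordering of the three permission levels used in the examples (assumption).
LEVELS = {"Read": 1, "Modify": 2, "Full Control": 3}
NAMES = {value: name for name, value in LEVELS.items()}


def applicable_groups(group, parents):
    """The group itself, every group it is nested in, and Everyone."""
    seen, stack = set(), [group]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(parents.get(current, ()))
    seen.add("Everyone")
    return seen


def granted(group, acl, parents):
    """Highest level the ACL grants to the group, directly or through nesting."""
    return max((LEVELS[acl[g]] for g in applicable_groups(group, parents) if g in acl),
               default=0)


def effective_permissions(share_acl, ntfs_acl, parents=None):
    """Per group: the lower of the share grant and the NTFS grant.

    Groups that end up with no access through one of the two layers are omitted,
    as in the Effective Permissions lists in the examples.
    """
    parents = parents or {}
    result = {}
    for group in sorted(set(share_acl) | set(ntfs_acl)):
        level = min(granted(group, share_acl, parents),
                    granted(group, ntfs_acl, parents))
        if level:
            result[group] = NAMES[level]
    return result


def example_1():
    share = {"Everyone": "Read", "Engineering": "Full Control"}
    ntfs = {"QA": "Modify", "IT": "Full Control"}
    nesting = {"QA": ["Engineering"]}      # Engineering is the parent of QA
    return effective_permissions(share, ntfs, nesting)


def example_2():
    share = {"QA": "Read", "Engineering": "Full Control", "IT": "Read"}
    ntfs = {"Everyone": "Modify"}
    return effective_permissions(share, ntfs)   # no nesting is stated for this example


if __name__ == "__main__":
    print(example_1())
    print(example_2())
```

In Example 1, IT holds Full Control in NTFS but reaches the folder only through the share's Everyone - Read entry, which is why its effective permission drops to Read.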

Switching to the Logical View

For non-CIFS resources (such as SharePoint, Unix and Exchange), the folder structure is displayed
as usual in the logical view. This means that even if the view state is switched to Logical, the real
folder tree is presented, just as it is in the physical view.

For mixed-mode resources (which include both CIFS and non-CIFS folders), the tree structure
presents all shares as well as the non-CIFS mount points at the first level.

To switch to the logical folder view:

1. In the Directories pane, click the View button.


The View menu is displayed.
2. Select Logical.
The tree is arranged in the logical view.

Switching to the Physical Folder View

To switch to the physical folder view:

1. In the Directories pane, click the View button.


The View menu is displayed.
2. Select Physical.
The tree is arranged in the physical view.

Focusing on Directories and Files by View State


In order to locate search results efficiently, you can set the following view states in the Directories
pane:
• Simple list
• Pruned tree
• Arrow tree

To set the view for search results:

1. Search for the required directories or files.


2. On the button bar, click View > Focus.
3. From the submenu, select the relevant view option:
• List - Presents the search results in a simple list, including the full access path for each
record.

Note: The list is constrained to a predefined number of values, which can be
configured in the GUI configuration files.

• Pruned Tree - Presents the search results in a partial tree structure. Leaves that do not
match the search criteria are disabled.

• Arrow Tree - Presents the search results in a full tree structure. Arrows are used to indicate
the relevant results.

Viewing the Tree According to Permission Types


To view folders according to permission type:

Note: This has no relevance for directory service probing.

1. In the relevant Users and Groups pane, double-click the entity whose permissions you want to
review.
2. In the Directories pane, click the View button.
The View menu is displayed.
3. Select Permissions, and then select the relevant option from the submenu:
• File system permissions - Displays the file system permissions for the permitted folders.
This option is available in both the physical and the logical views.
• Share permissions - Displays the share permissions for the permitted folders. This option is
only available in the logical view.
• Effective permissions - Displays the effective file system permissions for the permitted
folders, as masked by the share permissions. This option is only available in the logical
view.

Grouping Exchange Entities


An Exchange resource can contain tens of thousands of mailboxes. Since opening such a large
number would have a serious impact on performance, DatAdvantage provides the means to group
mailboxes in the Directories pane:
• Alphabetically - A folder is automatically created for every letter or group of letters, and the list
of mailboxes is distributed among folders accordingly. If the folders still contain more than the
optimal number of mailboxes, an additional layer of alphabetic grouping is nested within each
folder.

Note: The entire grouping mechanism functions according to the predefined
configuration of the maximum number of objects allowed in a group.

• Dynamically - If a user or group is selected (double-clicked), mailboxes are automatically
arranged in the Directories pane in the following groups:
  • Changed - The mailboxes for which the selected entity's permissions have changed
  • Not Permitted - The mailboxes the selected entity cannot access
  • Permitted - The mailboxes for which the selected entity has access rights

Grouping Exchange Entities Alphabetically

To group Exchange entities alphabetically:

1. In the Directories pane, click the View button.


The View menu is displayed.
2. Select Exchange Grouping > Alphabetical Grouping. A folder is automatically created
for every letter or group of letters, and the list of mailboxes is distributed among folders
accordingly. If the folders still contain more than the optimal number of mailboxes, an
additional layer of alphabetic grouping is nested within each folder.

Grouping Exchange Entities Dynamically

To group Exchange entities dynamically:

1. In the relevant Users and Groups list, locate the entity whose mailbox you want to work with.
2. Double-click the entity to display the mailboxes to which it is related in the Directories pane.
3. In the Directories pane, click the View button.
The View menu is displayed.
4. Select Exchange Grouping > Dynamic Grouping. The mailboxes are automatically arranged
in the Directories pane in the following groups:
• Changed - The mailboxes for which the selected entity's permissions have changed
• Not Permitted - The mailboxes the selected entity cannot access
• Permitted - The mailboxes for which the selected entity has access rights
5. If necessary, select Permissions > Exchange Grouping > Alphabetic Grouping to add an
additional layer of alphabetic grouping to the dynamic grouping.

Showing and Hiding Management Indicators

To show or hide the icons indicating folders that are managed in the Metadata Framework:

1. In the Directories pane, click the View button.


The View menu is displayed.
2. Select Indicators > Managed Folders.
• If the management indicators are hidden, this action displays them.
• If they are displayed, this action hides them.

Showing and Hiding Deduplication Indicators

To show or hide the icons indicating folders on which deduplication is enabled:

1. In the Directories pane, click the View button.


The View menu is displayed.
2. Select Indicators > Deduplication.
• If the deduplication indicators are hidden, this action displays them.
• If they are displayed, this action hides them.

Viewing Columns in the Directories Pane


The Directories pane includes several columns of information about each directory or OU. The
following columns are always displayed:
• Directory - A tree view displaying the selected resources and their objects
• File System Permissions - The current permissions of the object
• Share Permissions - The current share permissions of the object
• Explanations - Explanation of the changes made to the object's permissions
• Total Hit Count (Inc. Subfolders) - The number of times a DCF rule returns a result on a file. For
folders, this represents the total number of hits on the files within the folder for a rule.
• Size - The directory's logical size, in bytes (not relevant for directory service probing)
• Classification Results

To display other columns in the Directories pane, do one of the following:


• Select View > Columns; or
• Right-click the header row of the Directories pane, and select the relevant column name from
the context menu. You may select more than one.

The selected columns are displayed. The Directories pane provides the following additional
information about directories:

• Physical Size (After Deduplication) - The directory's physical size, in bytes, after
deduplication is enabled on the volume (not relevant for directory service probing)
• Contained Files/Objects - The number of files in the directory or the OU
• Modified - The last date on which the directory was modified, or the last time at which the
OU object was modified
• Accessed - The last time the directory was accessed (not relevant for directory service
probing)
• Server - The server on which the directory or OU resides
• Owner - The person responsible for the directory or OU object
• Flags (All) - Directories that have any sort of flag (global or personal) attached to them
• Flags (Global) - Directories that have global flags attached to them
• Flags (Personal) - Directories that have personal flags attached to them
• Tags - Directories that have tags attached to them
• Notes - Directories that have notes attached to them

Filtering Directories and Files


To filter directories and files:

1. In the Directories pane, click the Filters button.


The Filters menu is displayed.
2. Select the relevant filter:
• Classification Rules - From the submenu, select the rule by which to filter directories and
files. You can select more than one rule. The files and directories in the Directories pane
are filtered to show only files with a hit count greater than zero on the selected rule(s).

Note: Only rules that were run on files on which hits were detected are displayed in
the submenu.

• Flags - From the submenu, select the flag by which to filter directories and files (this option
is only displayed if flags are defined).
• Tags - From the submenu, select the tag by which to filter directories and files (this option
is only displayed if tags are defined).
• Notes - From the submenu, select the note by which to filter directories and files (this
option is only displayed if notes are defined).
• Edited Directories - Select to display only directories and files that have been edited in
DatAdvantage.
• Error Directories - Select to display only directories and files that have errors in
DatAdvantage.
• Attributes - From the submenu, select the permission attribute by which to filter directories
and files. Options are:
  • Protected
  • Unique
  • Inherited
• Ownership - From the submenu, select the management attribute by which to filter
directories and files. Options are:
  • Managed
  • Unmanaged
• Data Transport Engine - Select to display only the directories used in data transport rules.

Clearing Filters
To clear filters and flags in the Directories pane:

1. In the Directories pane, click the Filters button.


The Filters menu is displayed.
2. Select Clear All Filters.

Navigating User and Group Lists


Users and groups are organized in two different tree views:
• Existing Users and Groups - The actual users and groups in the organization, located by
default on the left side of the Work Area. (However, this pane is hidden by default. To display it,
click the Show/Hide button.) When you select an existing user or group, its actual directory and
file permissions are displayed in the Directories pane in the center of the window.
• Recommended Users and Groups - The users and groups that DatAdvantage recommends,
displayed by default on the right side of the Work Area. When you select a recommended user
or group, DatAdvantage's recommended directory and file permissions are displayed in the
Directories pane in the center of the window. The recommendations overwrite the existing
users and groups when they are committed to the database.

For convenience, procedures that can be carried out on both lists are only explained once.

Reloading User or Group Information


To reload user or group information:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. In the list (existing or recommended), click the Reload button. The list is reloaded with the
most up-to-date information.

Arranging Users and Groups


Sorting options vary depending on whether you have selected the actual list of users and groups,
or the recommended list. There is a Sort button for each list.
To sort the lists of users and groups:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click the Arrange By button for the list you want to sort (either the actual list of users and
groups, or the recommended list). A drop-down list is displayed.
3. From the drop-down list, select the required sort option:
• Name - Select to arrange the list by the displayed user or group name. This option is
available for both lists.
• Type - Select to arrange the list into users or groups as required. This option is available
for both lists.
• Status - Select to arrange the list according to the status of users and groups; that is, those
that have been added, removed, or undergone other changes. This option is only available
for the recommended list of users and groups.
• Email Address - Select to arrange the list by email address (if Exchange or Exchange
Online is installed).
• Has Errors - Select to arrange the list by entities that have errors. This option is only
available for the recommended list of users and groups.
• User Edited - Select to sort the list according to users and groups that have been manually
edited. This option is only available for the recommended list of users and groups.

The list is sorted.

Filtering User and Group Lists


To filter the list of users and groups:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click the Filters button.
3. From the submenu, select the required filter options. You may select as many as necessary;
however, the selection of conflicting filters does not return results.
• Entities - From the submenu, select the type of entity by which to filter the list. Options are:
  • Distribution Groups
  • Security Groups
  • Users
  • Computers
• Account Management - From the submenu, select an option to filter the list by
management activity. Options are:
  • Enabled users with expired passwords
  • Accounts that are enabled but stale
  • Locked-out users
  • Accounts that are disabled and stale
  • Enabled users with password about to expire
  • Enabled users with account about to expire
  • Users with password that never expires
  • Accounts with expiration date
  • Stale accounts
  • Users with expired passwords
• Flags - From the submenu, select the flag by which to filter users and groups (this option is
only displayed if flags are defined).
• Top-Level Flags Only - Select to filter the list by top-level flags.
• Tags - From the submenu, select the tag by which to filter users and groups (this option is
only displayed if tags are defined).
• Top-Level Tags Only - Select to filter the list by top-level tags.
• Notes - From the submenu, select the note by which to filter users and groups (this option
is only displayed if notes are defined).
• Changed Objects - From the submenu, select the type of change by which to filter the list.
Options are:
  • IDU Analysis - Filter by changes recommended by IDU Analytics.
  • Edited - Filter by manual changes.
• Disabled - From the submenu, select an option to filter the list by enabled or disabled
objects. Options are:
  • Enabled
  • Disabled

• Inactive - From the submenu, select an option to filter the list by active or inactive objects.
Options are:
  • Active
  • Inactive
• Children - From the submenu, select an option to filter the list by objects having children or
not. Options are:
  • No children
  • Has children
• Ownership - From the submenu, select an ownership option by which to filter the list.
Options are:
  • Unmanaged
  • Managed
• IDU Analytics Exclusion - From the submenu, select an option to filter the list by objects
that are included or excluded from processing by IDU Analytics. Options are:
  • Included
  • Excluded
• Only Changed Users and Groups - Select to display only users and groups whose
permissions have been changed.
• Clear Filters

The list is filtered.

Switching between Parent and Child Views


When the list of users and groups is arranged by parents, groups appear at the main nodes. Each
group's users are displayed at the sub-nodes.

When the list of users and groups is arranged by children, users appear at the main nodes. Each
user's groups are displayed at the sub-nodes.

You can easily switch between parent and child views in both the Existing Users and Groups and
the Recommended Users and Groups lists.

To switch between parent and child views:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. In the Users and Groups pane, click the View button.
The View menu is displayed.
3. Do one of the following:
• If the entity list is arranged by parents, click the Children button to arrange the list by
children.
• If the entity list is arranged by children, click the Parents button to arrange the list by
parents.

The list is arranged as required.

Viewing Users and Groups According to Permission Types


To view users and groups according to permission type:

Note: This has no relevance for directory service probing.

1. Set the Directories pane to the relevant view, either Physical or Logical.
2. In the relevant Users and Groups pane, double-click the entity whose permissions you want to
review.
3. In the Users and Groups pane, click the View button.
The View menu is displayed.
4. Select Permissions, and then select the relevant option from the submenu:
• File system permissions - Displays the file system permissions for the permitted folders.
This option is available in both the physical and the logical views.
• Share permissions - Displays the share permissions for the permitted folders. This option is
only available in the logical view.
• Effective permissions - Displays the effective file system permissions for the permitted
folders, as masked by the share permissions. This option is only available in the logical
view.

Selecting Display Name Settings for Users or Groups


With DatAdvantage, you can set user and group names to be displayed according to any of the
following conventions:

• Display name (Domain)
• User name (Domain)
• UserName@Domain
• Email address
• Customized convention

To select display name settings:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click View > Display Name.

3. From the submenu, select the required naming convention.

4. To set a customized convention, select Custom. The Display Name Configuration dialog box
is displayed.

5. In the Your Format field, type the required naming convention. Be sure to use one of the
following patterns:
• User Name
• Display Name
• Domain

For example, UserName@Domain results in JohnDoe@MyDomain.


6. Click OK. The Users and Groups lists are set to your selection.

Showing or Hiding Managed Group Indicators


You can easily show or hide the Managed Group indicator.

To toggle the Managed Group indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click View > Indicators > Managed Groups. The Managed Groups indicators are toggled on
or off, as relevant.

Showing or Hiding Inactivity Indicators


You can easily show or hide the Inactivity indicator.

To toggle the Inactivity indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click View > Indicators > Inactive. The Inactivity indicators are toggled on or off, as relevant.

Showing or Hiding Excluded from IDU Analytics Indicators

You can easily show or hide the Excluded from IDU Analytics indicator.

To toggle the Excluded from IDU Analytics indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click View > Indicators > Excluded from IDU Analytics. The Excluded from IDU Analytics
indicators are toggled on or off, as relevant.

Editing the Displayed Columns


You can select several Active Directory properties for display as columns in Users and Groups
panes.

To select properties for display as columns:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click Edit Columns.
The Edit Columns dialog box is displayed.

3. Select the required properties from the Available Columns pane on the left, and click the right
arrow to move them into the Selected Columns list.
4. Use the Up and Down buttons to arrange the order in which the columns are displayed.
5. Click OK.
The selected columns are added to the Users and Groups pane you are working with.

Note: You can set different columns for each of the Users and Groups panes.

6. In the Users and Groups pane, drag the column dividers to the preferred width.
• The columns are saved as you personalized them, including their selection, order and
width.
• The Users and Groups list can be sorted by these columns, through the Arrange by
button.

Selecting Organizational Units


If you have defined organizational units, you can filter the user list to display only users from
a specific unit within your domain. If no organizational units are defined, or if you are using a
Windows NT domain, the list displays the current domain and cannot be filtered.

To filter the list of users and groups by organizational unit:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click the Org. units field.
3. Select the relevant option to filter the list of organizational units by domain or local host:
• All domains and local hosts - All domains and local hosts are automatically selected.

• Select specific domain or OU - Double-click the relevant domain or OU, or choose it and
click Select.

• Select specific local host - Double-click the relevant local host, or choose it and click
Select.

The list is filtered so that only users and groups defined for the selected organizational unit
are displayed.

Moving Users and Groups to the Top of the List


To move a user or group to the top of the list:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select the required user.
3. Right-click, and from the context menu, select Bring to Top. The user or group is moved to the
top of the list.

Searching for Users or Groups


To search for a particular user or group:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. In the Look For field, type the first few letters of the required user or group.
3. Click Search if the button is visible (if it is not visible, the search is performed automatically).

Viewing Azure Active Directory Objects in the Users & Groups Pane
You can view Azure Active Directory users and groups in the Existing Users and Groups and
Recommended Users and Groups panes. You can also view Azure Active Directory users and
groups that were synchronized to on-premises Active Directory.

The list of users retrieved from Azure Active Directory is matched with the list of domain forest
users. In terms of permissions visibility, synchronized users are represented as domain users in the
DatAdvantage UI.

Note: If Azure Active Directory Sync was configured to disable Active
Directory synchronization, the Active Directory and Azure Active Directory objects are
displayed as two separate entities in the DatAdvantage UI.

To view Azure Active Directory objects in the Users & Groups pane:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Click the Org. units field.
3. To view users and groups defined for all domains and local hosts (including cloud users and
groups from the Azure domain), select All domains and local hosts.
A list of users and groups defined for all domains and local hosts is displayed. Synchronized
objects are represented as domain objects in the Users & Groups pane. Cloud users and
groups that were created in Azure Active Directory are marked with the cloud icon.

Note: When selecting a cloud user or group, its permissions on the online file servers
are displayed. Alternatively, when selecting a synchronized object, its permissions on
both on-premises and online file servers are displayed.

4. To view only objects from the Azure Active Directory:


a. Select Select specific domain or OU and choose Azure Domain.

b. Click Select.
Azure Active Directory users and groups are displayed and marked with the cloud icon.
Synchronized objects are marked as Synced.

Note: You cannot view the permissions of synchronized objects if you have selected to
display only users or groups from the Azure domain in the Users & Groups pane. In this
case, to view the object's permissions, you must first locate the domain user or group.
For more information, see Locating Domain Users and Groups.

Managing Ownership and Custodianship


There are several ways to add owners and custodians to entities:

• Ownership dialog box - To manage all the objects belonging to a particular owner.
• Drag-and-drop - To add a particular owner to an entity, or vice versa. Custodians cannot be
added by drag-and-drop.

About Uploading Owners


After initial installation of DatAdvantage, you can easily upload a single comma-separated list (in a
CSV file) of all the owners to be assigned in the system.

Note: If DataPrivilege is installed and synchronized with DatAdvantage, ensure your list
does not place a managed folder above or below an existing managed folder. Line items
contradicting this rule will be ignored.

Preparing the CSV File for Uploading Owners

The CSV file must have the following format:

<OwnerName>|<ResourceName>|<folder/group>|<type>|<ActionType>|<OriginalOwner>

Where:

• The pipe sign ( | ) is used as a separator.
• OwnerName is in the format of Domain\SAM account name, where Domain is written in
FQDN format and SAM account name is the user logon name (pre-Windows 2000).
• ResourceName is either the file server name or the domain name, written exactly as it is
configured in DatAdvantage (either FQDN or NetBIOS). Wildcards are supported.
• Folder/group is the physical path of the folder to manage, or the group name in the format
of Domain\SAM account name, where Domain is written in FQDN format and SAM account
name is the user logon name (pre-Windows 2000). For custodianship, this is left empty.
Wildcards are supported.
• Type is one of the following options:
  • Dom - Domain
  • R - Resource
  • Gr - Group
  • Dir - Folder

  Wildcards are supported.
• ActionType is the action that is being performed. The following options are available:
  • Add - Assigns ownership to an object. Used when no other option is specified.
  • Del - Removes ownership from one or more objects.
  • Replace - Replaces the current owner with the original owner.

  The ActionType field is optional; it is only required if the Del or Replace options are
  selected.
• OriginalOwner is the name of the original owner in the format of Domain\SAM account
name, where Domain is written in FQDN format and SAM account name is the user logon
name (pre-Windows 2000). If the Replace ActionType is selected, the original owner
replaces the current owner. The OriginalOwner field is only required if the Replace
ActionType is selected.

To set David as the owner of the Engineering folder:

Varonis.com\david|NetApp1|/vol/vol0/Engineering|Dir

To set Richard E. as the custodian of the Varonis.com domain:

Varonis.com\Richarde|Varonis.com||Dom|Add

To set Janet as the owner of the PM group on the portal:

Varonis.com\janetr|Portal.varonis.com|Portal.varonis.com\PM|Gr

To replace David (the current owner) with Mary (the new owner) as the owner of
all folders owned by David:

Varonis.com\mary|*|*|Dir|Replace|Varonis\david

To replace David (the current owner) with Mary (the new owner) as the owner of
the Engineering folder:

Varonis.com\mary|NetApp1|/vol/vol0/Engineering|Dir|Replace|Varonis\david

To remove David as the owner of the Engineering folder:

Varonis.com\david|WinFS1|D:\Share/Engineering|Dir|Del
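
Ownership lines decide who is accountable for a folder or group, so it is worth checking the file against the format above before uploading it. The following Python linter is an added example, not a Varonis tool; it runs over the guide's six example lines plus three constructed bad lines. The `EXISTING` list of already managed folders is a constructed input, and treating Dom and R lines as custodianship is an assumption drawn from the field descriptions.

```python
import re

FIELDS = ("owner", "resource", "target", "type", "action", "original_owner")
TYPES = {"Dom", "R", "Gr", "Dir"}
ACTIONS = {"Add", "Del", "Replace"}
ACCOUNT = re.compile(r"^[^\\|]+\\[^\\|]+$")      # Domain\SAM account name

# The six example lines from the guide, followed by three constructed bad lines.
SAMPLE = r"""
Varonis.com\david|NetApp1|/vol/vol0/Engineering|Dir
Varonis.com\Richarde|Varonis.com||Dom|Add
Varonis.com\janetr|Portal.varonis.com|Portal.varonis.com\PM|Gr
Varonis.com\mary|*|*|Dir|Replace|Varonis\david
Varonis.com\mary|NetApp1|/vol/vol0/Engineering|Dir|Replace|Varonis\david
Varonis.com\david|WinFS1|D:\Share/Engineering|Dir|Del
Varonis.com\mary|NetApp1|/vol/vol0/Engineering|Dir|Replace
david|NetApp1|/vol/vol0/Engineering|Folder
Varonis.com\david|NetApp1|/vol/vol0/Engineering/Specs|Dir
""".strip()

# Constructed: folders assumed to be managed already, as (resource, physical path).
EXISTING = [("NetApp1", "/vol/vol0/Engineering")]


def path_parts(path):
    """Split a physical path on either separator, ignoring case."""
    return [p.lower() for p in re.split(r"[\\/]+", path) if p]


def paths_nested(a, b):
    """True when one path lies strictly above or below the other."""
    short, long_ = sorted((path_parts(a), path_parts(b)), key=len)
    return len(short) < len(long_) and long_[:len(short)] == short


def lint_line(line, existing_managed=()):
    """Return the list of problems found in one line (empty list = clean)."""
    values = [v.strip() for v in line.split("|")]
    if not 4 <= len(values) <= 6:
        return [f"expected 4 to 6 fields, found {len(values)}"]
    rec = dict(zip(FIELDS, values + [""] * (6 - len(values))))
    action = rec["action"] or "Add"              # Add applies when none is given
    problems = []
    if not ACCOUNT.match(rec["owner"]):
        problems.append("OwnerName is not Domain\\SAM account name")
    if rec["type"] not in TYPES and rec["type"] != "*":
        problems.append(f"unknown type {rec['type']!r}")
    if action not in ACTIONS:
        problems.append(f"unknown ActionType {action!r}")
    if action == "Replace" and not ACCOUNT.match(rec["original_owner"]):
        problems.append("Replace requires OriginalOwner as Domain\\SAM account name")
    # Assumption: Dom and R lines are custodianship, so folder/group stays empty.
    if rec["type"] in ("Dom", "R") and rec["target"]:
        problems.append("folder/group must be empty for custodianship")
    if rec["type"] in ("Gr", "Dir") and not rec["target"]:
        problems.append("folder/group is required for Gr and Dir")
    # DataPrivilege rule: no managed folder above or below an existing one.
    if rec["type"] == "Dir" and action == "Add":
        for resource, path in existing_managed:
            same_resource = resource.lower() == rec["resource"].lower()
            if same_resource and paths_nested(path, rec["target"]):
                problems.append(f"nested with managed folder {path}")
    return problems


def lint_file(text, existing_managed=()):
    """Map 1-based line number -> problems, for lines that have any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            found = lint_line(line, existing_managed)
            if found:
                report[number] = found
    return report


if __name__ == "__main__":
    for number, found in lint_file(SAMPLE, EXISTING).items():
        print(f"line {number}: " + "; ".join(found))
```

The nesting check only matters when DataPrivilege is installed and synchronized; without an `existing_managed` list the linter checks structure only.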

Uploading Owners in Bulk

To upload owners in bulk:

1. Select Tools > Manage Ownership.


The Manage Ownership window is displayed.

2. Click Upload.
3. Browse to upload your previously prepared CSV file.
4. Click OK.

Assigning Owners, Custodians and Entities Throughout the System


Use the Manage Ownership dialog box to control ownership or custodianship of a number of
managed entities. Because there may be many managed entities in the system, the entities
presented in the dialog box are grouped by file server. However, you can also choose to group
entities by owner or custodian as necessary (see Grouping Lists and Tables by Column).

In addition, you can assign groups as resource custodians to grant all users in the group custodian
privileges on the file server. You can assign security or distribution groups as custodians. If a user
is a folder owner on the resource, the user can also be defined as a custodian. In this case, the
user is limited to custodian privileges only on the file server.

To add owners or custodians to entities:

1. Select Tools > Manage Ownership.


The Manage Ownership window is displayed.

2. Click Add. The Set Ownership dialog box is displayed.

3. In the Choose Owners area, click Select. The Directory Services Search dialog box is
displayed.
4. Select the users you want to set as owners or domain custodians, or select the groups you
want to set as custodians or resource custodians.

Note: Selecting Azure Active Directory users is not supported.

a. Add users as necessary.


b. Click OK. The dialog box is closed, and your choices are added to the Choose Owners area.

5. In the Choose Managed Entities area, select the type of entity to which you want to add the
owners from the Entity Type drop-down list.
• To add an owner, select Group or Directory as relevant. Selecting Azure Active Directory
groups is not supported.
• To add a custodian, select Domain or File Server as relevant.

Note: You can add groups to file servers and domains only.

6. Select the actual entity from the drop-down list to the right of the selected entity type.
7. Click Add. Your choices are added to the Selected Managed Entities area.

8. Click OK.
The owners or custodians and their assigned entities are displayed in the Manage Ownership
dialog box.

Assigning Managed Entities to a Single Owner


You can assign groups and directories to be managed by a selected owner.

Note: Entities cannot be assigned to custodians through this method.

1. In the Users and Groups pane, right-click the relevant user.


2. From the context menu, select Manage Ownership.
The Manage Ownership dialog box is displayed.

3. To add entities to the owner, click Add. The Entity Picker dialog box is displayed.

4. From the Entity Type drop-down list, select the type of entity to which you want to add the
owner.
5. Click Select to select groups, directories, File Servers, or domains. The dialog box that is
displayed depends on the entity type you chose.
6. Select the required entities.

Note: Selecting Azure Active Directory users is not supported.

The entities are added to the Entity Picker dialog box.


7. Click OK.
The owners and their assigned entities are displayed in the Manage Ownership dialog box.

Adding Managed Resources to a Single Group


You can assign domains and file servers to a single group, to be managed by the group's direct
members.

1. In the Users and Groups pane, right-click the relevant group.


2. From the context menu, select Add Managed Resources.
The Add Managed Resources dialog box is displayed.


Note: The Add Managed Resources option is not available when right-clicking
abstract, global or virtual groups.

3. To add resources, click Add. The Pick Entities to Manage dialog box is displayed.

4. From the Entity Type drop-down list, select the type of entity to which you want to add the
owner. Selections are Domain and File Server.
5. Click Add to add the entities.
The entities are added to the Entity Picker dialog box.


6. Click OK.
The entities are displayed in the Manage Ownership dialog box.

Setting Ownership on a Group


This procedure describes how to set ownership on a group. You can assign groups and directories
to be managed by a selected owner.

Note: Entities cannot be assigned to custodians through this method.

1. In the Users and Groups pane, right-click the relevant group.


2. From the context menu, select Set Ownership.
The Set Ownership dialog box is displayed.


3. To add entities to the owner, click Add. The Directory Services Search dialog box is
displayed.


4. In OUs, select the domain, local host, or OU.


5. Use the search function to filter the possible results (or leave empty), and click Search.
All matching entities are displayed.


6. Select the required entities and click Add.


The entities are added to the Directory Services Search dialog box.


7. Click OK.
The owners and their assigned entities are displayed in the Set Ownership dialog box.

Assigning Owners to a Single Managed Directory


You can assign owners to a single managed directory.

To assign owners to a single managed directory:

1. In the relevant Directories pane, right-click the relevant entity.


2. From the context menu, select Manage Ownership.
The Manage Ownership dialog box is displayed.


3. Click Add.
The Directory Services Search dialog box is displayed.
4. Select owners for the entity as required.

Note: Selecting Azure Active Directory users is not supported.

5. Click OK.
The entity's owners are displayed in the Manage Ownership dialog box.

Dragging and Dropping Owners and Entities


You can quickly assign a single owner to a single entity, and vice-versa, by dragging and dropping.
• To assign an owner to an entity, drag the owner's name to the target entity.
• To assign an entity to an owner, drag the entity's name to the target owner.
• When the confirmation message is displayed, click Yes.

Note: Entities cannot be assigned to custodians through this method.

Filtering the Managed Entities List


If the Ownership dialog box lists a large number of entities, you can use the search filters to locate
a smaller selection of entities.

To filter the Managed Entities list:

1. Select Tools > Manage Ownership.


The Manage Ownership window is displayed.


2. At the top of the Manage Ownership dialog box, select the type of entity by which you want
to filter.
3. If you are filtering by location, select the file server you want to work with from the second
drop-down list.
4. In the text field, enter the string by which you want to filter the list. The Managed Entities list is
filtered.


Replacing or Cloning Owners Throughout the System


You can easily replace one owner with another for all the relevant entities, without searching for
each owned entity separately. You can also clone ownership from one owner to another, such that
all ownership definitions are copied to the new owner, leaving the definition of the original owner
intact.

Notes:
• If the new owner is a group while the original owner does not own a file server or domain, an
error occurs - groups can only be defined as file server or domain custodians.
• If the original owner is a custodian and also a directory/group owner, and the new owner is
a group, the replacement must be applied only on the relevant file servers/domains (without
applying the directory/group ownership).

To replace/clone an owner with another owner:

1. Select Tools > Manage Ownership.


The Manage Ownership window is displayed.

2. Do one of the following:


• Click Replace Owner - To replace an owner across the entire system
• Select an entity in the table and then click Replace Owner - To replace only the selected
entity's owner.

The Replace Owner dialog box is displayed.


3. Use the relevant Browse buttons to select both the original and new owners (if you selected
an entity in the Ownership table, the original owner is already populated).
4. Select the required operation. Options are:
• Replace original owner with new owner - Select to replicate all the original owner's
definitions to the new owner, leaving the original owner with no owned entities
• Clone ownership from original owner to new owner - Select to copy all the original owner's
definitions to the new owner, leaving the original owner's definitions intact
5. Click OK.

Removing Owners or Custodians from Entities


To remove a user's ownership or custodianship of one or more entities:
1. Select Tools > Manage Ownership.
The Manage Ownership window is displayed.


2. In the Manage Ownership dialog box, do one of the following:


• Select the checkbox of the entity whose owner you want to remove.
• Select the checkbox on the header row of the grid to select all entities in the grid whose
owners you want to remove.
3. Click Remove.
The owners or custodians are removed from the entities.

Exporting Owner Lists to CSV


In addition to defining and subscribing to report 10a, you can easily export a list of owners for the
selected objects to a CSV file.

To export a list of owners per object to CSV:

1. Select Tools > Manage Ownership.


The Manage Ownership window is displayed.


2. Click Save As and save the file to the required location (this only saves the current search, not
all defined owners). The file takes the following format:
• The pipe sign ( | ) is used as a separator.
• OwnerName is in the format of Domain\SAM account name, where Domain is written in
FQDN format and SAM account name is the user logon name (pre-Windows 2000).
• ResourceName is either the file server name or the domain name, written exactly as they
are configured in DatAdvantage (either FQDN or NetBIOS). Wild cards are supported.
• Folder/group is the physical path of the folder to manage, or the group name in the
format of Domain\SAM account name, where Domain is written in FQDN format and
SAM account name is the user logon name (pre-Windows 2000). For custodianship, this is
left empty. Wild cards are supported.
• Type - One of the following options:
  • Dom - Domain
  • R - Resource
  • Gr - Group
  • Dir - Folder

Wild cards are supported.


• ActionType is the action that is being performed. The following options are available:
• Add - Assigns ownership to an object, used when no other option is specified.
• Del - Removes ownership from one or more objects.
• Replace - Replaces the current owner with the original owner.

The ActionType field is optional. The ActionType field is only required if the Del or
Replace options are selected.
• OriginalOwner is the name of the original owner in the format of Domain\SAM
account name, where Domain is written in FQDN format and SAM account name is
the user logon name (pre-Windows 2000). If the Replace ActionType is selected, the
original owner replaces the current owner. The OriginalOwner field is only required if
the Replace ActionType is selected.
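
An added example, not part of the Varonis guide or product: a Python check that parses rows in the pipe-separated format described above and flags malformed or high-impact entries before the file is relied on. The column order (taken from the order in which the fields are listed), the optional header row, the `*` and `?` wildcard characters, the treatment of Dom and R rows as custodianship rows, and all sample rows are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed column order: the order in which the guide lists the fields.
FIELDS = ("OwnerName", "ResourceName", "FolderOrGroup",
          "Type", "ActionType", "OriginalOwner")
TYPES = {"Dom", "R", "Gr", "Dir"}
ACTIONS = {"Add", "Del", "Replace"}
WILDCARDS = ("*", "?")  # assumed wildcard characters; the guide does not name them
# Domain\SAM account name with the domain written as an FQDN (at least one dot).
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\\[^\\|]+$")


@dataclass
class Row:
    line_no: int
    values: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)   # format violations
    review: list = field(default_factory=list)   # valid, but worth a second look


def has_wildcard(value):
    return any(ch in value for ch in WILDCARDS)


def check_line(line_no, line):
    row = Row(line_no)
    parts = [p.strip() for p in line.split("|")]
    # ActionType and OriginalOwner are optional, so 4 to 6 fields are acceptable.
    if not 4 <= len(parts) <= len(FIELDS):
        row.errors.append(f"expected 4-6 fields, got {len(parts)}")
        return row
    parts += [""] * (len(FIELDS) - len(parts))
    v = row.values = dict(zip(FIELDS, parts))
    v["ActionType"] = v["ActionType"] or "Add"  # Add is used when nothing is specified

    if not ACCOUNT_RE.match(v["OwnerName"]):
        row.errors.append("OwnerName is not in FQDN\\SAM account name format")
    if not v["ResourceName"]:
        row.errors.append("ResourceName is empty")
    if v["Type"] not in TYPES and not has_wildcard(v["Type"]):
        row.errors.append(f"unknown Type {v['Type']!r}")
    if v["ActionType"] not in ACTIONS:
        row.errors.append(f"unknown ActionType {v['ActionType']!r}")

    target = v["FolderOrGroup"]
    # Assumption: Dom and R rows are the custodianship rows, which leave the
    # Folder/group field empty; Gr and Dir rows must name a group or folder.
    if v["Type"] in {"Dom", "R"} and target:
        row.errors.append("custodianship row must leave Folder/group empty")
    if v["Type"] in {"Gr", "Dir"} and not target:
        row.errors.append("Folder/group is required for Gr and Dir rows")
    if (v["Type"] == "Gr" and target and not has_wildcard(target)
            and not ACCOUNT_RE.match(target)):
        row.errors.append("group is not in FQDN\\SAM account name format")
    if v["ActionType"] == "Replace" and not ACCOUNT_RE.match(v["OriginalOwner"]):
        row.errors.append("Replace requires a valid OriginalOwner")

    # Rows that touch many objects or change existing ownership get reviewed.
    if any(has_wildcard(v[k]) for k in ("ResourceName", "FolderOrGroup", "Type")):
        row.review.append("wildcard expands to multiple objects")
    if v["ActionType"] in {"Del", "Replace"}:
        row.review.append(f"{v['ActionType']} changes existing ownership")
    return row


def audit(text):
    rows = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("OwnerName"):
            continue  # skip blank lines and an optional header row
        rows.append(check_line(line_no, line))
    return rows


def summarize(rows):
    """Return (line numbers with errors, valid line numbers needing review)."""
    bad = [r.line_no for r in rows if r.errors]
    review = [r.line_no for r in rows if not r.errors and r.review]
    return bad, review


# Constructed sample rows (not taken from a real export).
SAMPLE = r"""corp.example.com\jsmith|fs01.corp.example.com|C:\Share\Finance|Dir
corp.example.com\jsmith|fs01.corp.example.com||R|Add
corp.example.com\adoe|corp.example.com|corp.example.com\Finance-RW|Gr|Replace|corp.example.com\jsmith
corp.example.com\adoe|fs*|C:\Share\*|Dir|Del
CORP\bob|fs01|C:\Share\HR|Dir
corp.example.com\adoe|fs01|C:\Share\HR|Dir|Replace
corp.example.com\adoe|corp.example.com|C:\x|Dom"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r.line_no, r.errors or "ok", r.review)
```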

About Change Management and Commit


DatAdvantage IDU Analytics recommends changes to permissions and membership in groups,
based on data usage patterns. You may accept these recommendations and manual changes
made by users at any time, and commit them to the environment. For example, you can commit
one or more manual changes that were made in the Work Area.

DatAdvantage enables you to manage changes and commit processes through the Change
Management and Commit window. You may commit changes and follow up on processes that are
committed or scheduled for commit. In addition, the Change Management and Commit window
enables you to perform the following:
• View pending or invalid changes
• Search for specific changes and commit processes
• View the prerequisites of changes prior to committing, scheduling or discarding
• Commit a single change or a bulk of changes
• Discard selected changes
• Run a commit process immediately or at a scheduled time
• View, edit, abort, cancel or roll back required processes
• View the progress and status of commit processes
• Export changes and processes to CSV
• Edit the displayed columns

Before committing changes, it is recommended to review their effects on the virtual environment.
To do so, ensure the system is synchronized (see Synchronizing Recommendations).

An email notification is sent when a commit process successfully completes or changes are rolled
back.

Note:
• You must have the Commit/Edit role to perform operations in the Change Management
and Commit window. Users with the Edit role can only view changes and commit
processes and discard changes.
• Commit processes are executed asynchronously.
• Changes on Exchange Online directories and files cannot be committed.

What Should Be Committed


Changes on Unix File Servers that Can Be Committed

Users
The following changes to users can be committed:

• Users can be added to or removed from local Unix groups


• Users can be added to or removed from LDAP groups
• Users can be added to or removed from NIS groups
• Unix groups cannot be added to other Unix groups

Important: Netgroups are not supported.

Permissions
The following changes to permissions can be committed:

• Changes to owner permissions


• Changes to group owner permissions
• Changes to other permissions
• Changes to UIDs
• Changes to GIDs
• Changes to sticky bits

Ownership
The following changes to ownership can be committed:

• Change owner
• Change group owner
• Change owner or group owner to one from an affiliated Unix domain

ACLs
The following changes to ACLs can be made:

• Extended users can be added


• ACLs can be changed for extended users
• Extended users can be removed
• Masks can be changed
• Group owner ACLs can be changed
• Extended users from affiliated Unix domains can be added

Changes on Windows File Servers that Can Be Committed

Group Membership
The following changes to group membership can be committed:
• Create new group
• Delete group
• Add member
• Remove member


Permissions
The following changes to permissions can be committed:

• Add permissions
• Remove permissions
• Change permissions
• Add and remove protection

Committing Changes on SharePoint File Servers


For SharePoint file servers, the user that is authorized to perform operations must have a
permission level that consists of at least the following permissions:
• Manage Permissions - Create and change permission levels on the Web site and assign
permissions to users and groups.

To perform Add Membership or Remove Membership operations for local SharePoint groups, the
commit user must be a member of the site collection's Administrators group.

For SharePoint Online and OneDrive, you can remove guest link permissions for Anonymous
Logon built-in groups.

Accessing the Change Management and Commit Window


DatAdvantage provides a number of ways to access the Change Management and Commit
window:
• Select Tools > Change Management (Commit).
• In the relevant pane (Directories or Users and Groups), right-click the relevant entity and select
one of the following:
• Change Management (Commit) > Pending changes. The Pending Changes tab in the
Change Management and Commit window is displayed, showing all changes that have not
yet been scheduled for commit on the entity or directory.
• Change Management (Commit) > Commit processes. The Processes tab in the Change
Management and Commit window is displayed, showing all scheduled and committed
changes on the entity or directory.

• In the Logs view, right-click the relevant entity and select Jump to Change Mgmt. and Commit.
The Processes tab in the Change Management and Commit window is displayed, showing all
scheduled and committed changes on the entity or directory.


Note: This option is only available for history of differences events. In addition, the user
must have Edit/Commit or Edit roles.

• Upon creation or deletion of a group, select the Commit these changes option on the last page
of the wizard. The Change Management and Commit window automatically opens and the
Start Commit Process dialog box is displayed.

Managing Pending Changes


The Pending Changes tab in the Change Management and Commit window displays all pending
changes made in DatAdvantage. These changes include all manual changes made by users as
well as those recommended by IDU Analytics.

The Pending Changes tab enables you to perform the following operations:
• Search for specific pending and invalid changes
• View a change's prerequisites prior to committing, scheduling or discarding
• Commit a single change or a bulk of changes
• Schedule the commit process
• Discard selected changes

Searching for Pending or Invalid Changes

Use the Pending Changes tab to view specific pending or invalid changes. You cannot commit
invalid changes. Changes can be invalid either due to inconsistent permissions or because the
object no longer exists (such as a group or directory that has been deleted).

To search for specific pending or invalid changes:

1. Open the Change Management and Commit window.


2. In the Search pane of the Pending Changes tab, enter any of the following information:
• From the File server drop-down list, select one of the following options:
• File server - Click the Browse button to locate the file server to be added.
• Access path - Click the Browse button to locate the full path on which the changes
were made. Select the Include child objects option to include an entity's child objects
(subdirectories).
• From the Domain name/OU drop-down list, select one of the following options:
• Domain name/OU - Browse to locate the OU or relevant domain of the user, group or
trustee.
• User/group - Browse to locate the relevant user, group or trustee.
• Status - From the drop-down list, select one or both of the following options:
• Pending - Select to filter the results according to changes with a pending status.
• Invalid - Select to filter the results according to changes with an invalid status.
• Created by - Browse to locate the user who made the change.
• Create time - Set the date and time at which the change was made. Select the All Dates
option to apply all dates.

Note: For complete instructions on setting filters, see Advanced Searching.

3. To use advanced filters, click Advanced Filters and set the filters as required.
4. Click Search.
Changes that meet the specified search criteria are displayed in the grid.

Viewing Prerequisite Changes

You can view the prerequisites on which a change is dependent prior to committing, scheduling or
discarding the change.

Note: Keep in mind that committing or scheduling a change that is dependent on a
prerequisite includes committing or scheduling its prerequisites. Additionally, if you choose to
discard a prerequisite on which a change is dependent, the change and all of its dependent
changes are discarded.

To view prerequisite changes:

1. Open the Change Management and Commit window.

The Pending Changes tab displays all pending and invalid changes.
2. In the grid, locate the Pre-requisite Changes column. The Pre-requisites column displays
Commit and Discard links for viewing prerequisites.
3. To view the prerequisite(s) for a change, select the relevant link in the Pre-requisite Changes
column.
The Commit or Discard dialog box is displayed, listing the prerequisite(s) on which the
selected change is dependent.
The Commit dialog box provides a list of all changes that must be committed or scheduled in
order to commit the selected change.

The Discard dialog box provides a list of changes that will be discarded if the selected
change is discarded.


Committing Changes

You can select one or more pending changes to be committed in a commit process. The
changes included in the commit process can be committed immediately or scheduled for commit
at a defined time. Invalid changes, such as changes on entities that have been deleted, are
automatically excluded from the commit process.

If you choose to commit a change that is dependent on a prerequisite, the change and all
its prerequisites must be committed. These prerequisite changes are automatically added
when committing the change. You may choose to clear a selected change to exclude it and its
prerequisites from the commit process.

An email notification is sent when a commit process successfully completes or fails to complete.

Note: Editing in the Work Area is disabled until the selected changes are committed to the
database.

To commit pending changes:

1. Open the Change Management and Commit window.


The Pending Changes tab displays all pending and invalid changes.
2. In the Pending Changes tab, select the relevant change(s) in the grid and click Commit.
If you have selected one or more pending changes without prerequisites, the Start Commit
Process dialog box opens, prompting you to enter user credentials.

If you have selected pending changes with prerequisites, the Commit dialog box opens,
displaying the Pending + Pre-requisites tab.


Note: In both cases, if you have selected invalid changes, they are displayed in the
Excluded tab. All invalid changes will be excluded from the commit process.

3. To commit pending changes with prerequisites:

Note: If you have selected changes without prerequisites, continue with step 4.

a. In the Pending + Pre-requisites tab of the Commit dialog box, clear a selected change to
exclude the change and its prerequisites from this process.

Note: Prerequisites common to one or more changes are displayed under each
change.

b. To view all pending changes to be committed, select the Included tab.


c. To view all invalid changes to be excluded from the commit process, select the Excluded
tab.
d. Click Next.
The Start Commit Process dialog box is displayed.
4. To log in to the Commit engine:
a. Select one of the following:
• Enter a single set of credentials for all resources


Important: The user must have the appropriate credentials required to commit
the changes.

• User name - Type the relevant user name or browse to locate the required user.
• Password - Type the relevant password.
• Remember Password - Select to save the credentials for this commit process. This
option saves the credentials for each commit operator.
• Enter credentials per resource - For each resource, click the Enter credentials link and
enter the relevant user name and password.
b. Comment - Type a free-text comment in the field as necessary.
c. Send process report to - Select to send the process report to a recipient and then type
the recipient's email address in the field. You can enter the email of only one recipient or
distribution list.
5. Click Start.
A confirmation message is displayed, enabling you to switch to the Processes tab to view the
progress.

Scheduling Changes for Commit

You can schedule changes to be committed at a defined time.

To schedule changes for commit:

1. Open the Change Management and Commit window.

2. In the Pending Changes tab, select the relevant change(s) in the grid and click Schedule.
If you have selected one or more pending changes without prerequisites, the Start Schedule
Process dialog box opens, prompting you to schedule the commit process and enter user
credentials.


If you have selected pending changes with prerequisites, the Schedule dialog box opens,
displaying the Pending + Pre-requisites tab.

Note: In both cases, if you have selected invalid changes, they are displayed in the
Excluded tab. All invalid changes will be excluded from the commit process.

3. To schedule the commit process for changes with prerequisites:

Note: If you have selected changes without prerequisites, continue with step 4.

a. In the Pending + Pre-requisites tab of the Schedule dialog box, clear a selected change
to exclude the change and its prerequisites from this process.


Note: Prerequisites common to one or more changes are displayed under each
change.

b. To view all pending changes to be committed, select the Included tab.


c. To view all invalid changes to be excluded from the commit process, select the Excluded
tab.
d. Click Next.
The Start Schedule Process dialog box is displayed.
4. In the Start Schedule Process dialog box, select the required date and time from the
calendar.
5. To log in to the Commit engine:
a. Select one of the following:
• Enter a single set of credentials for all resources

Important: The user must have the appropriate credentials required to commit
the changes.

• User name - Type the relevant user name or browse to locate the required user.
• Password - Type the relevant password.
• Remember Password - Select to save the credentials for this commit process. This
option saves the credentials for each commit operator.
• Enter credentials per resource - For each resource, click the Enter credentials link and
enter the relevant user name and password.
b. Comment - Type a free-text comment in the field as necessary.
c. Send process report to - Select to send the process report to a recipient and then type
the recipient's email address in the field. You can enter the email of only one recipient or
distribution list.
6. Click Start.
A confirmation message is displayed, enabling you to switch to the Processes tab to view the
progress.

Discarding Changes

You can discard pending or invalid changes that are not required.

If you choose to discard a prerequisite on which a change is dependent, the change and all of its
dependent changes are discarded.

To discard pending or invalid changes:

1. Open the Change Management and Commit window.


The Pending Changes tab displays all pending and invalid changes.
2. In the Pending Changes tab, select the relevant change(s) in the grid and click Discard.
If you have selected one or more pending changes on which no other change is dependent,
the Discard dialog box opens, displaying the changes to be discarded.

If you have selected pending changes on which other changes are dependent, the Discard
dialog box displays the Pending + Pre-requisites tab.


3. To exclude a change and its dependent changes from being discarded, in the Pending + Pre-
requisites tab, clear a selected change. Prerequisites common to one or more changes are
displayed under each change.

Note: If you have selected changes on which no other change is dependent, continue
with step 4.

4. Click Start.
The selected changes are discarded.
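
The prerequisite rules from Viewing Prerequisite Changes, Committing Changes and Discarding Changes, modelled as an added Python example (not DatAdvantage code): committing pulls in every prerequisite, clearing a change keeps prerequisites that another selected change still needs, and discarding cascades to every dependent change. The change IDs, the dependency map and the assumption that both rules apply transitively are constructed for this illustration.

```python
# Constructed model of pending changes; IDs and descriptions are illustrative.
# PREREQS maps each change to the changes that must be committed before it.
PREREQS = {
    "C1": [],            # create group Finance-RW
    "C2": ["C1"],        # add a user to Finance-RW
    "C3": ["C1"],        # grant Finance-RW permissions on a folder
    "C4": ["C2", "C3"],  # remove the user's direct permission on that folder
    "C5": [],            # change on a directory that has since been deleted
}
INVALID = {"C5"}         # invalid changes are never committed


def _closure(start, edges):
    """All changes reachable from start by following edges (start included)."""
    seen, stack = set(), list(start)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen


def plan_commit(selected, cleared=(), prereqs=PREREQS, invalid=INVALID):
    """Return (included, excluded) for a commit or schedule request.

    Selected invalid changes land in the Excluded list. Cleared changes are
    dropped, but a prerequisite they share with a change that is still
    selected stays in the Included list, because that change needs it.
    """
    selected = set(selected)
    excluded = selected & set(invalid)
    kept = selected - excluded - set(cleared)
    return sorted(_closure(kept, prereqs)), sorted(excluded)


def plan_discard(selected, prereqs=PREREQS):
    """Return every change that is discarded along with the selected ones."""
    dependents = {}
    for change, needs in prereqs.items():
        for prerequisite in needs:
            dependents.setdefault(prerequisite, []).append(change)
    return sorted(_closure(selected, dependents))


if __name__ == "__main__":
    print("commit C4 + C5:", plan_commit({"C4", "C5"}))
    print("commit C2 + C3, C3 cleared:", plan_commit({"C2", "C3"}, cleared={"C3"}))
    print("discard C1:", plan_discard({"C1"}))
```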

Managing Commit Processes


The Processes tab in the Change Management and Commit window displays all changes that are
committed or scheduled for commit. This tab also displays failed and aborted processes. It enables
you to follow the progress of commit processes, perform actions, and view specific processes or
changes.

Additionally, the Processes tab enables you to perform the following operations:
• Search for specific scheduled or completed processes
• Edit a scheduled process
• Cancel a scheduled process
• Stop the commit process
• Roll back a commit process

You can expand or collapse rows in the grid as necessary. Expanding a row enables you to view
the changes included in the process. Certain changes may not be displayed due to filtering or
ownership limitations.


Searching for Commit Processes

Use the Processes tab to view processes that are committed or scheduled for commit. Each
commit process is assigned a unique ID, which can be used when searching for a specific process.

To search for specific commit processes:

1. Open the Change Management and Commit window.

2. Select the Processes tab.


The Processes tab is displayed, listing all processes that are committed or scheduled for
commit.


3. In the Search pane, enter any of the following information:


• From the drop-down list, select one of the following options:
• File server - Click the Browse button to locate the file server to be added.
• Access path - Click the Browse button to locate the full path. Select the Include child
objects option to include an entity's child objects (subdirectories).
• From the Domain name/OU drop-down list, select one of the following options:
• Domain name/OU - Browse to locate the OU or relevant domain of the user, group or
trustee.
• User/group - Browse to locate the relevant user, group or trustee.
• Process Status - Select one or all of the following options:
• Scheduled - Select to filter the results according to processes that are scheduled for
commit.
• In process - Select to filter the results according to processes that are currently being
committed.
• Completed - Select to filter the results according to processes that have already been
committed.
• Aborting - Select to filter the results according to processes that are currently being
aborted.
• Aborted - Select to filter the results according to processes that have been aborted.
• Committed by - Browse to locate the user, group or trustee who committed the process.
• Schedule time - Set the date and time at which the process was scheduled. Select the All
Dates option to apply all dates.
• Process ID - Enter the unique ID of the commit process.

Note: For complete instructions on setting filters, see Advanced Searching.

4. To use advanced filters, click Advanced Filters and set the filters as required.
5. Click Search.
Processes that meet the specified search criteria are displayed in the grid.

Editing a Scheduled Process

You can edit a process that is scheduled for commit.

To edit a scheduled process:

1. Open the Change Management and Commit window.


2. Select the Processes tab.


The Processes tab is displayed, listing all processes that are committed or scheduled for
commit.

3. In the grid, select one or more pending processes that are scheduled for commit.

Tip: You can apply the Process status filter to view pending processes that are
scheduled for commit.

4. Click Edit Process.


The Modify Scheduled Process dialog box is displayed.


5. Select the required date and time from the calendar.


6. To log in to the Commit engine:
a. Select one of the following:
• Enter a single set of credentials for all resources

Important: The user must have the appropriate credentials required to commit
the changes.

• User name - Type the relevant user name or browse to locate the required user.
• Password - Type the relevant password.
• Remember Password - Select to save the credentials for this commit process. This
option saves the credentials for each commit operator.
• Enter credentials per resource - For each resource, click the Enter credentials link and
enter the relevant user name and password.
b. Comment - Type a free-text comment in the field as necessary.
c. Send process report to - Select to send the process report to a recipient and then type
the recipient's email address in the field. You can enter the email of only one recipient or
distribution list.
d. Commit changes on folders with broken inheritance - Select to commit changes on
folders with broken inheritance.

Note: Users without edit/commit permissions, or users for whom this option was not
configured (via the Management Console), will not see this screen.

7. Click Start.
The selected process(es) are rescheduled according to the defined time.


Cancelling a Scheduled Process

You can cancel a process that is scheduled for commit.

Note: You cannot cancel a process that is currently running, or one that has been terminated
or committed. In order to cancel a running process, you must first terminate it. See Stopping
the Commit Process for instructions.

To cancel a scheduled commit process:

1. Access the Change Management and Commit window and select the Processes tab.
2. In the grid, select the scheduled process(es) to be cancelled.

Tip: You can apply the Process status filter to view scheduled processes only.

3. Click Cancel Schedule.


A confirmation message is displayed, asking you to confirm the cancellation.
4. Click Yes.
The selected process(es) are cancelled.

Stopping the Commit Process

To stop the commit process before it is completed:

Note: For instructions on cancelling scheduled commit operations that are still pending, see
Cancelling a Scheduled Process.

1. Access the Change Management and Commit window and select the Processes tab.
2. Select the required process and click Terminate.
A confirmation message is displayed.

3. Set the following as necessary:


• Roll back committed changes - Select to reject committed changes.
• Send report to - Select to send the rollback process report to a recipient and then type the
recipient's email address in the field.


Note: This option is available only if a mail recipient was not selected during commit.
If a mail recipient was previously selected, the report will automatically be sent to that
recipient.

4. Click OK. A confirmation message is displayed. The process is marked as Aborted in the
Processes tab.
If you have selected to roll back committed changes, a rollback process is initiated for
successfully committed changes and a report is sent to the recipient by email.

Rejecting Changes

You can reject or roll back changes that have already been committed. The rollback process can
only be performed for terminated or completed processes that have not yet been rolled back. For
a list of DatAdvantage operations that can be rolled back, see Supported Rollback Operations.

An email notification is sent when changes are successfully rolled back.

Important: The rollback reverses changes and may not restore permissions to their original
state.

To reject changes:

1. Access the Change Management and Commit window and select the Processes tab.
2. Select the required process and click Rollback.
The Rollback dialog box is displayed.


3. To log in to the Commit engine:
a. Select one of the following:
   • Enter a single set of credentials for all resources
      • User name - Type the relevant user name or browse to locate the required user.
      • Password - Type the relevant password.
      • Remember Password - Select to save the credentials for this commit process. This
        option saves the credentials for each commit operator.
   • Enter credentials per resource - For each resource, click the Enter credentials link and
     enter the relevant user name and password.
b. Comment - Type a free-text comment in the field as necessary.
c. Send process report to - Select to send the process report to a recipient and then type
the recipient's email address in the field. You can enter the email of only one recipient or
distribution list.

Note: If a mail recipient was already selected during commit, this field is populated
with the recipient's email address.

4. Click Start.
A confirmation message displays the rollback process ID.
5. Click OK.
The selected change(s) are rejected and a report is sent to the recipient by email.

Supported Rollback Operations


You can roll back the following DatAdvantage operations:
• Group membership changes
   • Group member added
   • Group member removed
   • Group member edited
• Permission changes (SharePoint, Exchange, CIFS and NFS)
   • Permission added
   • Permission removed
   • Permission edited
• Group created

Note:
• The rollback process can only be performed for terminated or completed commit
processes that have not yet been rolled back.
• The rollback reverses changes and may not restore permissions to their original state.

Exporting Changes and Processes to CSV


You can export all changes and processes displayed in the Pending Changes and Processes tabs
to a CSV file.


Note: This action exports all changes and processes that were filtered for display (and not
the items that were selected in the grid).

To export the displayed changes or processes to CSV:

1. Open the Change Management and Commit window and select the relevant tab.

2. Click Export to CSV and select the required export path.


3. Click Save.

Editing the Displayed Columns


You can add or remove columns for display in the Pending Changes and Processes tabs.

To edit the displayed columns:

1. Open the Change Management and Commit window and select the relevant tab.

2. Click Edit Columns.


The Edit Columns dialog box is displayed.

3. Select the required columns from the Available Columns pane on the left, and click the right
arrow to move them into the Selected Columns list.

Note: For a complete list of columns that can be included in the Pending Changes and
Processes tabs, see Change Management and Commit Columns.

4. Use the Up and Down buttons to arrange the order in which the columns are displayed.
5. To restore the default set of columns, click Reset.
6. Click OK.
The selected columns are added to the grid.

Change Management and Commit Columns

You can customize which columns are included in the Pending Changes and Processes tabs (for
more information, see Editing the Displayed Columns).

You can also change the order in which the columns are displayed, sort columns, and group
columns as required. For more information, see Working with Lists and Tables.

The following table describes all columns that can be included in the Pending Changes tab:

Column Name Description

Created By The display and domain name of the user who made the
change, or IDU Analytics.

Created By (SAM Account Name) The domain and SAM account name of the user who
made the change, or IDU Analytics.


Create Time The date and time at which the change was made. The
time format is displayed in accordance with the IDU
Server's local settings.

Change Source The source of the change, which can be:
• User edited - User changes
• IDU analytics - Recommendations by IDU Analytics

Description A detailed description of the change.

Error/Info The reason why the change is invalid.

File Server The name of the file server on which the change was
made.

Last Process ID The unique identifier of the last process which included
the change. This is relevant only for invalid changes or
changes that could not be committed.

Member/Trustee The display and domain name of the member or trustee
(for membership or permission changes).

Member/Trustee (SAM Account Name) The domain and SAM account name (in the format
Domain\SAM Account Name) of the member or trustee
(for membership or permission changes).

Object The name of the object on which the change was made.
The type of object displayed in this column can be one
of the following:
• File
• Folder
• Group (in the format Display Name (Domain))
• User (in the format Display Name (Domain))
• Computer (in the format Display Name (Domain))

Object Path The pathname of the object that was changed.

Pre-requisite Changes One of the following:
• None
• Discard - A list of changes that will be discarded if
the selected change is discarded.
• Commit - A list of all changes that must be
committed or scheduled in order to commit the
selected change.


Status The status of the change, which can be:
• Pending
• Invalid

The following table describes all columns that can be included in the Processes tab:

Column Name Description

Comment The free-text comment entered by the user who
committed the change(s) in the process.

Committed By The name of the user (in the format Domain\DisplayName)
who performed the commit operation.

Committed By (SAM Account Name) The name of the user (in the format Domain\SAM
Account Name) who performed the commit operation.

Commit Time The date and time at which the commit action was
executed by the user. The time format is displayed in
accordance with the IDU Server's local settings.

Complete Time The date and time at which the commit process was
completed (i.e., all changes included in the process
were committed by the system). The time format is
displayed in accordance with the IDU Server's local
settings.

Duration The duration of the commit process.

Number of Changes The number of changes included in the commit process.

Original Process ID The unique identifier of the original process which was
rolled back or is in the process of being rolled back.
This ID is displayed only if a commit process was rolled
back.

Rollback Process ID The unique identifier of the rollback process. This ID is
displayed only if a commit process was rolled back.


Run Start Time The date and time at which the commit process was
executed by the system (i.e., the time at which the first
change in the process was committed). The time format
is displayed in accordance with the IDU Server's local
settings.

Schedule Time The date and time at which the commit process was
scheduled. The time format is displayed in accordance
with the IDU Server's local settings.

Status The status of the process, which can be:
• Scheduled
• In process
• Completed
• Aborting
• Aborted

Archiving Events, Statistics and Committed Processes


The Archive option on the Tools menu enables administrators to archive events, statistics and
committed processes. Events and statistics can be archived for each monitored file server. This
helps reduce the size of the active database. However, historical data that has been archived is
unavailable for online viewing, so this option should only be used for data that is not accessed
regularly.

When events are archived, they are placed into a ZIP file and moved to a directory whose name
includes the name of the file server. For example, a file server named netapp4 would archive to a
directory named Archive_netapp4 under the Varonis directory, whose location is defined during
installation. These directories can be included in a normal backup schedule.

Selecting Events, Statistics and Committed Processes


The Archive window enables you to choose the file server containing the events or statistics to be
archived, as well as a timeframe for the data. You can also choose to archive processes that have
been committed. Note that you cannot select a file server for committed processes.

To select events, statistics and committed processes:

1. Select Tools > Archive.


The Archive window is displayed.


2. From the Archive type drop-down list, select one of the following options:
• Events
• Statistics
• Commit
3. From the File server drop-down list, select the file server containing the events or statistics to
be archived.

Note: You cannot select a file server for committed processes.

4. Set the timeframe for the data to be retrieved:


a. In the From field, click the arrow, and select the beginning date of the timeframe from the
calendar.
b. In the To field, click the arrow, and select the ending date of the timeframe from the
calendar.
5. Click Search.
The tables are listed in the results pane. The Archive Status column displays the status of
each table.


6. To change the operation for a particular event from Archive to Cancel Archive, click the
button for the event in the Operation column.
7. Click OK.

Archiving Events, Statistics and Committed Processes


To archive events, statistics and committed processes:

1. Locate the tables to be archived by entering the relevant search criteria. For instructions on
setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the action button in the Archive column to set their status to Pending archive.
4. Click Run Now.
The CIFS events, statistics or commit processes for that day are archived, and the table's
status becomes Archived.

Restoring Archived Data


To restore archived data:

1. Locate the tables to be restored by entering the relevant search criteria. For instructions on
setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the Restore/Delete action button in the Archive column.
4. From the popup menu, select Restore to set the tables' status to Pending restore.
5. Click Run Now.
The data is restored, and the table's status becomes Active.


Restoring Data Per User


This feature enables you to restore archived data for a single user, from one or more file
servers at once, for a specific time range.

For example, if User A is suspected of having deleted a file three years ago, you can
restore to the database (SQL Server) only those events created by User A, rather than all the
events for all users for the past three years. The search period is limited to seven years.

The data that already exists in the original archive file will remain intact.

To restore data per user:

1. Select Tools > Archive.


The Archive window is displayed.

2. Click Advanced Restore.


The Restore Data per User window is displayed.


3. Do as follows:
a. File Servers - Select one or more file servers.
b. Specific Entities - Select all users or restrict the scope to a single user. If you select the
single user option, select that user from the Directory Services Search dialog box (you
can select up to 50 users).
c. Dates - Select the date range of the archives to be restored (the default is a month earlier
than 180 days ago).

Note: The date picker is not limited to only seven years back. If there are events
archived for a period longer than seven years, those will also be restored unless the
customer has SQL storage limitations.

d. Archive Type - Select the relevant archive type (events or statistics) to restore. Note that
all types are selected by default.
e. Reset button - Sets the filters to the following state:
• File Server – Clears the servers that were selected.
• Entities – Selects all users.
• Dates - The last month relative to the current date.
• Archive Type - Selects all checkboxes (all types).
4. Click Search.
The search results are displayed at the bottom in the results grid.


5. Each row in the table displays all data for the date range for the server/specific user per
archive type. Refer to the following:
• User Name - The user's name; this column is changed dynamically based on the selected
search filter.
• If all users and folders were selected – All users is displayed.
• If specific users were selected – the domain/user name is displayed.
• File Server – The file server's name as it is displayed in DatAdvantage.
• File Server Type – The file server's type as it is displayed in DatAdvantage.
• Archive Status – The table's status; this column can have Archived, Pending Restore or
Mixed statuses. The Mixed status is displayed if some of the days are in Archived status
and some with Pending Restore status.
• Archive Type - Displays events and/or statistics.
• Archive Period - The date range of the archive. The first and last dates that data exists for
this server or specific user will define the displayed range.
• Status Details – Displays details of the various archive statuses.
6. Select the files to restore and click the Restore Now button above the table. The files are
restored.
7. Schedule for Restore - The files are restored on the next run of the weekly table maintenance
job.

Note: The data will not be deleted from the original archive file. It will be re-archived
after the extraction of the selected data.


Deleting Archived Data


Once an object has been deleted it cannot be restored.
To delete archived data:

1. Locate the tables to be deleted by entering the relevant search criteria. For instructions on
setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the Restore/Delete action button in the Archive column.
4. From the popup menu, select Delete to set the tables' status to Pending delete.
5. Click Run Now.
The data is deleted.

Managing IDU Servers


DatAdvantage enables you to connect to various monitored IDU Servers. Use this option if you
have several IDU Servers in your organization, in order to define connection parameters for each
server and switch between them.

Adding IDU Connections


To add a connection to an IDU:

1. Select Tools > Select IDU Server.


The IDU Server Selection dialog box is displayed.

2. Click Servers.
The IDU Server Editor dialog box is displayed.


3. To add another IDU Server to the list:


a. Click Add.
The Server Information dialog box is displayed.

b. Set the following:


• IDU Server address - Type the name or IP Address of the IDU Server to be added.
• Port number - Type the port number to which the IDU Server listens.
c. Click OK.
The IDU Server is added to the list.

Removing IDU Connections


To delete an IDU connection:

1. Select Tools > Select IDU Server.


The IDU Server Selection dialog box is displayed.


2. Click Servers.
The IDU Server Editor dialog box is displayed.

3. From the list, select the IDU to be removed. You cannot remove the currently active IDU.
4. Click Remove.

Configuring Dictionaries
One way to create and update a rule efficiently is to define a dictionary of the terms you want your
rule to search. You can define as many dictionaries as you want.

Use dictionaries with the following guidelines in mind:


• Dictionaries containing fewer than 50,000 records, with three characters or more per record,
are the most effective (dictionaries are limited to a total of 60,000 entries).

Note: These numbers are recommendations. You can define dictionaries with more
records (up to 60,000), or with shorter records, but they may classify your data less
effectively.

• You can schedule a job that automatically uploads and updates dictionaries.
• Dictionaries may be selected as conditions within rules, which means they may be used as
part of a complex Boolean expression (different dictionaries combined with strings and regular
expressions).


Dictionaries are encrypted in the database using a Triple DES-based symmetric encryption system.

To configure a dictionary:

1. Select Tools > Dictionaries.


The Dictionaries window is displayed.

2. Select the Dictionaries tab.

The existing dictionaries are displayed.

Adding Dictionaries
To add a new dictionary:

1. Access the Dictionaries window.


2. Click Add.
The New Dictionary window is displayed.


3. Set the following parameters:


• Name - Type a free-text name for the dictionary.
• Description - Type a free-text description of the dictionary.
• Source file - Click the Browse button to select a CSV file containing the required dictionary
entries, and select one of the following options:
• Add entries from the selected file to the existing list - Select to append the contents of
the CSV file to the existing list.
• Override all existing entries with the contents of the selected file - Select to completely
overwrite the existing list.
• Use the file contents during automatic updates - Select to instruct the DCF to use the
contents of the chosen file when applying automatic updates to the dictionary.
4. To add an entry to the dictionary manually:
a. Click the green plus sign.
The New Entry dialog box is displayed.


b. Type the term you want to add to the dictionary. For example, type ini if you want to
define a rule to be run on all files of the INI type.
c. Click OK.
The term is added to the dictionary list, along with the following additional information:
• Entry - The term itself.
• Enabled - Indicates whether the term is enabled in the dictionary. Terms that are
disabled are not included in the classification process.
• Modified Date - The date on which the term was last modified.
• Source - Indicates whether the term comes from a predefined dictionary or is user-
defined.
5. To edit a term:

Note: Only user-defined terms can be edited.

a. In the Edit Dictionary dialog box, select the term to be edited.


b. Click Edit Entry, or right-click and select Edit Entry from the context menu.
6. To enable a disabled entry:
a. In the Edit Dictionary dialog box, select the term to be enabled.
b. Click the green check mark, or right-click and select Enable Entry from the context
menu.
7. To disable an enabled entry:
a. In the Edit Dictionary dialog box, select the term to be disabled.
b. Click the red disable sign, or right-click and select Disable Entry from the context
menu.
8. To remove a term from the dictionary:

Note: Only user-defined terms can be removed.

a. In the Edit Dictionary dialog box, select the term to be removed from the dictionary list.
b. Click the red icon, or right-click and select Delete Entry from the context menu.

Editing Dictionaries
To edit an existing dictionary:

1. Access the Dictionaries window.


2. Select the row of the dictionary you want to edit.
3. Click Edit Dictionary, or right-click and select Edit Dictionary from the context menu.


4. Edit the dictionary as necessary.


5. To restore the dictionary's original, predefined entries, click Restore.

Note: This action is only available for predefined dictionaries.

Cloning Dictionaries
To clone an existing dictionary and all its entries:

1. Access the Dictionaries window.


2. Select the row of the dictionary you want to clone.
3. Click Clone Dictionary, or right-click and select Clone Dictionary from the context menu.
The dictionary is cloned and appears in the list with the word Copy appended to its name.
4. Edit the cloned dictionary as necessary.

Removing Dictionaries
When you remove a dictionary, all the rules that include this dictionary in their conditions are
erased along with all matching file results. However, the data that is erased is maintained in history
(the amount of time history is maintained depends on the organization's retention policy).

To remove a dictionary:

1. Access the Dictionaries window.


2. On the Dictionaries tab, select the rows of the dictionaries you want to remove.

Note: If your selection includes at least one predefined dictionary (indicated by a lock
icon), the Remove button is disabled.

3. Click the red icon, or right-click and select Delete Dictionary.

Setting Entities as Monitored or Unmonitored


When a file system is monitored by DatAdvantage, all the folders it contains are automatically
monitored. In addition, all the users in Active Directory are automatically monitored.

However, collection of data for so many users across an entire file system can result in a
good deal of needless overhead in terms of storage space and licensing costs. Therefore,
DatAdvantage enables you to select users and folders you do not want to monitor and remove
them from DatAdvantage storage, either temporarily or permanently.

The lists of unmonitored users and folders are easily configurable and can be changed on the fly,
both through the Configuration window and during daily work in DatAdvantage (see Configuring
Unmonitored Folders and Configuring Unmonitored Users).

Note: If you make a change to resume monitoring an unmonitored entity, the change
takes effect either after the nightly run of ADWalk and PullWalk, or after these jobs are run
manually.


For directory service objects, the icon does not change when an object's monitoring status is
changed.

To set an entity as monitored or unmonitored:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Monitor or Stop Monitoring,
as relevant.

Note: The available options depend on the current state of the entity. If an entity is
currently monitored, the only available option is Stop Monitoring. If the entity is not
currently being monitored, the only available option is Monitor. However, both the
Monitor and the Stop Monitoring options may be available for a group if the group
contains both monitored and unmonitored users.

• If you set an entity as unmonitored, it is automatically added to the Unmonitored list
available in the configuration window.
• If you set an entity as monitored, it is automatically removed from the Unmonitored list.
However, you must refresh the entity list to see it in the current view.

Attention: Setting an object as unmonitored filters out all the object's events, and future
events are not collected. This means the recommendations that IDU Analytics makes for
this object may be inaccurate.

Using Follow-up Indicators


You can set flags, tags and notes on entities requiring follow-up. You can also set flags and tags to
be inherited from their parent objects.

Configuring Follow-up Indicators


When defining flags and tags, keep the following in mind:
• Several flags can have the same name, but they must be assigned different colors.
• Several flags can be assigned the same color, but they must have different names.
• Tags can be assigned only one color, but the color can be changed.

To configure flags and tags:

1. Select Tools > Follow Up.


2. In the Flags area, configure flags as follows:


a. To add a flag, click Add.
A new row is added to the Flags grid.
b. To change a flag's name, click it and type the required name. The name is limited to 50
characters.
c. To change a flag's type to either Global or Personal, click the down arrow and select the
required option.

Note: This is only possible if the administrator has enabled global flags through the
Management Console.

d. To change a flag's color, click the Browse button to open the color palette and select the
required color.
e. To remove a flag, select its checkbox and click Remove.

Note: This action removes the selected flags from all the entities to which they are
assigned.

3. In the Tags area, configure tags as follows:


a. To add a tag, click Add.
A new row is added to the Tags grid.
b. To change a tag's name, click it and type the required name. The name is limited to 50
characters.
4. In the Tag Color area, click the Browse button to change the color of tags as required.
5. Click OK.

DATADVANTAGE 6.3 USER GUIDE 142


Chapter 5     COMMON ACTIVITIES

Uploading Follow-Up Indicators


To streamline work with follow-up indicators, you can upload a CSV file containing all the data
required to define flags and tags in a bulk operation.

In addition to adding new tags and global flags, you can use this procedure to convert existing
personal flags to global flags, detach flags and tags from objects, and change the color of a flag or
tag.

The following users can perform this activity:


• System administrator
• Enterprise manager
• Configuration user

To upload follow-up indicators:

1. Select Tools > Upload Follow-up Indicators.


2. Select the prepared CSV file to be uploaded.
The file is uploaded and the flags and tags are created.


Preparing the CSV File to Upload Follow-up Indicators

The CSV file for uploading follow-up indicators can contain two types of rows:
• Definition of flags and tags - Use to identify the flag/tag, as well as the action to be performed
• Definition of assigned objects - Use to identify the objects to which flags and tags are attached

Definition of Flags and Tags


Rows defining flags and tags must have the following structure:

<Follow-up Flag/Tag>,<Flag/Tag Action>,<Flag/Tag Name>,<Old Flag Type>,<Flag Created By>,<Old Flag Color>,<New Flag Color>

Fields that are not required for a particular action can be empty.

Field: Follow-up Object Type
Valid Values:
• TAG - Tag
• FLAG - Flag
Default if Field is Empty: This field cannot be empty

Field: Flag/Tag Action
Valid Values:
• NEW - Add new flag/tag.
• ATTACH - Attach existing flag/tag to entities described in the following rows.
• DETACH - Detach existing flag/tag from entities described in the following rows.
• CHANGE_COLOR - Update the color of a flag. Only a user with permissions to
global flags can change the color of a global flag. Any user can change the color of
a personal flag.
• MAKE_GLOBAL - Make an existing flag global.
Default if Field is Empty: This field cannot be empty

Field: Flag/Tag Name
Valid Values: Free Text - Name of flag/tag
Default if Field is Empty: This field cannot be empty

Field: Old Flag Type
Valid Values: Only for flags. Specify flag type to identify the flag for ATTACH, DETACH,
CHANGE_COLOR and MAKE_GLOBAL operations. Options are:
• GLOBAL
• PERSONAL
Default if Field is Empty: GLOBAL

Field: Flag Created By
Valid Values:
• Domain users and groups: Domain Name/SAM Account Name
• Local SharePoint users and groups: Domain\user
Note: This does not have to be the user uploading the file.
Only for personal flags. Specify the user that created the flag for ATTACH, DETACH,
CHANGE_COLOR and MAKE_GLOBAL operations.
Default if Field is Empty:
• CHANGE_COLOR - If more than one flag exists, an error occurs.
• MAKE_GLOBAL - All flags with the flag name and type are converted into a
single global flag.
• Existing personal flags are deleted.
• ATTACH - If more than one flag exists, an error occurs.
• DETACH - If more than one flag exists, an error occurs.

Field: Old Flag Color
Valid Values: Only for flags. Specify the previous flag color to identify the flag for ATTACH,
DETACH, CHANGE_COLOR and MAKE_GLOBAL operations.
Default if Field is Empty:
• CHANGE_COLOR - If more than one flag exists, an error occurs.
• MAKE_GLOBAL - All flags with the flag name and type are converted into a
single global flag.
• Existing personal flags are deleted.
• ATTACH - If more than one flag exists, an error occurs.
• DETACH - If more than one flag exists, an error occurs.

Field: New Flag Color
Valid Values: Mandatory in the NEW and CHANGE_COLOR operations.
Default if Field is Empty: When a new flag is created and no color is assigned, an error occurs.
If the parameter is passed in the ATTACH/DETACH operation, it is ignored.

Definition of Assigned Objects


Rows defining assigned objects must have the following structure:

<Object Type>,<File Server Name>,<Access Path/User/Group>,<Inherited>


Fields that are not required for a particular action can be empty.

Field: Object Type
Contents:
• DIR - File or folder from the directory tree
• DIR_LOGICAL - Logical path to file or folder from the directory tree
• DIR_DFS - DFS path to file or folder from the directory tree
• USER - User
• GROUP - Group
Default if Field is Empty: This field cannot be empty

Field: File Server Name
Contents: For directories and files, the name of the file server on which the object resides.
Default if Field is Empty: None

Field: Access Path/User/Group
Contents: Object to assign the flag/tag to, or logical path/DFS path/physical path/user/group
name according to the File Server Name parameter.
Users and groups must have the following format:
• Domain users and groups: Domain Name/SAM Account Name
• Local SharePoint users and groups: Domain\user
Default if Field is Empty: This field cannot be empty

Field: Inherited
Contents: Y/N
Default if Field is Empty: No need to enter this for files. For folders, the default is N.


Sample Use Cases

Action: New Tag
Example:
TAG,NEW,My Tag

Action: New Global Flag
Example:
FLAG ,NEW,MyGlobalFlag,,,,#FF0000
Comments:
• Personal flags can only be added through the UI.
• A color must be specified for the flag.

Action: Change color personal flag
Example:
FLAG,CHANGE_COLOR,MyPersonalFlag, PERSONAL,Varonis\lheman,,,#FF0000
Comments:
• The color is in hexadecimal format.

Action: Change color global flag 1 with old color to identify the flag
Example:
FLAG,CHANGE_COLOR,MyFlag,,,#005500,#FF0000
Comments:
• Use the color to identify the flag if there are two global flags with the same name.
• The color is in hexadecimal format.

Action: Change color global flag 2
Example:
FLAG,CHANGE_COLOR,MyFlag,,,,#005500

Action: Make global action
Example:
FLAG,MAKE_GLOBAL, MyFlag ,PERSONAL,,#005500
Comments: Merges personal flags with the same name and color into a single global flag.
If a global flag already exists with this name and color, the personal flag is replaced by
the existing global flag.

Action: Make global action
Example:
FLAG,MAKE_GLOBAL,MyFlag, PERSONAL,Varonis\lheman
Comments: Converts a personal flag to a global flag.
• If more than one flag exists with this name for this user, an error is returned.
• If a global flag already exists with this name and color, the personal flag is
replaced by the existing global flag.

Action: Attach tag to objects (Tag/Flag row)
Example:
• TAG,ATTACH,MyTag
• USER,, PM-LAB.COM\MyUser
• GROUP,, PM-LAB.COM\MyGroup
• DIR,PM-LAB-DV1,C:/Lila,Y
Comments: The tag is added to the group and the two paths.

Action: Attach flag to objects (Tag/Flag row)
Example:
• FLAG,ATTACH,MyGlobalFlag
• USER,, PM-LAB.COM\MyUser
• GROUP,, PM-LAB.COM\MyGroup
• DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a global flag to the specified objects.
If there is more than one global flag with this name, an error is returned.

Action: Attach flag to objects (Tag/Flag row)
Example:
• FLAG,ATTACH,MyPersonalFlag,PERSONAL
• USER,, PM-LAB.COM\MyUser
• GROUP,, PM-LAB.COM\MyGroup
• DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a personal flag to the specified objects. If there is more than one personal
flag with this name, an error is returned.

Action: Attach flag to objects (Tag/Flag row)
Example:
• FLAG,ATTACH, MyPersonalFlag, PERSONAL,Varonis\lherman
• USER,, PM-LAB.COM\MyUser
• DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a personal flag to the specified objects. If there is more than one personal
flag with this name and created by this user, an error is returned.
The flag is added to the group and both paths.

Action: Detach flags from objects (Tag/Flag row)
Example:
• FLAG, DETACH, MyPersonalFlag, PERSONAL,Varonis\lherman ,#005500
• DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Detaches a personal flag from the specified objects. Specify the flag's color to identify it.

Action: Detach tag from object
Example:
• TAG, DETACH,MyTag
• USER,, PM-LAB.COM\MyUser
• GROUP,, PM-LAB.COM\MyGroup
• DIR,PM-LAB-DV1,C:/Lila,Y

Example
TAG,NEW,My Tag
TAG,ATTACH,My Tag
DIR,PM-LAB-DV1,C:/Lila,Y
FLAG,NEW,My Flag1,,,,#FF0000
FLAG,ATTACH,MY Flag1
DIR,PM-LAB-DV1,C:/Lila,Y
USER,,PM-LAB.COM/MyUser
FLAG,My Flag1,PERSONAL,Varonis/Lila
DIR,,PM-LAB-DV1,C:/Lila,Y
FLAG,ATTACH,My Flag,PERSONAL
DIR,PM-LAB-DV1,C:/Lila,Y
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL,Varonis/Lila
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL,,#FF0000
FLAG,CHANGE_COLOR,MyFlag,PERSONAL,,#FF0000,#005500
FLAG,CHANGE_COLOR,MyFlag,PERSONAL,,,#005500
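
A pre-import check for the object rows of such a file, added here as an example (it is not Varonis code). It applies only the rules stated in the parameter table above: allowed object types, a non-empty access path, Y/N for Inherited, and domain-qualified user and group names. The function names, the plain comma split without quoting, and exact-case matching are assumptions; tag/flag rows are skipped, not validated.

```python
import re

# Object types listed in the parameter table.
OBJECT_TYPES = {"DIR", "DIR_LOGICAL", "DIR_DFS", "USER", "GROUP"}
# Tag/flag rows open a block; their columns are not checked in this example.
HEADER_TYPES = {"TAG", "FLAG"}


def check_object_row(fields):
    """Return a list of problems found in one object row (a list of fields)."""
    if len(fields) < 3:
        return ["expected object type, file server name and access path"]
    problems = []
    if len(fields) > 4:
        problems.append(f"{len(fields)} fields, expected at most 4 (stray comma?)")
    obj_type, path = fields[0], fields[2]
    inherited = fields[3] if len(fields) > 3 else ""
    if not path:
        problems.append("access path/user/group cannot be empty")
    elif obj_type in ("USER", "GROUP"):
        # Documented forms: "Domain Name/SAM Account Name" or "Domain\user".
        parts = re.split(r"[\\/]", path)
        if len(parts) != 2 or not all(parts):
            problems.append(f"{path!r} is not domain-qualified")
    # An absent Inherited field is accepted (the documented folder default is N).
    if inherited not in ("", "Y", "N"):
        problems.append(f"Inherited must be Y or N, got {inherited!r}")
    return problems


def validate_import(text):
    """Map 1-based line numbers to problems; clean rows are omitted."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        # Assumption: fields never contain commas and are not quoted.
        fields = [f.strip() for f in line.split(",")]
        if fields[0] in HEADER_TYPES:
            continue
        if fields[0] not in OBJECT_TYPES:
            report[lineno] = [f"unknown object type {fields[0]!r}"]
            continue
        problems = check_object_row(fields)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample: rows 1-5 reuse lines from the guide's examples,
# rows 6-9 are deliberately malformed to exercise each rule.
SAMPLE = r"""TAG,ATTACH,My Tag
DIR,PM-LAB-DV1,C:/Lila,Y
USER,,PM-LAB.COM/MyUser
GROUP,,PM-LAB.COM\MyGroup
DIR,,PM-LAB-DV1,C:/Lila,Y
GROUP,,MyGroup
DIR,PM-LAB-DV1,,N
SHARE,PM-LAB-DV1,C:/Lila
DIR,PM-LAB-DV1,C:/Lila,yes
"""

if __name__ == "__main__":
    for lineno, problems in validate_import(SAMPLE).items():
        print(f"line {lineno}: {'; '.join(problems)}")
```

Row 5 of the sample is the `DIR,,PM-LAB-DV1,C:/Lila,Y` line from the Example block; the extra comma shifts the server name into the access-path position, which the field-count check reports.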


Clearing Follow-Up Indicators


This procedure describes how to clear all follow-up indicators on a specific entity. Do as follows:

1. Select the relevant view.


2. Locate the required entity.
3. To clear all follow-up indicators attached to the entity by other DatAdvantage users,
right-click the selected entity, and from the context menu, select Follow Up > Clear All Users'
Follow-Up Indicators.

All other users' follow-up indicators (tags, global flags, and notes) that were set on that entity
are cleared.

Note: This option is displayed only if the user is defined as an Enterprise Manager.

4. To clear all your own follow-up indicators on a specific entity, right-click the entity, and from
the context menu, select Follow Up > Clear All My Follow-Up Indicators.
All your follow-up indicators that were set on that entity are cleared.

Managing Flags
Flags can be defined as personal, for only the specific user who implements them, or as global, for
all users. Flags can be used in searches and filters, but only global flags may be used in report and
log filters.

Only users specified by the administrator can create new global flags. Other users are free to
attach global flags to the entities they are interested in.


If a global flag is changed to personal or deleted, it becomes a personal flag for all other users that
have implemented it.

If a personal flag is changed to global, all users will see all instances of it.

Multiple flags of each type (global and personal) can be set on a single entity.

Attaching Follow-up Flags to Entities

To attach a follow-up flag to an entity:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select the relevant flag.
The relevant icon is displayed to the left of the entity.

5. Select the relevant inheritance option from the flag's submenu:


• Apply to this object only
• Apply to all child objects

Note: If a flag is set to only the current object and you want to apply it to the child
objects, you must first clear the flag from the current object and then reapply it to all
child objects.

6. To set a defined flag that does not appear in the list, select More from the submenu.
The Manage Flags dialog box is displayed.


7. Select the flags to be attached to the entity.


8. Click OK.
The flag's icon is displayed to the left of the entity.

Inheriting Flags

If a flag is set to only the current object and you want to apply it to the child objects, you must first
clear the flag from the current object and then reapply it to all child objects.

This option is not relevant for virtual groups. Since users cannot be added to virtual groups,
such groups cannot have child objects; therefore, such inheritance is not relevant. Virtual groups
include: Everyone, ANONYMOUS, LOGON, Authenticated Users, Terminal Server Users, Other,
Default.

To set a flag to be inherited by an entity's child objects:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Flags from the submenu.


5. Select More from the submenu.


The Manage Flags dialog box is displayed.

6. On the Manage Flags dialog box, select the Inherited checkbox for that flag.
7. Click OK. The flag is now inherited by the current object's child objects.

Clearing Inheritance on Entities

Flags that are inherited from parent objects to which the flags are still attached cannot be cleared.

To clear inheritances on an entity:

1. Select the relevant view.


2. Right-click the relevant entity, and from the context menu, select Follow Up.
3. Select Clear All Follow-Up Icons. All the flags that were set on that entity and inherited by its
child entities are cleared.

Clearing Global and Personal Flags

This procedure describes how users can clear their global and personal flags. Additionally, users
assigned to the Enterprise Manager role can clear global flags attached to entities by other
DatAdvantage users.

To clear a follow-up flag from an entity:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up > Flags.
4. From the submenu, select the flag (it should be set). The flag is cleared.
5. To clear a defined flag that does not appear in the list, right-click the selected entity, and from
the context menu, select Follow Up > Flags > More.
The Manage Flags dialog box is displayed.
6. Select the flags to be cleared from the entity.


Note:
• Users assigned to the Enterprise Manager role will see their flags (personal and
global) and other users' global flags.
• Users not assigned to the Enterprise Manager role will see their flags (personal and
global) and other users' global flags.

a. To select specific flags, select the checkbox to the left of the flag.
b. To select all flags, click the Select All button.
c. To uncheck all flags, click the Clear All button.

7. Click OK.

Managing Tags
Tags are keywords or terms that help describe the selected entity. Tags are always global, and
can be used in searches and filters. They cannot be deleted.

Multiple tags can be set on a single entity.

Attaching Follow-up Tags to Entities

To attach a follow-up tag to an entity:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select the relevant tag. The relevant icon is displayed to the left of the
entity.


5. Select the relevant inheritance option from the tag's submenu:


• Apply to this object only
• Apply to all child objects

Note: If a tag is set to only the current object and you want to apply it to the child
objects, you must first clear the tag from the current object and then reapply it to all
child objects.

6. To set a defined tag that does not appear in the list, select More from the submenu.
The Manage Tags dialog box is displayed.

7. Select the tags to be attached to the entity.


8. To add a new tag:
a. Click Add.
A new row is added to the grid.
b. Click the row and set the tag's properties as necessary. The tag's name is limited to 50
characters.


9. To set a tag to be inherited by the entity's child objects, select the Inherited checkbox for that
tag.
10. Click OK.
The tag's icon is displayed to the left of the entity.

Clearing Tags from Entities

This procedure describes how users can clear a tag from an entity. Additionally, users assigned
to the Enterprise Manager role can clear tags attached to entities by other DatAdvantage users,
including tags attached by other users who are also assigned to the Enterprise Manager role.

To clear a tag from an entity:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up > Tags.
4. From the submenu, select the tag that is set. The tag is cleared.
5. To clear a tag that does not appear in the list, or to clear multiple tags at once, select Follow
Up > Tags > More.
The Manage Tags dialog box is displayed.


6. Select the tags to be cleared from the entity.


a. To select specific tags, select the checkbox to the left of the tag.
b. To select all tags, click the Select All button.
c. To uncheck all tags, click the Clear All button.
7. Click OK.

Inheriting Tags

If a tag is set to only the current object and you want to apply it to the child objects, you must first
clear the tag from the current object and then reapply it to all child objects.

To set a tag to be inherited by the entity's child objects:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Tags from the context menu.
5. Select More from the context menu.
The Manage Tags dialog box opens.

6. Select the Inherited checkbox for that tag.


7. Click OK.
The tag's icon is displayed to the left of the entity.

Clearing Inheritance on Entities

Tags that are inherited from parent objects to which the tags are still attached cannot be cleared.

To clear all follow-up tags on an entity:

1. Select the relevant view.


2. Locate the required entity.


3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Clear All Follow-Up Icons. All the flags that were set on that entity and inherited by its
child entities are cleared.

Managing Notes
Notes are free-text comments that are defined by individual users on specific entities. However,
while they are defined by users (as opposed to administrators), they are global and can be viewed
and edited by all users. Because notes can be edited by anyone, each note includes the time at
which it was last edited and the name of the user who made the change.

Only one note may be defined on an entity at a time.

Notes can be used in searches but not in filters.

Setting Notes for Follow-Up

To set notes for follow-up:

1. Select the relevant view.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select Note.
The Add/Edit Note dialog box is displayed.

5. Type the text of the note in the text box. The text is limited to 500 characters.
6. Click OK.
The note is added to the entity.

Removing Notes from Entities

If a note is removed from an entity, it is no longer available for any user.

To remove a note:

1. Select the relevant view.


2. Locate the required entity.


3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select Notes.
The Add/Edit Note dialog box is displayed.

5. Click Remove.
The note is removed from the entity and the dialog box is closed.
6. Alternatively, you can perform a general removal process which removes all notes together
with all follow-up indicators (flags and tags) on the selected entity. Do as follows:
• To remove all global follow-up indicators for all users (including yours), select Follow Up >
Clear All Users' Follow-Up Indicators.
• To remove all your follow-up indicators only, select Follow Up > Clear All My Follow-Up
Indicators.

Setting Entities as Included or Excluded from Analysis


Administrators can define a list of entities that IDU Analytics will not take into consideration, so that
no recommendations will be generated for the entities or their permissions. However, the entities
are still monitored by DatAdvantage in every other way: they are considered when statistics are
calculated, events are gathered for them, and so on. Several groups are predefined as excluded
during installation.

The list of excluded users is easily configurable and can be changed on the fly, both through the
Management Console and during daily work in DatAdvantage (see the Management Console User
Guide).

Note: If you set an entity to included or excluded, the change takes effect either after the
nightly run of ADWalk and PullWalk, or after these jobs are run manually.


To set an entity as included or excluded:

1. Select the Recommended Users and Groups pane.


2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Include in Analysis or
Exclude from Analysis, as relevant.
• If you set an entity as included, it is automatically added to the Exclude list available in the
configuration window.
• If you set an entity as monitored, it is automatically removed from the Exclude list.

Working with Lists and Tables


You can manipulate lists and tables to reach the data you need. See the following:
• Sorting Lists and Tables by Column
• Grouping Lists and Tables by Column
• Ungrouping Lists or Tables

Sorting Lists and Tables by Column


To sort a list or a table by a specific column:

• Click the column's heading. The table is sorted by the column.


A triangle is displayed next to the column's header, to indicate the table is sorted by that
column. The sort order (ascending or descending) is indicated by the direction of the triangle.

Grouping Lists and Tables by Column


The Group by Column option enables you to group list or table data according to a specific
column.

To group list or table data according to a specific column:

1. Click the column header.

2. Drag the column headings to the area above the list or table marked Drag a column header
here to group by that column. The list or table is grouped.


3. Drag additional column headings to group the data hierarchically.

Ungrouping Lists or Tables


To ungroup lists or tables that have been grouped by a specific column:

1. Above the list or table, click the name of the column by which the data has been grouped.

2. Drag it away from that area. When you release the mouse button, the list or table is
ungrouped.

Viewing History of Deleted Entities


DatAdvantage enables you to view the history of all entities, even if they have been deleted from
the system.

To view the history of a deleted entity:

1. Select the relevant view.


• Statistics
• Logs
2. Select the relevant entity pane (either Directories or Users & Groups).
3. In the pane, click the History button. If the button is not visible, click the Expand arrow and
select History from the context menu. The entity pane hides all the entities currently in the
system, and displays a calendar area.


Note: When searching for the name of a deleted entity in the Statistics view, the percent
sign (%) can be used as a wildcard; for example, %leg%; %leg; leg%. The percent sign
may not be used between letters.

4. Set the historical timeframe as relevant.


5. Click Search. All entities that existed during the selected timeframe are displayed.
6. Select the required historical entity.

Viewing Entity Properties


DatAdvantage enables you to access the standard real-time properties for entities (users, groups
and directories) located on Windows and Unix machines.

Important: Changes you make through these dialog boxes are implemented immediately in
the real environment.

To view entity properties:

1. Locate the required entity.


2. Right-click the entity, and from the context menu, select Properties. The entity's properties are
displayed.

Opening the Management Console


To open the Management Console from within DatAdvantage:
• Select Tools > Management Console. The Management Console is opened.

Advanced Searching
Advanced search capabilities are available in several views and products throughout the Metadata
Framework.

Accessing Advanced Search Criteria


To access the advanced search criteria:
• In the Logs view, click Switch to advanced mode.
• In the Reports view, click Show Search, or click the show/hide bar in the Viewer.


Selecting the Data Source


To select the data source:
• In the Logs view, select the relevant option from the Show data from drop-down list:
• File system events
• History of differences - To view historical data
• All - To view both file system events and history

Setting the Time Frame for a Search


The default date range is one week before the current date, up to the current date.

To set the time frame for a search:

1. In the From field:


a. Click the arrow, and select the beginning date of the time frame from the calendar.
b. Click the hour and minutes in the From field to set them as necessary.

2. In the To field:
a. Click the arrow, and select the ending date of the time frame from the calendar.
b. Click the hour and minutes in the To field to set them as necessary.
The time frame for the activity is set.

Selecting a Search Mode


DatAdvantage provides two advanced search modes:
• Filter mode - The default mode. Use this mode to add grouping criteria (AND/OR expressions)
and filtering criteria (entities, actions or other properties).
• Sort mode - Use this mode to sort the search results by the predefined columns of the resulting
table.

To select the required search mode:

• On the Advanced Search toolbar, click Filter or Sort By, as relevant.

Adding Grouping Criteria


In Filter mode, you may add as many grouping criteria (AND/OR statements) as you want to the
search expression.

There are two ways to add groups: through the toolbar, or through the context menu.


To add a group through the toolbar:


1. Be sure you are working in Filter mode.
2. On the Advanced Search toolbar, click New Group.
3. From the submenu, select the type of grouping expression to be added:
• Any of (OR)
• All of (AND)

The group is added to the search criteria.

To add a group through the context menu:


1. Right-click an existing group.
2. From the context menu, select New Group.
3. From the submenu, select the type of grouping expression to be added:
• Any of (OR)
• All of (AND)

The new group is nested within the original group.

Nesting Groups and Filters


By default, new groups and filters are added to the currently active group, which is indicated by a
blue bar.

Filters can only be nested within groups; they cannot be nested within other filters.

To nest a group or filter statement within an existing group:

1. Select the group that is to be the parent group.


2. Add the new statement, either through the toolbar or through the context menu. The new
statement is nested within the parent group.

Adding Filters
In Filter mode, you may add as many filters as you want.
• In the Reports view, the filters are equivalent to the headings of the report columns (with the
exception of the User Access Log report, which is, in effect, a log).
• In the Logs view, the filters are specially-defined categories.


To add filters:

1. Be sure you are working in Filter mode.


2. On the Advanced Search toolbar, click New Filter; alternatively, right-click the parent group
and select New Filter. The filter is added to the search criteria, with an AND operator.

Defining Filter Attributes


To define a filter's attributes:
• Next to each filter row, click the Browse button or open the drop-down list to select the values
required for the filter attribute.

Note: Grayed out fields are mandatory.

Changing Operators
To change the operator in a statement:
• Right-click the operator for the relevant filter, and select the required operator from the context
menu.

Changing the Type of an Existing Group or Filter


You can change the type of an existing group or filter on the fly, without changing its position in
the overall expression.

To change the type of an existing statement:

1. Right-click the relevant statement.


2. For groups, select the relevant option from the context menu:
• All of (AND)
• Any of (OR)
3. For filters, select the relevant option from the context menu and its submenus. (See Metadata
Framework Reports Guide for a description of available report filters.)

Note: For reports, other filter options may be displayed depending on the Active
Directory properties that are defined in the system.

The type is changed.

Including and Excluding Groups from the Filter


When you are working with a report that deals with groups, you can easily set groups to be
included or excluded from the filter.


To include or exclude a group from the filter:

1. Right-click the parent filter and select New Filter. The Group Name filter is added.
2. Right-click the Group Name filter and select Include/Exclude Groups. The Group Name filter is
changed to Include/Exclude Groups, and an Include filter is nested within it.

3. Click the Browse button to select the required group.


4. To add an Exclude Groups filter, right-click the Include/Exclude Groups filter again and select
New Exclude Group.
5. Continue adding filters as required.

Removing Groups or Filters


To remove a group or filter statement from the search expression:

1. Select the checkbox of the relevant statement.


2. On the Advanced Search toolbar, click Remove Selected.

Capping the Search Results


The cap mechanism prevents executing searches or rules whose results may have a dramatic
impact on the Metadata Framework, in terms of storage, performance, and so on.

By default, the cap mechanism is disabled, and should be configured only with assistance from
Varonis Support.

Underlying Technology

Based on the SQL Server Resource Governor, the mechanism enables database administrators to
manage SQL Server workload and critical system resource consumption.

When the cap mechanism is configured, one or both of the following keyvalues is set to a value
greater than 0:
• MaxAllowedCost - Set to configure the cap mechanism for logs and reports
• MaxAllowedCostDCF - Set to configure the cap mechanism for the DCF

The values represent the top time or size threshold permitted for generating the report or log, or
executing the DCF rule on which it is set. Once the values are set, they apply to all queries run in
the system.

Once it is configured, users may enable or disable the cap mechanism as needed by clicking
the Cap button in the Advanced Search pane or the DCF Rule dialog box. (This button is only
displayed when the relevant keyvalue is set to be greater than 0.)


To cap the search results:

1. In the Advanced Search pane, click Cap.


2. Generate the report or log as usual. If the result set exceeds the threshold defined by the cap,
it is not generated and a message is returned.
The mechanism stops creation of the report or log, or execution of the rule, as soon as it
recognizes that the defined caps have been or will be exceeded. Keep in mind, therefore, that
the execution may already be in progress when the cap mechanism stops it.
3. If this happens, refine your search criteria to produce a result set that remains within the
threshold. For example, set a shorter time period for the search, restrict the query to only
specific folders or file servers, select specific users, and so on.
4. Execute the search or the rule again.

Saving Defined Searches


DatAdvantage enables you to save all the criteria you have defined for a particular search in an
XML file, so that you can create templates of searches you perform on a regular basis.

To save a defined search:

1. On the Advanced Search toolbar, click Save/Load > Save As or Import/Export Filter > Export
to File, as relevant.
2. Save the search according to standard Windows procedures.

Loading Defined Searches


To load a saved search:

1. On the Advanced Search toolbar, click Save/Load > Load or Import/Export File > Import from
File as relevant.
2. Locate the required search according to standard Windows procedures and click Open. The
search is loaded.

Resetting the Advanced Search Criteria


To reset the advanced search criteria:
• In the Advanced Search pane, click Reset. All defined search criteria, including filtering, sorting
and grouping options, are cleared and the basic advanced search framework is restored. In
report templates, this button resets the displayed filter to the filter last saved with the template.



6 WORK AREA

The DatAdvantage Work Area provides greater visibility to data and the effective rights users have
to that data on the network. This area also displays a virtual view of user and group rights, based
on recommendations made by IDU Analytics or changes made manually by the administrator. The
representation of data in this area allows for direct comparison between the permissions currently
associated with users and groups, and DatAdvantage recommendations made after analyzing and
classifying actual data usage in the environment. Administrators can see the recommendations for
removing or adding access rights to directories and files, and editing user and group relationships
before committing the changes in the Active Directory environment.

The Work Area comprises the following panes:


• Existing Users and Groups - Hidden by default, but can be displayed by clicking the Show/Hide
button
• Directories
• Recommended Users and Groups
• Errors

Understanding the Work Area


DatAdvantage displays permissions in a number of ways, depending on whether the entity you
select (the current active entity) is a user, group or directory.


Current Active Entity: Existing user or group
Permission Indications:
In the Directories pane:
• Color-coding:
  • Green - The active entity has permissions for the directory or file.
  • Yellow - The active entity does not have (and never had) permissions for the directory or file.
• Permissions column - Displays the specific permissions for the active entity.
• Explanations column - Provides further information about the permissions granted to the selected user or group.

Current Active Entity: Recommended user or group
Permission Indications:
In the Directories pane:
• Color-coding:
  • Green - The active entity has permissions for the directory or file.
  • Yellow - The active entity does not have (and never had) permissions for the directory or file.
  • Red - It is recommended to remove or modify the active entity's permissions to the directory or file.
• Permissions column - Displays the specific permissions for the active entity.
• Explanations column - Provides further information about the permissions granted to the selected user or group.

Current Active Entity: Directory
Permission Indications:
In the Existing Users and Groups list:
• Displays the actual permissions of each entity on the directory or file.
In the Recommended Users and Groups list:
• Displays the recommended permissions of each entity on the directory or file, as follows:
  • Exclamation point - Indicates an error exists
  • Refresh symbol - A change has been made
  • Plus sign - Permissions have been added
  • X - Permissions have been removed
  • I - Indicates related problem or information
  • No access sign - May indicate a problem with permissions
• Permissions column - Color-coding indicates specific permissions that have been added or removed:
  • Green - Permissions that the administrator has added
  • Red - Permissions that have been removed, or that DatAdvantage recommends removing

Viewing Permissions
While the procedure for viewing permissions is the same throughout the Work Area, the actual
display of permissions depends on the type of entity you have selected (that is, the current active
entity).

To view the permissions a user or group actually has for a specific directory:

1. Select the Work Area.


2. In the Directories pane, locate the relevant entity.
3. Select the required Users and Groups list (click the Show/Hide button to display the Existing
Users and Groups list if it is hidden).
4. In the selected Users and Groups list, locate the required entity.
5. Double-click the name of the entity. The entity's permissions are displayed.


The File System Permissions column displays permissions as follows:


Resource Type: Windows
Display: Standard Windows permissions:
• F - Full Control
• M - Modify
• R - Read
• W - Write
• L - List folder contents
• X - Read and execute

Resource Type: Unix
Display: Standard Unix permissions:
• Owner
  • R - Read
  • W - Write
  • X - Execute
• Group
  • R - Read
  • W - Write
  • X - Execute
• Other (represented as "Everyone")
  • R - Read
  • W - Write
  • X - Execute

Resource Type: On-premises SharePoint/SharePoint Online/OneDrive
Display: Standard SharePoint permission levels:
• Full Control
• Design
• Contribute
• Read
• Limited Access
• View Only
• Add Items (Anonymous) - On-premises SharePoint only
• Edit Items (Anonymous) - On-premises SharePoint only
• Delete Items (Anonymous) - On-premises SharePoint only
• View Items (Anonymous) - On-premises SharePoint only
• Entire Web site (Anonymous) - On-premises SharePoint only
• Lists and libraries (Anonymous) - On-premises SharePoint only
• Guest Link Edit (Anonymous) - SharePoint Online and OneDrive only
• Guest Link View (Anonymous) - SharePoint Online and OneDrive only

Resource Type: On-premises Exchange/Exchange Online
Display: Standard Exchange mailbox permissions:
• Full Access
• Send As
• Send On Behalf
Standard Exchange sharing permission levels:
• None
• Owner
• Publishing Editor
• Editor
• Publishing Author
• Author
• Nonediting Author
• Reviewer
• Contributor
• None

Resource Type: Directory services
Display: Standard role names related to each entity, such as Full Control, Read, Write, Special Permissions

If you are working with a directory or directory service object, you may find that the
permissions are displayed in parentheses. This indicates Deny permissions.

For POSIX ACLs, lowercase letters indicate that the permission has been granted, but is
masked; in effect, this means the permission does not exist.
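The masking rule above can be reproduced from any getfacl-style listing. The following Python example is added here for illustration and is not DatAdvantage code: it parses an access ACL, applies the mask to the entries it governs (named users, the owning group and named groups), and prints granted-but-masked bits in lowercase. The sample ACL, the function names and the use of "-" for bits that are not granted are assumptions of the example.

```python
"""Render POSIX ACL entries with masked grants in lowercase (added example)."""
from dataclasses import dataclass

# Constructed getfacl-style text for a hypothetical directory (sample data).
SAMPLE_ACL = """\
# file: projects/finance
# owner: alice
# group: finance
user::rwx
user:bob:rwx
group::r-x
group:auditors:rw-
mask::r--
other::---
"""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
TAGS = ("user", "group", "mask", "other")


@dataclass(frozen=True)
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # named user or group; empty for owner and owning group
    perms: int      # 3-bit rwx value


def parse_perms(text):
    """Convert a field such as 'r-x' into its 3-bit value."""
    if len(text) != 3:
        raise ValueError(f"bad permission field: {text!r}")
    value = 0
    for (letter, bit), char in zip(PERM_BITS, text):
        if char == letter:
            value |= bit
        elif char != "-":
            raise ValueError(f"bad permission field: {text!r}")
    return value


def parse_acl(text):
    """Parse access ACL entries; comments and default: entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in TAGS:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        entries.append(AclEntry(parts[0], parts[1], parse_perms(parts[2])))
    return entries


def mask_applies(entry):
    """The mask limits named users, the owning group and named groups."""
    return entry.tag == "group" or (entry.tag == "user" and entry.qualifier != "")


def render(entry, mask):
    """Uppercase = effective, lowercase = granted but masked, '-' = not granted."""
    limit = mask if (mask is not None and mask_applies(entry)) else 7
    shown = ""
    for letter, bit in PERM_BITS:
        if not (entry.perms & bit):
            shown += "-"
        elif limit & bit:
            shown += letter.upper()
        else:
            shown += letter
    return shown


def effective_view(text):
    """Map 'tag:qualifier' to its rendered permission string."""
    entries = parse_acl(text)
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    return {f"{e.tag}:{e.qualifier}": render(e, mask)
            for e in entries if e.tag != "mask"}


def masked_entries(text):
    """Entries holding at least one grant that the mask cancels."""
    return sorted(name for name, shown in effective_view(text).items()
                  if any(char.islower() for char in shown))


if __name__ == "__main__":
    for name, shown in effective_view(SAMPLE_ACL).items():
        print(f"{name:16} {shown}")
    print("review:", masked_entries(SAMPLE_ACL))
```

Entries returned by masked_entries are the ones worth reviewing: widening the mask later would silently activate those grants.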

Note:
It is recommended that, in the ordinary course of work, you check the permissions
of the protected and unique directories (those whose folder icon is decorated with a
person). In general, all other directories (that is, those that are not unique) inherit their
permissions from the unique parent, and are therefore color-coded the same way the
parent directories are.

However, on NTFS, permissions can be set for only a specific directory, or to a specified
set of sub-directories. This means there may be unique directories whose color-coding
is different than the directories from which they inherited, since they have different
permissions.


Viewing Permission Sources


The Explanations column of the Work Area displays the aggregated effective permissions for the
selected user or group. It is limited to displaying only one of the groups from which any of the
effective permission masks are inherited.

However, the Permission Sources window displays highly detailed permission data. Specifically,
it lists all the groups from which a permission mask is inherited, along with the root folder of the
inheritance.

The window displays the following data related to permissions:

Note: For deleted users, the user name is displayed in the Permission Sources window.

• NTFS-based platforms:
  • Detailed inheritance
• SharePoint/SharePoint Online/OneDrive:
  • The site in which the current and recommended permission levels are defined
  • The site collection administrators group permission and root folder
• Unix:
  • Permission type
  • Root user permission
• Exchange/Exchange Online:
  • Permission type
  • The mailbox folder from which mailbox permissions are inherited
• Directory service objects:
  • Detailed inheritance of permission roles

Important: If a particular role has one ACE in one row and other ACEs in other rows
(due to different flags or inheritance sources), full details are displayed in the header.
This display is only available for roles that are Read/Write for property sets. It is not
available for generic roles.

To view permission sources:

1. Select the Work Area.


2. In the selected Users & Groups list, locate the required entity.
3. Double-click the name of the entity. The entity's permissions are displayed.
4. In the Directories pane, locate the relevant entity.
5. Right-click and select Permission Sources.
The Permission Sources window is displayed.


Viewing Permission Sources Causing Access Errors


This window enables users to view permission sources that are causing access errors. It is shown
only if there are edited permissions causing access errors for a user/computer.

To view permission sources causing access errors:

1. Select the Work Area.


2. In the Expected Access Errors pane, expand the relevant item and select the Membership
Changed/Permission Changed link.
The Permission Sources window is displayed.
3. Click the Permission Sources Causing Access Errors tab.

4. Refer to the following:


• Access Path with Permission Change - The path of the folder or special file on which the
permission source has unique permissions.
• Permission Source - The source through which the user has permissions on the folder and
on which an editing command exists.
• Time of Permission Change - The date and time when the DA user/system editing
action occurred (based on IDU server time).
• Change By - The name of the user who created the editing command.
• Current Permissions via Source - The current permission the entity has on the folder in
the Admin Set but only through this source.
• Current Flags via Source - The current permission flags the entity has on the folder in the
Admin Set but only through this source.
• Recommended Permissions via Source - The recommended permission the user has on
the folder in the Existing Set but only through this source based on the displayed editing
command.
• Recommended Flags via Source - The recommended permission the user has on the
folder in the Existing Set but only through this source.
• Change Description - A description of the permission change.

Viewing Recommendations
While the procedure for viewing recommendations is the same throughout the Work Area, the
actual display of recommendations depends on the type of entity you have selected (that is, the
current active entity).

To view the recommendations that have been made for a user, group, directory or file:

Note: This has no relevance for directory service probing.

1. Select the Work Area.


2. In the Directories pane, locate the relevant entity.
3. In the Recommended Users and Groups list, locate the required entity.
4. Double-click the name of the entity. The entity's recommendations are displayed.

Managing Permissions

Editing Permissions on Windows Directories and Files


To adjust the permissions granted to a user or a group on a Windows machine:

1. Select the Work Area.


2. Locate the relevant directory or file.
3. Double-click the directory or file to display its permissions.


4. In either the Directories pane or the Recommended Users and Groups list, locate the entity
whose permissions you want to edit.
5. Right-click the entity, and from the context menu, select Edit Permissions. The Properties
dialog box is displayed.

Important: This is not Microsoft's standard Permissions dialog box. Changes made here
do not affect the real environment until they are actually committed.

6. In the Group or User Names area, select the group or user whose permissions you want to
edit.
7. In the Permissions For area, select the permissions to be added to the entity, and clear the
permissions to be removed from the entity.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the
virtual sandbox. For example, if a user had Full Control permissions on a file, and you
choose to deny the user Write permissions, the Full Control, Modify and Write options are
automatically cleared in the Allow column.

Note: If you add permissions to a directory or file whose permission type is Inherited, the
permission type becomes Unique.

8. To define special permissions and advanced settings, click Advanced. The Advanced
Security Properties dialog box is displayed.

   a. To add a permission entry to the entity, click Add and define the permissions as relevant.
   b. To edit an existing permission entry:
      1. Click Edit. The Permission Entry For dialog box is displayed.
      2. From the Apply to drop-down list, select the objects to which the permissions will be
         applied.
      3. To apply these permissions to objects or containers within the current container,
         select the relevant checkbox at the bottom of the dialog box.
      4. To clear all permissions, select Clear All.
      5. Click OK.
   c. To remove a permission entry, select the relevant entry and click Remove.
   d. Click OK.
      The Advanced Security Properties dialog box is closed.
9. In the Properties dialog box, click OK. The dialog box is closed.
After the views are refreshed, the changes in the entity's permissions are indicated as follows:
• Exclamation point - Indicates an error exists
• Refresh symbol - A change has been made
10. Synchronize the system.
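The cascade described in step 7 (denying Write to a user who holds Full Control clears Full Control, Modify and Write in the Allow column) follows from how the basic NTFS permissions overlap as access-mask bits. The Python example below is added for illustration and is not DatAdvantage code; it assumes a single trustee with explicit entries, the access-right values from winnt.h, a Deny entry that omits SYNCHRONIZE, and hypothetical function names.

```python
"""Model how a Deny entry clears basic NTFS permissions (added example)."""

# Access-right bits as defined in the Windows SDK header winnt.h.
FILE_READ_DATA = 0x000001
FILE_WRITE_DATA = 0x000002
FILE_APPEND_DATA = 0x000004
FILE_READ_EA = 0x000008
FILE_WRITE_EA = 0x000010
FILE_EXECUTE = 0x000020
FILE_DELETE_CHILD = 0x000040
FILE_READ_ATTRIBUTES = 0x000080
FILE_WRITE_ATTRIBUTES = 0x000100
DELETE = 0x010000
READ_CONTROL = 0x020000
WRITE_DAC = 0x040000
WRITE_OWNER = 0x080000
SYNCHRONIZE = 0x100000

# Basic permissions are unions of the bits above, so they overlap.
READ = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
        | READ_CONTROL | SYNCHRONIZE)
WRITE = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
         | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE)
READ_EXECUTE = READ | FILE_EXECUTE
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER

# Letters follow the guide's File System Permissions column.
# L (List folder contents) uses the Read and execute bits on folders only.
BASIC = (
    ("F", FULL_CONTROL),
    ("M", MODIFY),
    ("X", READ_EXECUTE),
    ("L", READ_EXECUTE),
    ("R", READ),
    ("W", WRITE),
)


def mask_for(letters, deny=False):
    """OR together the masks for the given letters.

    Deny masks drop SYNCHRONIZE (assumption of this example) so that a
    Deny entry does not take away the ability to open the object at all.
    """
    lookup = dict(BASIC)
    mask = 0
    for letter in letters:
        mask |= lookup[letter]
    return mask & ~SYNCHRONIZE if deny else mask


def allow_column(allow_mask, deny_mask, is_directory=False):
    """Letters whose every bit is still allowed after Deny is applied."""
    effective = allow_mask & ~deny_mask
    return "".join(
        letter for letter, mask in BASIC
        if (is_directory or letter != "L") and (effective & mask) == mask
    )


def deny_effect(allow_letters, deny_letters, is_directory=False):
    """Return (before, after, cleared) Allow-column letters."""
    allow = mask_for(allow_letters)
    before = allow_column(allow, 0, is_directory)
    after = allow_column(allow, mask_for(deny_letters, deny=True), is_directory)
    cleared = "".join(letter for letter in before if letter not in after)
    return before, after, cleared


if __name__ == "__main__":
    # The guide's scenario: Full Control on a file, then Deny Write.
    print(deny_effect("F", "W"))
    # The same change on a folder, where List folder contents also applies.
    print(deny_effect("F", "W", is_directory=True))
```

Read and Read and execute survive because none of their bits are in the Write set, which is why a Deny on one basic permission can leave a narrower Allow set than an administrator expects.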

Editing Permissions on Unix Directories and Files


To adjust the permissions granted to a user or a group on a Unix machine:

1. Select the Work Area.


2. Locate the relevant directory or file.
3. Double-click the directory or file to display its permissions.
4. In either the Directories pane or the Recommended Users and Groups list, locate the entity
whose permissions you want to edit.
5. Right-click the entity, and from the context menu, select Edit Permissions. The Properties
dialog box is displayed.


6. On the Permissions tab, do the following as necessary:


• Owner - This field displays the entity's current owner. To change the owner, click Change
and select the required owner from the Active Directory dialog box.
• Owner Group - This field displays the owner group that has a relationship with the entity.
To change the owner group, click Change and select the required owner group from the
Active Directory dialog box.
• Permissions - In the Permissions area, select the permissions to be added to the entity,
and clear the permissions to be removed from the entity.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the
virtual sandbox.
• Protection - In the Protection area, select various options to allow users to temporarily
assume the permissions of the folder's owner or owner group.
• Set UID - Select to allow users to assume the owner's user ID for the folder.
• Set GID - Select to allow groups to assume the owner group's ID for the folder.
• Sticky Bit - Select to allow files within the folder to be renamed or deleted only by the
file's owner, the folder's owner, or a superuser.

Note: If you add permissions to a directory or file whose permission type is
Inherited, the permission type becomes Unique (see Adding Protection to a
Directory or File).
In addition, you can revert to the previous owner or group, or change the existing
owner or group.


7. On the Access Control List tab, define POSIX ACLs as follows:


a. In the Mask area, set the default Read, Write and Execute permissions for the User,
Group and Other masks.
b. In the Extended area, click Add to add specific users or groups and set their permissions.
c. To remove a user or group from the POSIX ACL, select its row in the Extended area and
click Remove.

8. Click OK.

Editing Permissions and Permission Levels in On-Premises SharePoint and SharePoint Online

Note: The following information is also relevant for OneDrive.

Adding Permission Levels to On-Premises SharePoint and SharePoint Online Directories and Files
This operation adds a permission level to a site.

• The scope of the permission level includes the site and all its descendants (except for sites with
protected permission levels and their descendants).
• Once the permission level is added, it can be assigned to users on items in the scope.
• Permission levels can only be added to sites with protected permission levels.
• Two permission levels cannot have the same name.
• You can restore a permission level that was previously deleted. This undoes the Remove
Permission Level command.
• Names are not case-sensitive.


Removing Permission Levels


This operation removes the permission level from the site.
• This operation removes all the ACEs with the permission level in the scope of the permission
level.
• The permission level cannot be assigned to users after it is removed.
• You can only remove permission levels from sites with protected permission levels.
• If the permission level is removed and then restored, the ACEs that were deleted should also
be restored, and the Remove Permission Level command is cancelled.
• Effect on previous commands:
• Removing a permission level that was added and has not been committed yet deletes the
Add Permission Level command.
• Previous Change Permission Level Name, Description or Mask commands on this
permission level are deleted.
• Previous Add Assignment commands referencing this permission level are deleted.
• Previous Remove Assignment commands referencing this permission level are deleted.
• Limited Access, Full Control and Anonymous permission levels cannot be removed.

Changing Permission Level Name


This operation changes the permission level name.
• It has no effect on the permissions themselves.
• Limited Access, Full Control and Anonymous permission levels cannot be changed.
• You cannot change the name of a permission level you previously removed.
• Names are not case-sensitive.

Changing Permission Level Description


This operation changes the permission level description.
• It has no effect on the permissions themselves.
• Limited Access, Full Control and Anonymous permission levels cannot be changed.
• You cannot change the description of a permission level you previously removed.

Changing Permission Level Access Mask


This operation changes the permission level access mask.
• The access mask cannot be empty.
• Limited Access, Full Control and Anonymous permission levels cannot be changed.
• You cannot change the mask of a permission level you previously removed.

Adding Permissions
This operation adds permissions to a user or group for an entity.
• It creates Limited Access assignments for the user in all parent-protected items up to the first
protected site (if they do not already exist).
• You cannot assign the Limited Access permission level directly.
• You cannot assign permission levels to the Site Collection Administrators group.


• You can assign anonymous permission levels only to sites and lists (not to children of lists).
• For sites and document libraries you can only add the View (Anonymous) permission level.
• DatAdvantage only supports lists of the Document Library type.
• For the Anonymous user, Limited Access ACEs are not created.
• You cannot assign a deleted permission level.
• You can restore deleted permissions or an entire user. This cancels the Remove Assignment
command and restores the deleted ACEs.

Removing Permissions
This operation removes permissions from a user on an item.
• There are two modes for this operation:
• Remove a single regular permission - Simple mode, in which only the permission is
removed.
• Remove all a user's permissions - Complex mode.
• This operation removes all the permissions for this user in child items down to protected
sites.
• Removing the last permission level on an item from a user also removes the entire user.
• This does not apply to the Anonymous user.
• Removing a permission that was added but not committed removes the permission and cancels
the Add Permission command.
• You can remove the anonymous permissions from sites and lists.
• You cannot remove the Full Control permission level from the Site Collection Administrators
group.

Changing Protection or Inheritance


This operation can be performed in the following modes:
• Add protection with copy permissions.
• Add protection without copy permissions.
• Remove protection (inherit permissions).

The operation marks the item as protected and copies all the assignments from the protected
parent.

Adding Protection with Copying Permissions


• Anonymous permissions are not copied when adding protection to descendants of lists (only to
lists and subsites).
• Adding protection to an item inside a list that has anonymous permissions does not copy the
anonymous permissions.


Adding Protection without Copying Permissions


This operation marks the item as protected but does not copy the permission from the protected
parent item.
• There are two exceptions to this:
• The Site Collection Administrator Full Control ACE is still copied.
• Anonymous permissions are still copied for lists and subsites.
• All the ACEs in descendant items are deleted down to the protected sites.
• This operation is not supported from the SharePoint web interface.

Removing Protection (Inheriting)


This operation marks the item as inherited.
• When removing protection from a site, all the descendant protected items also become
inherited, down to the protected sites.
• Effect on previous commands - When protection is removed from a site:
• Add/Remove Protection commands in the operation scope are deleted.
• Add/Remove Permission commands in the operation scope are deleted.

Protecting Permission Level Definitions


This operation breaks the inheritance of permission level definitions and copies the permission
levels from the protected permission levels parent site, and the permissions from the protected
parent site.
• All the ACEs on descendant items that used the old permission levels are modified to point to the
new permission levels.
• Permission level definitions can only be on sites.
• If the site was inherited it becomes protected.
• Permissions and access stay the same.

Caution: This operation might cause data corruption on SharePoint versions earlier than
service pack 2.

Inheriting Permission Level Definitions


This operation resets the inheritance of permission level definitions, and removes the permission
level definitions from the site.
• All the protected descendant items of the site down to the protected permission level sites and
the site itself become inherited.
• You cannot inherit permission level definitions in the site collection root site.

Caution: This operation might cause data corruption on SharePoint versions earlier than
service pack 2.

• Effect on previous commands - When inheriting permission levels of a site:


• Add/Remove/Change Permission Level commands in the site are deleted.
• Add/Remove Protection commands in the operation scope are deleted.
• Add/Remove Assignment commands in the operation scope are deleted.


Editing On-Premises SharePoint and SharePoint Online Permissions

Note: The following procedure is also relevant for OneDrive.

To edit permissions:

1. Select the Work Area.


2. Locate the relevant site or subsite.
3. In either the Directories pane or the Recommended Users and Groups list, locate the entity
whose permissions you want to edit.
4. Right-click the entity, and from the context menu, select Edit Permissions. The Edit
Permissions dialog box is displayed.

5. In the Group or User Names area, select the group or user whose permissions you want to
edit. (To add a user or group, click Add and browse to the required entity.)
6. In the Permission Levels area, set the entity's permissions as follows:
a. To add a permission level, click Add. The Select Permission Levels dialog box is
displayed.


b. Select the required permission level and click OK. The permission level is added to the
entity.
c. To remove a permission level from the entity, select it and click Remove. The permission
level is removed from the entity.
7. Click OK.

Note: If you add permissions to a directory or file whose permission type is Inherited, the
permission type becomes Unique.

Editing On-Premises SharePoint and SharePoint Online Permission Levels

Note: The following procedure is also relevant for OneDrive.

Windows SharePoint Services includes five permission levels by default:


• Full Control
• Cannot be customized
• Contains a full access mask
• Limited Access
• Designed to be combined with fine-grained permissions to give users access to a specific
list, document library, item, or document, without giving them access to the entire site
• Cannot be customized or deleted
• Cannot be assigned directly
• Read
• Can be customized and deleted
• Has a special permission level type in SharePoint
• Is automatically given to a site when protecting its permission levels, even when choosing to
not copy the permission levels from the parent


• Contribute
• Can be customized and deleted
• Has a special permission level type in SharePoint
• Is automatically given to a site when protecting its permission levels, even when choosing to
not copy the permission levels from the parent
• Design
• Can be customized and deleted
• Has a special permission level type in SharePoint
• Is automatically given to a site when protecting its permission levels, even when choosing to
not copy the permission levels from the parent

Anonymous Permission Levels

Anonymous permission levels appear in DatAdvantage for all SharePoint objects (except for Web
sites) as follows:

• View Items (Anonymous)


• Edit Items (Anonymous)
• Add Items (Anonymous)
• Delete Items (Anonymous)

Anonymous permission levels appear in DatAdvantage for SharePoint Web sites as follows:
• Lists and libraries (Anonymous)
• Entire Web site (Anonymous)

The following restrictions apply to anonymous permission levels:

• Sites can only be assigned with the View (Anonymous) permission level.
• Document libraries can only be assigned with the View (Anonymous) permission level.
• Sub-items of lists cannot be assigned with anonymous permission levels.
• Protected items of lists are never accessible to anonymous users.

For SharePoint sites that are monitored by DatAdvantage, you can customize the permissions
available in these permission levels (except for the Limited Access and Full Control permission
levels), or you can create new permission levels that contain specific permissions.

Permission levels are inherited from the parent site. This means that to edit a site's permission
levels, you must either edit the parent site, or break the inheritance.

To edit permission levels:

1. Select the Work Area.


2. Locate the relevant site or subsite.
3. In either the Directories pane or the Recommended Users and Groups list, locate the entity
whose permissions you want to edit.
4. Right-click the entity, and from the context menu, select Edit Permission Levels. The Edit
Permission Levels dialog box is displayed.


5. To add a permission level:


a. Click Add.
The Add Permission Level dialog box is displayed.

b. Enter a name and a description for the permission level.


c. Click OK.
The permission level is added to the list at the top of the dialog box.


6. To edit a permission level:


a. Select the relevant permission level from the list.

Note: You cannot edit the five default permission levels.

b. In the bottom pane, select the permissions to be added to the permission level. You
may select permissions from any of the following categories (see the descriptions in the
dialog box for more information):
• List permissions
• Site permissions
• Personal permissions
c. Click OK.
The permissions are changed and marked as follows:
• Additional permissions are marked in green
• Removed permissions are marked in red
Each change you make automatically results in changes to other permissions. For
example, if you remove the View Pages permission, the Use Self-Service permission
is automatically removed.
7. To remove permissions from a permission level:
a. In the top list, select the relevant permission.
b. Click Remove.
After a change is made, the name of the changed permission level and an asterisk (*) are
displayed when you click a user. These indications remain in place until the change to the
permission level is either committed or undone.

Editing Permissions and Permission Levels in Exchange

Attention: DatAdvantage supports only manual editing for Exchange storage groups; it does
not provide recommendations.


In general, DatAdvantage displays Exchange permissions in an intuitive, user-friendly fashion.


However, the following notes must be remembered:
• A special entity called SELF exists on each mailbox, representing the mailbox's owner.
• When a mailbox is double-clicked, SELF is displayed as an object in the Users & Groups list.
• When the actual owner name is double-clicked in a Users & Groups list, the SELF account is
taken into consideration and added to the effective permissions.
• Exchange provides an ACL called None, to deny other users access to a particular mailbox. It
should be noted that despite its name, this ACL allows people (specifically, the mailbox owners
themselves) to access the mailbox.

Note: Editing permissions and permission levels in Exchange Online is not supported.

Editing Exchange Mailbox Permissions

You can only edit mailbox permissions at the level of the mailbox itself. You cannot edit the
permissions defined for a mailbox's folders, such as its inbox or its calendar. (However, sharing
permissions may be edited for the mailbox's individual folders.)

Note: Editing Exchange Online mailbox permissions is not supported.

To edit mailbox permissions:

1. Select the Work Area.


2. In the Directories pane, locate the relevant mailbox.
3. Right-click the mailbox and from the context menu, select Edit Permissions. The Permissions
dialog box is displayed, with the Mailbox Permissions tab open.

Note: You can access this dialog from the Users & Groups panes by clicking the name
of the permission level associated with the entity, but in this case the dialog box is
opened in read-only mode.


4. In the User or Group Names area, select the group or user whose permissions you want to
edit. (To add a user or group, click Add and browse to the required entity.)
5. In the Permissions for User area, select the permissions to be added to the entity, and clear
the permissions to be removed from the entity.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the virtual
sandbox.
6. Click OK.

Editing Exchange Sharing Permissions

Note: Editing Exchange Online sharing permissions is not supported.

You may edit sharing permissions for an entire mailbox, for individual folders within the mailbox, or
for public folders as necessary.

To edit a mailbox's sharing permissions:

1. Select the Work Area.


2. In the Directories pane, locate the relevant mailbox.


3. Right-click the mailbox or folder, and from the context menu, select Edit Permissions. The
Permissions dialog box is displayed, with the Mailbox Permissions tab open.

Note: You can access this dialog from the Users & Groups panes by clicking the name
of the permission level associated with the entity, but in this case the dialog box is
opened in read-only mode.

4. Select the Sharing Permissions tab.


5. In the upper area, select the group or user whose permissions you want to edit. (To add a
user or group, click Add and browse to the required entity.)
The entity's permission level is indicated in the lower area.
6. Edit the entity's permissions as follows:
• To change the entity's permissions according to a built-in permission level, select the
required permission level from the list.
• To create custom permissions for the entity, select or clear the permissions in the lower
area as required.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively. This markup is also used to indicate the differences if you
change the built-in permission level associated with the entity.
• Each change you make automatically results in changes to other permissions in the virtual
sandbox.


7. Click OK.

Viewing Directory Service Permissions


To view the permissions a directory service account has on an entity:

1. Select the Work Area.


2. In the Directories pane, locate the relevant entity.
3. Right-click the entity and select View Permissions.
The Security Properties window for the entity is displayed.


• If opened from the Directories pane, this window displays all ACLs that exist on the
selected entity.
• If opened from the Users and Groups pane (following the selection of a directory service
entity), this window displays only the roles and ACEs that exist on that directory for the
selected account.
4. To view special permissions and advanced settings, click Advanced.
The Advanced Security Properties window is displayed.

This window displays all permission entries, or ACL trustees, that comprise the ACL.


5. To set the permission entries as inherited from their parent objects, select the option: Inherit
permission entries from parent that apply to child objects. Include these with entries explicitly
defined here.
6. To view more information about a permission entry, select it and click View.
The Permission Entry window is displayed.

7. Select Apply these permissions to objects and/or containers within this container only as
necessary.

Managing Directories and Files

Creating Groups with Permissions to Directories


Before your first use of the Group Creation Wizard, configure the relevant settings on the Group
Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.

Note: This feature is only available for Windows file servers.

To create a new group with the permissions required for a directory:

1. Select the Work Area.


2. In the Directories pane, right-click the directory or file to which you want to add a user or
group.
3. Click Create New Group with Permissions.


The Group Creation Wizard is displayed.

4. On the New Group page of the wizard, set the following properties for the group you want to
create:
• Group path - Select the domain or OU in which to create the new group.
• Group name - Define a name for the new group.
• Group name (pre-Windows 2000) - If necessary, define the SAM account name for the
new group. Automatically populated when the Group name field is populated.
• Description - Enter a free-text description of the group, up to 1024 characters.
• Group scope - Determine the scope of the new group.

Note: This pane is only visible for Active Directory 2000 and higher.

• Domain local - A domain local group is a security or distribution group that can contain
universal groups, global groups, other domain local groups from its own domain, and
accounts from any domain in the forest. You can give domain local security groups
rights and permissions on resources that reside only in the same domain in which the
domain local group is located.
• Global - A global group is a group that can be used in its own domain, in member
servers and in workstations of the domain, and in trusting domains. In all those
locations, you can give a global group rights and permissions and the global group can
become a member of local groups. However, a global group can contain user accounts
that are only from its own domain.
• Universal - A universal group is a security or distribution group that contains users,
groups, and computers from any domain in its forest as members. You can give
universal security groups rights and permissions on resources in any domain in the
forest. Universal groups are not supported for Windows 2000.
• Group type - Determine whether the group is a security group or a distribution group.

Note: Since distribution groups cannot be granted permissions, the distribution
group option is only available if the wizard is started from the Recommended Users
and Groups pane.

5. Click Next.
The Members page is displayed.

6. To add members to the group, click Add and search for the required users in the Directory
Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

7. For advanced options in adding members to the group, click one of the following:

Note: The entities available for selection are determined by the group scope you
defined earlier.

• Add members from other groups - (this option will only display groups) opens the Directory
Services Search dialog box.

Use the functionality to search for users from other groups and then select one of the
following options in the Select which accounts are added area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members
to the new group and will be shown in the Members pane in the Group Creation
Wizard.
• All nested user and computer accounts - All user/computer members (direct and
indirect) are copied from the selected groups to the Members pane in the Group
Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
• Add users or groups with existing permissions - opens the Users/Groups with Existing
Permissions dialog box and displays current existing permissions on the selected folder.

Select the users and groups from the Available Entities area for display in Selected
Entities. Select one of the following options in the Select which accounts are added area
at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members
to the new group and will be shown in the Members pane in the Group Creation
Wizard.
• All nested user and computer accounts - All user/computer members (direct and
indirect) are copied from the selected groups to the Members pane in the Group
Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
8. To remove members, select them from the list and click Remove.

Note: If you click Back and change the group scope or type, the members you already
selected will be removed from the list.

9. Click Next. The Excluded Users and Groups dialog box is displayed, with a list of exceptions
of users\groups that cannot be added.

• Excluded Account - The name of the excluded user\group.


• Reason - The reason for the exclusion.

Note: Reasons for possible exclusion are:


• For groups - Group type mismatch or untrusted domain
• For users - A user from an untrusted domain, or a user that cannot be added to global
and universal groups

To remove a user/group from the list, do as follows:

a. Select a user or group.


b. Click OK. The user or group is now removed from the Members window.
10. Click Next. The Permissions page is displayed.

11. Select the required Allow and Deny permissions.


12. To define special permissions and advanced settings, click Advanced. The Advanced
Security Properties dialog box is displayed.

a. To add a permission entry to the entity, click Add and define the permissions as relevant.
b. To edit an existing permission entry:
1. Click Edit. The Permission Entry For dialog box is displayed.

2. From the Apply to drop-down list, select the objects to which the permissions will be
applied.
3. To apply these permissions to objects or containers within the current container,
select the relevant checkbox at the bottom of the dialog box.

4. To clear all permissions, select Clear All.


5. Click OK.
c. To remove a permission entry, select the relevant entry and click Remove.
d. Click OK.
The Advanced Security Properties dialog box is closed.
13. Click Next.
The Summary page is displayed.

14. After you have reviewed your work, click Execute to create the group.

15. Select the Commit these changes option to commit the changes immediately and click Finish.

16. (Optional) Commit the changes.

Note: You may be required to provide your credentials before the Commit dialog box is
displayed.

Note: If the folder has inconsistent ACLs, the Commit these changes option is disabled.

Adding Users or Groups to Directories and Files


This activity may only be performed for directories located on Windows machines.

To add a user or group to a directory or file:

1. Select the Work Area.


2. In the Directories pane, right-click the directory or file to which you want to add a user or
group.
3. From the context menu, select Add Permission. The Directory Services Search dialog box is
displayed.

4. Select the entity (user or group) to receive permission for the directory or file.
5. Click OK.
The Directory Services Search dialog box is closed, and the entities are granted minimum
permissions for the directory or file:
• R - Read. The user or group may read from the directory or file
• X - Execute. The user or group may execute files in the directory or file
6. Edit the permissions as necessary.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the virtual
sandbox.
7. Synchronize the system.

Locating Mailbox Owners


To locate a mailbox's owner:

1. Select the Work Area.


2. In the Directories pane, right-click the relevant mailbox.
3. From the context menu, select Locate Mailbox Owner.
The owner is identified and displayed in the Recommended Users & Groups pane.

4. Edit the permissions as necessary.


• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the virtual
sandbox.
5. Synchronize the system.

Locating Directory Service Objects in the Users & Groups Pane


To locate a directory service object in the Users & Groups pane:

1. Select the Work Area.


2. In the Directories pane, right-click the relevant directory service object.
3. From the context menu, select Locate in Users' Pane.
The user or group is identified and displayed in the Recommended Users & Groups pane.

Creating a Folder Automatically Recognized by DatAdvantage


It is possible to create a folder that will be automatically recognized by DatAdvantage without the
need to run the FileWalk and PullWalk jobs, and can be used immediately. It will be displayed as
virtual in the sandbox until it is committed.

1. In the Work Area, right-click the folder for which you want to create a sub-folder, and select
Create New Folder.
The Create New Folder dialog box is displayed. Note that Parent folder path is already
populated according to the folder you selected.

2. Do as follows:
• Parent folder path - Browse for the parent folder of the folder that you are creating, or
accept the default.
• Folder name - The name of the folder that you are creating.
• Share Folder - Select whether to share the folder. If so, the share will have the same name
as the folder. Additionally, the share will be created with the Everyone group with full
control permissions.
• Commit these changes - Select to commit the changes.
• Cancel - Leave the process without saving any changes.

3. Click OK.
The new folder is displayed in the Work Area, in sandbox mode.

Managing Permission Flags


Permissions for directories and files are categorized by three types of flags:
• Protected - A protected directory or file does not inherit any permissions from its parent. Its
icon is decorated with a lock.
• Unique - A unique directory or file has both inherited permissions and other permissions
defined specifically for it. If an object has effectively different permissions than its parent
permissions, it is designated as "distinguished unique". Both unique and distinguished unique
objects are marked with a person image.
• Inherited - An inherited directory or file only inherits permissions from its parent. It has no
special permissions of its own. Its icon is not decorated with anything.

Adding Protection to a Directory or File


DatAdvantage enables you to change a permission flag from Unique or Inherited to Protected.
This means the link between the directory or file and its parent is broken, and changes to the
parent's permissions no longer affect the child. However, you may choose to preserve existing
permissions when you change a permission flag to Protected.

The changes take effect when you commit them to the environment.

Note:
• In addition to the method described here, you can also change a folder with inherited
permissions to Protected by removing any of the inherited permissions. If you do so, a
confirmation message is displayed, enabling you to change the folder to Protected before
removing the permissions.

To add protection to a directory or file:

1. Select the Work Area.


2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Add Protection to Directory.
The following message is displayed:

You are about to change this directory to be protected. Do you
want to copy permissions from the current parent directory?

Note: Use this command for files as well.

4. Click the relevant button in the message:


• Yes - To preserve the inherited permissions but break the link with the parent entity.
• No - To define unique permissions and break the link with the parent entity.

The entity's icon is decorated with a lock to indicate it is protected. The Recommended Users
and Groups list is updated accordingly.
5. Synchronize the system.
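
The three permission flags and the Yes/No choice in the Add Protection message can be read directly off a folder's DACL in SDDL form. The following is an added example, not code from this guide or from Varonis: it assumes the dialog follows standard Windows inheritance semantics, and the SDDL strings and the SID are constructed sample values.

```python
import re
from typing import NamedTuple


class Ace(NamedTuple):
    ace_type: str   # "A" = allow, "D" = deny
    flags: tuple    # two-letter ACE flags, e.g. ("OI", "CI", "ID")
    rights: str     # e.g. "FA" (full access) or a hex access mask
    trustee: str    # SID or SDDL alias such as "BA" (Administrators)

    @property
    def inherited(self):
        return "ID" in self.flags   # ID marks an ACE inherited from the parent

    def to_sddl(self):
        # File ACEs leave the two object-GUID fields empty.
        return "(%s;%s;%s;;;%s)" % (
            self.ace_type, "".join(self.flags), self.rights, self.trustee)


# "D:" + optional control flags (P = protected) + zero or more ACEs.
_DACL = re.compile(r"D:((?:AR|AI|P)*)((?:\([^()]*\))*)")


def parse_dacl(sddl):
    """Return (protected, [Ace, ...]) for the DACL of an SDDL string."""
    match = _DACL.search(sddl)
    if match is None:
        raise ValueError("SDDL string has no DACL (D:) component")
    protected = "P" in re.findall(r"AR|AI|P", match.group(1))
    aces = []
    for raw in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = raw.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % raw)
        flags = tuple(fields[1][i:i + 2] for i in range(0, len(fields[1]), 2))
        aces.append(Ace(fields[0], flags, fields[2], fields[5]))
    return protected, aces


def permission_flag(sddl):
    """Map a DACL to the guide's Protected / Unique / Inherited flag."""
    protected, aces = parse_dacl(sddl)
    if protected:
        return "Protected"
    # Assumption: any explicit ACE on an unprotected object makes it Unique.
    if any(not ace.inherited for ace in aces):
        return "Unique"
    return "Inherited"


def add_protection(sddl, copy_parent_permissions):
    """Model the Add Protection choice: Yes (True) keeps the inherited ACEs
    as explicit entries, No (False) drops them. Explicit ACEs always stay."""
    _, aces = parse_dacl(sddl)
    kept = []
    for ace in aces:
        if not ace.inherited:
            kept.append(ace)
        elif copy_parent_permissions:
            kept.append(ace._replace(
                flags=tuple(f for f in ace.flags if f != "ID")))
    return "D:P" + "".join(ace.to_sddl() for ace in kept)


def allowed_trustees(sddl):
    """Trustees that hold at least one allow ACE in the DACL."""
    return {ace.trustee for ace in parse_dacl(sddl)[1] if ace.ace_type == "A"}


# Constructed samples: a purely inherited folder, and one with an extra
# explicit Modify ACE for a made-up group SID.
INHERITED_SDDL = "O:BAG:DUD:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
UNIQUE_SDDL = ("O:BAG:DUD:AI(A;OICI;0x1301bf;;;S-1-5-21-1-2-3-1104)"
               "(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)")

if __name__ == "__main__":
    for name, sddl in (("inherited", INHERITED_SDDL), ("unique", UNIQUE_SDDL)):
        print(name, "->", permission_flag(sddl))
        for choice in (True, False):
            result = add_protection(sddl, choice)
            print("  Yes" if choice else "  No ", result,
                  sorted(allowed_trustees(result)))
```

Choosing No on a folder that has only inherited permissions leaves an empty DACL, so review the resulting entries before committing.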

Removing Protection from Directories and Files


DatAdvantage enables you to change a permission flag from Protected to Inherited. This
means a link is created between the directory or file and its parent, and changes to the parent's
permissions affect the child. However, you may choose to preserve existing unique permissions
when you change a permission flag to Inherited.

To remove protection from a directory or file:

1. Select the Work Area.


2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Remove Protection from
Directory. The following message is displayed:

You are about to remove the protection flag from this directory.
Do you want to leave existing unique permissions?

Note: Use this command for files as well.

4. Click the relevant button in the message:


• Yes - To preserve existing unique permissions but create a link with the parent entity.
• No - To let the directory inherit all permissions from the parent entity.

The lock decorating the entity's icon is removed. The Recommended Users and Groups list is
updated accordingly.
5. Synchronize the system.

Removing Non-Inherited Permissions from Directories and Files


DatAdvantage enables you to change a permission flag from Unique to Inherited. This means the
directory or file inherits all permissions from its parent.

To remove non-inherited permissions from a directory or file:

1. Select the Work Area.


2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Remove Non-inherited
Permissions. The following message is displayed:

You are about to remove this directory's uniqueness. The directory
will inherit parent permissions that apply to child entities. Are
you sure?

Note: Use this command for files as well.

4. Click the relevant button in the message:


• Yes - To remove all unique permissions from the entity. Changes to the parent entity's
permissions affect the directory or file.
• No - To preserve unique permissions for the entity.

The person image decorating the entity's icon is removed. The Recommended Users and
Groups list is updated accordingly.
5. Synchronize the system.

Managing Users and Groups

Creating Groups
Before your first use of the Group Creation Wizard, configure the relevant settings on the Group
Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.
To create a new group:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Select Account Management > Create Group.
The Group Creation Wizard is displayed.

4. On the New Group page of the wizard, set the following properties for the group you want to
create:
• Group path - Select the domain or OU in which to create the new group.
• Group name - Define a name for the new group.
• Group name (pre-Windows 2000) - If necessary, define the SAM account name for the
new group. Automatically populated when the Group name field is populated.
• Description - Enter a free-text description of the group, up to 1024 characters.
• Group scope - Determine the scope of the new group.

Note: This pane is only visible for Active Directory 2000 and higher.

• Domain local - A domain local group is a security or distribution group that can contain
universal groups, global groups, other domain local groups from its own domain, and
accounts from any domain in the forest. You can give domain local security groups
rights and permissions on resources that reside only in the same domain in which the
domain local group is located.
• Global - A global group is a group that can be used in its own domain, in member
servers and in workstations of the domain, and in trusting domains. In all those
locations, you can give a global group rights and permissions and the global group can
become a member of local groups. However, a global group can contain user accounts
that are only from its own domain.
• Universal - A universal group is a security or distribution group that contains users,
groups, and computers from any domain in its forest as members. You can give
universal security groups rights and permissions on resources in any domain in the
forest. Universal groups are not supported for Windows 2000.
• Group type - Determine whether the group is a security group or a distribution group.

Note: Since distribution groups cannot be granted permissions, the distribution
group option is only available if the wizard is started from the Recommended Users
and Groups pane.

5. Click Next.
The Members page is displayed.

6. To add members to the group, click Add and search for the required users in the Directory
Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

7. For advanced options in adding members to the group, click Advanced Options to open the
Directory Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

8. Use the functionality to search for users from other groups and then select one of the
following options in the Select which accounts are added area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members to
the new group and will be shown in the Members pane in the Group Creation Wizard.
• All nested user and computer accounts - All user/computer members (direct and indirect)
are copied from the selected groups to the Members pane in the Group Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
9. To remove members, select them from the list and click Remove.

Note: If you click Back and change the group scope or type, the members you already
selected will be removed from the list.

10. Click Next. The Excluded Users and Groups dialog box is displayed, with a list of exceptions
of users\groups that cannot be added.

• Excluded Account - The name of the excluded user\group.


• Reason - The reason for the exclusion.

Note: Reasons for possible exclusion are:


• For groups - Group type mismatch or untrusted domain
• For users - A user from an untrusted domain, or a user that cannot be added to global
and universal groups

To remove a user/group from the list, do as follows:

a. Select a user or group.


b. Click OK. The user or group is now removed from the Members window.
11. Click Next.
The Summary page is displayed.

12. After you have reviewed your work, click Execute to create the group.

Deleting Groups
You can delete groups from the Recommended Users and Groups pane, according to the
following guidelines:
• Only Active Directory and local host groups can be deleted.
• Abstract and built-in groups cannot be deleted.
• Rollback is not supported. Once a group is deleted, the same group with the same SID cannot
be recreated with the original permissions.

To delete a group:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Right-click the relevant group and select Account Management > Delete Group.
A confirmation dialog box is displayed.
4. In the confirmation dialog box, click the relevant button:
• Delete - Click to save the delete operation without committing the change to Active
Directory.
• Delete and Commit - Click to delete the group and commit the deletion right away to
Active Directory.
• This button is not available for groups that have never been committed to Active
Directory.
• If you close the Commit window without actually committing the deletion, you can
restore the group by right-clicking it and selecting Restore Group.

Adding Users to Groups

Note: You cannot add Azure Active Directory users to groups.

To add a user to a group:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Parent view.
4. Locate the required group.
5. Right-click the group, and from the context menu, select Add Members. The Active Directory
Search dialog box is displayed.
6. Select the user you want to add to the group.
7. Synchronize the system.

Removing Users from Groups


To remove a user from a group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Parent view.
4. Locate the required group.
5. Under the group, right-click the relevant user, and from the context menu, select Remove
Child. The user is marked with a red X.
6. Synchronize the system.

Restoring Relationships between Users and Groups


If you have removed a child object from a group but have not yet committed the change, you can
easily restore the relationship between the two entities.

To restore a relationship between a user and a group:

1. Locate the required child object.


2. Right-click the entity and select Restore Relationship.
3. Synchronize the system.

Restoring Recommendations to Remove Users from Groups


The Restore Recommendation procedure is used to reinstate a rejected recommendation from the
IDU Analytics engine to delete a user from a group.

To restore a recommendation to remove a user from a group:

1. Locate the required entity.


2. Right-click the entity and select Restore Recommendation.
The red negate icon is replaced by a red X. The recommendation to remove a user is
restored.
3. Synchronize the system.

Adding Group Membership to Users


To add a group to a user:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Child view.
4. Locate the required user.
5. Right-click the user, and from the context menu, select Add Group Membership. The Active
Directory Search dialog box is displayed.
6. Select the group to be added to the user's definition.
7. Synchronize the system.

Removing Group Membership from Users


To remove group membership from a user:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Child view.
4. Locate the required user.
5. Under the user, right-click the relevant group, and from the context menu, select Remove
Parent. The group is marked with a red X.
6. Synchronize the system.

Locating an Entity's Mailboxes


To locate the mailboxes related to a particular entity:

Note:
• This procedure cannot be performed on distribution groups.
• You cannot view the mailboxes of synchronized cloud users or groups if you have
selected to display only entities from the Azure domain in the Users & Groups pane. In this
case, to view the mailboxes related to a synchronized cloud user or group, you must first
locate the domain user or group. For more information, see Locating Domain Users and
Groups.

1. Select the Work Area.


2. In the relevant Users and Groups list, locate the entity whose mailbox you want to work with.
3. Right-click the entity and select Locate Mailboxes from the context menu.
The entity's mailboxes are displayed in the Directories pane.
4. Edit the permissions as necessary.
• The changes you make are marked in green and red, to indicate added and removed
permissions respectively.
• Each change you make automatically results in changes to other permissions in the virtual
sandbox.
5. Synchronize the system.

Locating Domain Users and Groups


You can locate the domain user or group of objects synchronized to Azure Active Directory. The
user or group is then identified and displayed as a domain object in the Users & Groups pane.

This procedure can be performed in order to retrieve the permissions or mailboxes of
synchronized cloud users and groups displayed in the Users & Groups pane. This option is
available only if you have selected to display only users or groups from the Azure domain in the
Users & Groups pane.

To locate a domain user or group:

1. Select the Work Area.


2. In the Users & Groups pane, right-click the relevant synchronized user or group. Synchronized
objects are marked as Synced.

Note: The user list must be filtered to display only users or groups from the Azure
domain. For instructions, see Viewing Azure Active Directory Objects in the Users &
Groups Pane.

3. To locate the domain user that was synchronized to Azure Active Directory, from the context
menu, select Locate Domain User.
4. To locate the domain group that was synchronized to Azure Active Directory, from the context
menu, select Locate Domain Group.
The domain user or group is identified and displayed in the Recommended Users & Groups
pane.

Creating a User Account


To create a user account:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Create User.
The Create User dialog box is displayed.

3. Set all properties as required on each tab and click OK when finished.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click OK.
The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
8. Click Close.

Setting General User Properties


To set general user properties:

1. Select the General tab.


The General tab is displayed.

2. Click the Browse button next to the Path text box to select the organizational unit in which the
user will be created from the Organizational Unit dialog box.
The path is the organizational unit or domain in which the user is created.
3. Enter the user's first name.
4. Enter the user's last name.
5. Enter the user's initials (maximum 6 characters).
6. Enter the user's full name (mandatory field).
7. Enter the user's display name (maximum 20 characters).
8. Enter the user's logon name (mandatory field).
9. Enter the user's logon name (pre-Windows 2000). This is a mandatory field.
10. Enter the user's Email address.
11. If there are comments, enter them in the Description text box.

Setting User Account Properties


To set user account properties:

1. Select the Account tab.


The Account tab is displayed.

2. In the Password area, enter the user's password according to the configured password policy.
a. Select Auto-generate Password if you want to use an automatically generated password.
b. To enter a password of your choice, select Type a Password. Enter and confirm the
password (mandatory fields).
c. Tick the User must change password at next logon checkbox to select this option.
d. Tick the User cannot change password checkbox to select this option.
e. Tick the Password never expires checkbox to select this option.
3. In the Account area, select the date on which the account expires.
a. If the account never expires, select Never.
b. If the account expires on a specific date, select End of and select the date from the
calendar.
4. Select the relevant options for configuring the account:
• Account is disabled
• Store password using reversible encryption
• Smart card is required for interactive logon
• Account is trusted for delegation (Win 2000/2003)
• Account is sensitive and cannot be delegated
• Use Kerberos DES encryption types for this account
• This account supports Kerberos AES 128-bit encryption (Win 2008, 2008R2 and higher)
• This account supports Kerberos AES 256-bit encryption (Win 2008, 2008R2 and higher)
• Do not require Kerberos pre-authentication
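
Most of the checkboxes above are stored as bits of the account's userAccountControl attribute, and the two AES options as bits of msDS-SupportedEncryptionTypes, so an exported account list can be reviewed for options that weaken authentication. This is an added example, not part of the guide or of DatAdvantage: the bit values are the Microsoft-documented constants, the account records are constructed, and the choice of which options to report is this example's assumption.

```python
# userAccountControl bits, labelled with the checkbox text used in this guide.
UAC_OPTIONS = [
    (0x000002, "Account is disabled"),
    (0x000080, "Store password using reversible encryption"),
    (0x010000, "Password never expires"),
    (0x040000, "Smart card is required for interactive logon"),
    (0x080000, "Account is trusted for delegation"),
    (0x100000, "Account is sensitive and cannot be delegated"),
    (0x200000, "Use Kerberos DES encryption types for this account"),
    (0x400000, "Do not require Kerberos pre-authentication"),
]

# msDS-SupportedEncryptionTypes bits for the two AES checkboxes.
AES128, AES256 = 0x08, 0x10
ENC_OPTIONS = [
    (AES128, "This account supports Kerberos AES 128-bit encryption"),
    (AES256, "This account supports Kerberos AES 256-bit encryption"),
]

ACCOUNT_DISABLED = 0x000002
# Assumption of this example: these options are the ones worth reporting.
WEAKENING = {0x000080, 0x010000, 0x080000, 0x200000, 0x400000}


def decode(uac, enc_types=0):
    """Return the checkbox labels that are ticked for the given attribute values."""
    labels = [label for bit, label in UAC_OPTIONS if uac & bit]
    labels += [label for bit, label in ENC_OPTIONS if enc_types & bit]
    return labels


def weak_options(uac, enc_types=0):
    """Return the ticked options that weaken authentication for one account."""
    weak = [label for bit, label in UAC_OPTIONS
            if bit in WEAKENING and uac & bit]
    # An explicit encryption-type list without either AES bit rules AES out.
    if enc_types and not enc_types & (AES128 | AES256):
        weak.append("No AES encryption type enabled")
    return weak


def audit(records):
    """Map account name -> weak options, skipping disabled accounts."""
    findings = {}
    for rec in records:
        # LDAP exports deliver these attributes as decimal strings.
        uac = int(rec["userAccountControl"])
        enc = int(rec.get("msDS-SupportedEncryptionTypes") or 0)
        if uac & ACCOUNT_DISABLED:
            continue
        weak = weak_options(uac, enc)
        if weak:
            findings[rec["sAMAccountName"]] = weak
    return findings


# Constructed sample export (0x200 = normal user account is set on each).
SAMPLE_EXPORT = [
    {"sAMAccountName": "j.doe", "userAccountControl": "512",
     "msDS-SupportedEncryptionTypes": "24"},
    {"sAMAccountName": "svc-backup", "userAccountControl": "4260352"},
    {"sAMAccountName": "legacy-app", "userAccountControl": "2097792",
     "msDS-SupportedEncryptionTypes": "3"},
    {"sAMAccountName": "old-admin", "userAccountControl": "524802"},
]

if __name__ == "__main__":
    for name, options in audit(SAMPLE_EXPORT).items():
        print(name)
        for option in options:
            print("  -", option)
```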

Defining Mailbox Settings

Note: This section applies to Exchange 2010 only.

Note: To enable creating mailboxes from within DatAdvantage, basic authentication must
be enabled on the Exchange server through the IIS manager. See Metadata Framework
Installation Guide for details.

To define mailbox settings:

1. Select the Mailbox Settings tab.


The Mailbox Settings tab is displayed.

2. In the Mailbox Settings pane, set the following:


• Create mailbox (Exchange 2010 only) - Select to create the new mailbox and define its
details.
• Exchange Server - Enter the name or IP address of the Exchange Server on which the
mailbox will be created. The Exchange Server and the user must reside in the same
domain.
• Alias - If needed, enter an alias for the user name (mail prefix) that was entered in the
General tab.
3. In the Database and Policies pane, set the following:
• Credentials - Click to enter the credentials required to retrieve mailbox policy information.
• Mailbox database - The database with which the mailbox is associated.
• Retention policy - The policy according to which the mailbox is archived.
• ActiveSync mailbox policy - The policy that determines whether the user can use
ActiveSync to connect and retrieve information from the mailbox.
• Address book policy - The policy that determines whether the user can connect to and
retrieve information from the address book.

4. In the Archive Settings pane, set the following:


• Do not create an archive - Select if you do not want to archive the mailbox.
• Create a local archive - Select this option to choose the database in which to install the
local archive. If it is not selected, the archive is installed in a random database.
• Archive mailbox database - The database in which the archive is created. This need not
be the same as the database in which the mailbox is installed.
5. Select Remember these settings as a default to start with these settings each time you create
a new mailbox.
6. Click OK.

Setting Additional User Properties


Define the values for additional properties.

To set additional user properties:

1. Select the Additional Properties tab.


The Additional Properties tab is displayed.

2. To add properties, open the Management Console and select Configuration > Active
Directory Properties.

Setting Group Membership


The user must have a Primary Group defined.

The Domain users group is added automatically and set as the Primary Group. It is possible to set
a different group as the Primary Group if you want to remove the original one.

Note: There is no need to change the Primary Group unless you have Macintosh clients or
POSIX-compliant applications. Only a Domain group whose scope is global or universal can
be set as the Primary Group.

To add a user to a group:

1. Select the Member Of tab.


The Member Of tab is displayed.

Note: A path must be configured on the General tab. The path is the organizational unit
or domain in which the user will be created.

2. To add the required groups, click Add to select the group from the dialog box.
The group is added to the group list.
3. To remove a group, select the group and click Remove.

Editing a User Account


To edit a user account:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the user and select Account Management > Edit.
The Edit User dialog box is displayed.

3. Select the tab and make the necessary changes. Enter all required properties.
4. Click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK.
The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped

8. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
9. Click Close.

Copying a User Account


To copy a user account:

1. In the Recommended Users and Groups pane, right-click the entity.


2. Select Account Management > Copy.
The Copy User dialog box is displayed.

3. Select each tab in turn and enter the necessary information. See the instructions for the other
tabs for more information.
4. On the Member Of tab, click Remove All Recommendations.
5. Click OK.
6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK.
The Action Processing dialog box is displayed.

8. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
9. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
10. Click Close.

Creating Groups
Before your first use of the Group Creation Wizard, configure the relevant settings on the Group
Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.
To create a new group:

1. Select the Work Area.


2. Select the Recommended Users and Groups pane on the right.
3. Select Account Management > Create Group.
The Group Creation Wizard is displayed.

4. On the New Group page of the wizard, set the following properties for the group you want to
create:
• Group path - Select the domain or OU in which to create the new group.
• Group name - Define a name for the new group.
• Group name (pre-Windows 2000) - If necessary, define the SAM account name for the
new group. Automatically populated when the Group name field is populated.
• Description - Enter a free-text description of the group, up to 1024 characters.
• Group scope - Determine the scope of the new group.

Note: This pane is only visible for Active Directory 2000 and higher.

• Domain local - A domain local group is a security or distribution group that can contain
universal groups, global groups, other domain local groups from its own domain, and
accounts from any domain in the forest. You can give domain local security groups
rights and permissions on resources that reside only in the same domain in which the
domain local group is located.
• Global - A global group is a group that can be used in its own domain, in member
servers and in workstations of the domain, and in trusting domains. In all those
locations, you can give a global group rights and permissions and the global group can
become a member of local groups. However, a global group can contain user accounts
that are only from its own domain.
• Universal - A universal group is a security or distribution group that contains users,
groups, and computers from any domain in its forest as members. You can give
universal security groups rights and permissions on resources in any domain in the
forest. Universal groups are not supported for Windows 2000.
• Group type - Determine whether the group is a security group or a distribution group.

Note: Since distribution groups cannot be granted permissions, the distribution
group option is only available if the wizard is started from the Recommended Users
and Groups pane.

5. Click Next.
The Members page is displayed.

6. To add members to the group, click Add and search for the required users in the Directory
Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

7. For advanced options in adding members to the group, click Advanced Options to open the
Directory Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

8. Use the functionality to search for users from other groups and then select one of the
following options in the Select which accounts are added area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members to
the new group and will be shown in the Members pane in the Group Creation Wizard.
• All nested user and computer accounts - All user/computer members (direct and indirect)
are copied from the selected groups to the Members pane in the Group Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
9. To remove members, select them from the list and click Remove.

Note: If you click Back and change the group scope or type, the members you already
selected will be removed from the list.

10. Click Next. The Excluded Users and Groups dialog box is displayed, listing the
users\groups that cannot be added.

• Excluded Account - The name of the excluded user\group.


• Reason - The reason for the exclusion.

Note: Reasons for possible exclusion are:


• For groups - Group type mismatch or untrusted domain
• For users - A user from an untrusted domain, or a user cannot be added to global
and universal groups

To remove a user/group from the list, do as follows:

a. Select a user or group.


b. Click OK. The user or group is now removed from the Members window.
11. Click Next.
The Summary page is displayed.

12. After you have reviewed your work, click Execute to create the group.

Add Members of an Existing Group to Another Existing Group
This feature enables users to add the members of another group (either its direct members or
all of its nested users\computers) to an existing group.

1. From the Recommended Users and Groups pane, right-click the group to which you want
to add the members of another group as members, and select Account Management >
Advanced Membership.
The Directory Services Search dialog box is displayed.
2. Use the functionality to search for users from other groups and then select one of the
following options in the Select which accounts are added area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members to
the group in the Recommended Users and Groups pane.
• All nested user and computer accounts - All user/computer members (direct and indirect)
are copied from the selected groups to the group in the Recommended Users and Groups
pane.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the group in the Recommended
Users and Groups pane.
3. Click OK when done.
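
The three options in the Select which accounts are added area (offered by both the Group Creation Wizard and Advanced Membership) produce different direct member lists from the same selection. The following Python sketch is an added example, not DatAdvantage code: the directory is a constructed dictionary, the mode and function names are hypothetical, and it assumes that selected users pass through unchanged in every mode and that first-level copying includes direct members of any type.

```python
from collections import deque

# Constructed sample directory: group -> direct members. Any name that is not
# a key is treated as a user or computer account.
DIRECTORY = {
    "CORP\\Finance": ["CORP\\alice", "CORP\\FinanceAdmins", "CORP\\FIN-PC01$"],
    "CORP\\FinanceAdmins": ["CORP\\bob", "CORP\\Auditors"],
    "CORP\\Auditors": ["CORP\\carol", "CORP\\Finance"],  # circular nesting
}
MODES = ("all_selected", "nested", "first_level")  # hypothetical mode names


def flatten(group, directory):
    """Return every user/computer account under `group`, direct or indirect."""
    accounts, seen, queue = [], {group}, deque([group])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if member in directory:        # member is itself a group
                if member not in seen:     # guard against circular nesting
                    seen.add(member)
                    queue.append(member)
            elif member not in accounts:
                accounts.append(member)
    return accounts


def resolve_members(selection, mode, directory):
    """Return the direct members the target group would receive."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    result = []
    for entity in selection:
        if mode == "all_selected" or entity not in directory:
            candidates = [entity]                    # added as-is
        elif mode == "nested":
            candidates = flatten(entity, directory)  # accounts only, all levels
        else:
            candidates = directory[entity]           # first-level children
        for candidate in candidates:
            if candidate not in result:
                result.append(candidate)
    return result


def effective_accounts(members, directory):
    """Accounts that end up with the group's access once nesting is resolved."""
    effective = set()
    for member in members:
        if member in directory:
            effective.update(flatten(member, directory))
        else:
            effective.add(member)
    return effective


if __name__ == "__main__":
    selection = ["CORP\\Finance", "CORP\\dave"]
    for mode in MODES:
        members = resolve_members(selection, mode, DIRECTORY)
        print(f"{mode:13} direct={members}")
        print(f"{'':13} effective={sorted(effective_accounts(members, DIRECTORY))}")
```

All three modes give the same effective accounts at the moment of the copy. They diverge later: a member list built in nested mode is a fixed snapshot, while one that still contains group objects follows subsequent changes to those groups.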

Deleting User and Computer Accounts


There are two methods for deleting user and computer accounts:
• Through the Account Management button
• Through the context menu

Deleting Users and Computers through the Account Management Button


To delete accounts through the Account Management button:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Delete User/Computer.
The Delete User/Computer dialog box is displayed.

3. Select the relevant option:


a. To select a user account from the Directory Services Search dialog box, click Select
accounts and click the Browse button.
b. To select multiple user accounts from a CSV file, click Import accounts list from and click
the Browse button.

Note: Characters are case-sensitive.

CSV files take the following format:


• Record format: Domain\User logon name (pre-Windows 2000).
• Records must be delimited by a new line.
• The domain name may be in either FQDN or NetBIOS format.
• The LDAP property name of User logon name (pre-Windows 2000) is the SAM
Account name.
4. Click Yes to proceed.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK.
The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
8. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
9. Click Close.
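
An account list prepared for Import accounts list from can be checked against the record format above before it is used in a bulk action such as Delete User/Computer. The following Python sketch is an added example, not part of DatAdvantage: the 20-character logon-name limit, the 15-character NetBIOS limit and the illegal-character sets are Active Directory naming rules assumed here, and the function names and sample records are constructed.

```python
import re

SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in a SAM account name
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')
SAM_MAX_LEN = 20                           # pre-Windows 2000 logon name limit (assumed)
NETBIOS_MAX_LEN = 15
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def domain_problem(domain):
    """Return a reason string if the domain part is malformed, else None."""
    if not domain:
        return "empty domain"
    if "." in domain:  # contains a dot: treat as FQDN
        labels = domain.split(".")
        if len(domain) > 253 or not all(DNS_LABEL.match(label) for label in labels):
            return "malformed FQDN domain"
        return None
    if len(domain) > NETBIOS_MAX_LEN:
        return "NetBIOS domain longer than 15 characters"
    if any(c in NETBIOS_FORBIDDEN or c.isspace() for c in domain):
        return "illegal character in NetBIOS domain"
    return None


def sam_problem(sam):
    """Return a reason string if the logon name is malformed, else None."""
    if not sam:
        return "empty logon name"
    if len(sam) > SAM_MAX_LEN:
        return "logon name longer than 20 characters"
    bad = sorted(c for c in set(sam) if c in SAM_FORBIDDEN)
    if bad:
        return "illegal character(s) in logon name: " + " ".join(bad)
    return None


def record_problem(raw):
    """Check one line against the Domain\\User logon name record format."""
    if raw != raw.strip():
        return "leading or trailing whitespace"
    if raw.count("\\") != 1:
        return "expected exactly one backslash (Domain\\User logon name)"
    domain, sam = raw.split("\\")
    return domain_problem(domain) or sam_problem(sam)


def validate_account_list(text):
    """Return (accepted records, [(line number, record, reason), ...])."""
    accepted, rejected = [], []
    seen_exact, seen_folded = {}, {}
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no record
        reason = record_problem(raw)
        if reason is None and raw in seen_exact:
            reason = f"duplicate of line {seen_exact[raw]}"
        elif reason is None and raw.casefold() in seen_folded:
            # The import is case-sensitive, so a case-only variant is likely a typo.
            reason = f"differs only in case from line {seen_folded[raw.casefold()]}"
        if reason:
            rejected.append((lineno, raw, reason))
            continue
        seen_exact[raw] = lineno
        seen_folded[raw.casefold()] = lineno
        accepted.append(raw)
    return accepted, rejected


# Constructed sample file: one record per line, mixing valid and invalid entries.
SAMPLE = r"""CORP\jsmith
corp.example.com\adavis
CORP\JSmith
CORP\jsmith
jsmith@corp.example.com
CORP\bad,name
CORP\averyveryverylongaccountname
 CORP\mlee
CORP\WKSTN-0142$
"""

if __name__ == "__main__":
    ok, bad = validate_account_list(SAMPLE)
    print("accepted:", ok)
    for lineno, raw, reason in bad:
        print(f"line {lineno}: {raw!r}: {reason}")
```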

Deleting User and Computer Accounts through the Context Menu


To delete accounts through the context menu:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Delete User/Computer.
A confirmation message is displayed.

Note: When selecting multiple entities, it is possible that not all entities are valid for this
action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.

3. Click Yes.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes.
The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
8. Click Close.

Resetting Passwords
There are two methods for resetting a password:
• Through the Account Management button
• Through the context menu

Resetting Passwords through the Account Management Button


To reset a password through the Account Management button:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Reset Password.
The Reset Password dialog box is displayed.

3. Select the relevant option:


a. To select a user account from the Directory Services Search dialog box, click Select
accounts and click the Browse button.
b. To select multiple user accounts from a CSV file, click Import accounts list from and click
the Browse button.

Note: Characters are case-sensitive.

CSV files take the following format:


• Record format: Domain\User logon name (pre-Windows 2000).
• Records must be delimited by a new line.
• The domain name may be in either FQDN or NetBIOS format.
• The LDAP property name of User logon name (pre-Windows 2000) is the SAM
Account name.
4. Enter the user's password according to configured password policy.
a. Select Auto-generate Password if you want to use an automatically generated password.
b. To enter a password of your choice, select Type a Password. Enter and confirm the
password (mandatory fields).
5. Tick the User must change password at next logon checkbox to select this option.
6. Tick the Unlock the user's account checkbox to select this option.
7. Click OK.
8. Enter the credentials of the user authorized to perform the commit action.
9. Click OK.
The Action Processing screen is displayed.

10. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
11. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
12. Click Close.

Resetting Passwords through the Context Menu


To reset a password through the context menu:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Reset Password.
The Reset Password dialog box is displayed.

3. Enter the user's password according to configured password policy.


a. Select Auto-generate Password if you want to use an automatically generated password.
b. To enter a password of your choice, select Type a Password. Enter and confirm the
password (mandatory fields).

4. Select one or both of the following options:


• Tick the User must change password at next logon checkbox to select this option.
• Tick the Unlock the user's account checkbox to select this option.
5. Click OK.

Note: When selecting multiple entities, it is possible that not all entities are valid for this
action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.

6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK.
The Action Processing screen is displayed.

8. To filter the processing results, select the relevant option:


• All
• Successful
• Failed
• Skipped
9. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
10. Click Close.

Unlocking User Accounts


There are two methods for unlocking user accounts:
• Through the Account Management button
• Through the context menu

Unlocking User Accounts through the Account Management Button


To unlock user accounts through the Account Management button:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Unlock.
The Unlock User dialog box is displayed.

3. Select the relevant option:


a. To select a user account from the Directory Services Search dialog box, click Select
accounts and click the Browse button.
b. To select multiple user accounts from a CSV file, click Import accounts list from and click
the Browse button.

Note: Characters are case-sensitive.

CSV files take the following format:


• Record format: Domain\User logon name (pre-Windows 2000).
• Records must be delimited by a new line.
• The domain name may be in either FQDN or NetBIOS format.
• The LDAP property name of User logon name (pre-Windows 2000) is the SAM
Account name.
4. Click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK.
The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
8. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
9. Click Close.

Unlocking User Accounts through the Context Menu


To unlock user accounts through the context menu:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Unlock.
The Unlock User dialog box is displayed.

Note: When selecting multiple entities, it is possible that not all entities are valid for this
action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.

3. Click OK.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes.
The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
8. Click Close.

Disabling and Enabling Entities


There are two methods for disabling and enabling users and computers:
• Through the Account Management button
• Through the context menu

Disabling and Enabling Entities through the Account Management Button


To disable or enable users or computers through the Account Management button:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Disable/Enable.
The Disable/Enable Account dialog box is displayed.

3. Select the relevant option:


a. To select a user account from the Directory Services Search dialog box, click Select
accounts and click the Browse button.
b. To select multiple user accounts from a CSV file, click Import accounts list from and click
the Browse button.

Note: Characters are case-sensitive.

CSV files take the following format:


• Record format: Domain\User logon name (pre-Windows 2000).
• Records must be delimited by a new line.
• The domain name may be in either FQDN or NetBIOS format.
• The LDAP property name of User logon name (pre-Windows 2000) is the SAM
Account name.
4. Select Disable or Enable and click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK.
The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
8. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
9. Click Close.

Disabling and Enabling Entities through the Context Menu


To disable or enable users and computers through the context menu:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Disable/Enable.
The Disable/Enable Account dialog box is displayed.

Note: When selecting multiple entities, it is possible that not all entities are valid for this
action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.

3. Select Disable or Enable and click OK.


4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes.
The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
8. Click Close.

Moving Entities
There are two methods for moving entities:
• Through the Account Management button
• Through the context menu

Entities can only be moved to another location within their current domain.

Moving Entities through the Account Management Button


To move users, computers and groups through the Account Management button:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Select Account Management > Move.
The Move Account dialog box is displayed.

3. Select the relevant option:


a. To select a user account from the Directory Services Search dialog box, click Select
accounts and click the Browse button.
b. To select multiple user accounts from a CSV file, click Import accounts list from and click
the Browse button.

Note: Characters are case-sensitive.

CSV files take the following format:


• Record format: Domain\User logon name (pre-Windows 2000).
• Records must be delimited by a new line.
• The domain name may be in either FQDN or NetBIOS format.
• The LDAP property name of User logon name (pre-Windows 2000) is the SAM
Account name.
4. Select the name of the Target Organizational Unit from the Browse button.
5. Click OK.
6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK.
The Action Processing dialog box is displayed.

8. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
9. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
10. Click Close.

Moving Entities through the Context Menu


To move users, computers and groups through the context menu:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and
Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Move.
The Move Account dialog box is displayed.

Note: When selecting multiple entities, it is possible that not all entities are valid for this
action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.

3. Select the target Organizational Unit from the Browse button.


4. Enter the credentials of the user authorized to perform the commit action.
5. Click OK.
The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
• All
• Successful
• Failed
• Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and
select the required export path.
8. Click Close.

About Synchronization
To conserve resources, the effects of manual changes are not automatically calculated across
the system. This means that changes remain visible, but the sandbox is not updated and no error
calculation occurs.

However, you can choose to synchronize your manual changes as necessary. The synchronization
process implements the manual changes in the virtual environment, so that erroneous
recommendations and the explanations provided in the Directories pane for removing permissions
are up to date.

When the system is not synchronized, the Status bar displays a message saying "Calculate Access
Errors".

In addition, the Errors pane does not display the most updated information.

Synchronizing Recommendations
To synchronize changes in the system:

1. On the Status bar, click the Calculate Access Errors message.


The Calculation of Access Errors dialog box is displayed.

2. Click the Calculate button. The synchronization process begins.

Note: Synchronization may take several minutes.

3. To refresh the Directories pane, double-click the entity that was changed.

Synchronizing Ownership with DataPrivilege


The synchronization engine enables maintaining complete synchronization between
DatAdvantage and DataPrivilege. The engine ensures that all managed objects and their owners
are copied to DataPrivilege, including all relevant configuration settings for domains and file
servers. If a domain or file server does not exist in DataPrivilege, the synchronization creates it.

DataPrivilege objects and owners are also synchronized to DatAdvantage for monitored
resources. However, if a file server managed in DataPrivilege does not exist in DatAdvantage,
the synchronization engine does not create it in DatAdvantage since this would require a full
installation procedure.

Synchronization is performed automatically in the following cases:


• Immediately after changes are made (added or removed) to entity ownership
• After the DatAdvantage pull job is run
• According to the schedule you define

However, if the previous synchronization ended with errors or conflicts, it may be necessary to
execute the Synchronization process manually.

To synchronize entity ownership with DataPrivilege:

1. Access the Ownership wizard:


• To synchronize multiple owners and entities, select Tools > Manage Ownership.
• To synchronize individual owners or entities, right-click the relevant owner or entity and
select Manage Ownership.
2. In the Ownership wizard, click Background Synchronization. The owners or entities are
synchronized with DataPrivilege.

About Synchronization and DataPrivilege Base Folders


A problem can occur if you have previously installed both DatAdvantage and DataPrivilege. If
base folders are defined separately in the two products and then the products are synchronized,
it may happen that the synchronization process tries to make a directory defined as a base folder
either the parent or the child of another directory defined as a base folder. Since by definition
a base folder must be the root and cannot have another base folder as its parent or child, the
synchronization process stops with an error.

If this happens, you must manually change one of the base folders so that it is no longer defined
as a base folder, and rerun the synchronization process.

About the Errors Pane


Sometimes IDU Analytics recommends that a user's permissions to a directory or file be removed,
but the user later accesses the entity. This means the recommendation to remove permissions
was made in error. That is, IDU Analytics has recommended removing a user's rights to files and
directories to which the user actually needs access. Such errors can also occur if an administrator
manually removes rights that are needed by a user or group.

By default, IDU Analytics looks back 120 days to make recommendations (this can be configured at
installation).

The Errors pane can be grouped by the following:


• Directory or file
• User or group
• Error Time - The time at which the error occurred (that is, the time at which the user or group
accessed the directory or file despite an existing recommendation to remove permissions).
• Removal cause - The reason why the error occurred.

Use the list as a reference to determine which rights can be removed without affecting users'
ability to access the data they need in order to do their work.

Immediately after IDU Analytics runs, no errors due to analysis are listed. If user behavior changes
between analyses, the unexpected behavior is reflected in the error list. Over time, the analysis
becomes more accurate as additional user behavior data is processed by subsequent runs of
IDU Analytics. This means the number of analysis errors (as opposed to manual editing errors)
decreases.

The system must be synchronized so that the Errors pane displays the most updated information.

Note: The tactical errors calculation is based on statistics collected for the previous IDU
Analytics period. If the statistics archive policy is shorter than the IDU Analytics period, then
the tactical errors calculation will be based only on statistics that are not archived.

Working with the Expected Access Errors Pane


DatAdvantage generates an access error on a user/computer when an editing command
removes the user's permissions to a specific folder. The removed permission can be either a
direct permission or the user's membership in a group with the specified permission. This action
causes users to lose permissions that they need according to the events they have performed.

Note:
If the removed permission has not been used by any event performed by the user during the
most recent IDU Analytics-defined period of time, no error will be generated.

Error details include:


• The current permission based on the existing set.
• The recommended permissions based on the admin set.
• The permissions required for the user based on the events performed during the most
recent IDU Analytics-defined period of time.

To work with the Expected Access Errors pane:

1. Select the Work Area or the Review Area.


2. In the Expected Access Errors pane, the erroneous recommendations are displayed.

Note: In the Review Area, the Expected Access Errors pane is automatically filtered by
the selected object.

3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need
quickly.
4. To view recommended permissions for entities, double-click the relevant directory or file in
the Errors tab to display the recommended permissions in the Directories pane.
5. Accept or reject the recommendations as required.

Note: If the Remove protection without unique permissions and Add protection with
copy permissions from parent commands are created on a folder together, only the
remove permission commands related to actual removed permissions are displayed. The
add permission commands that result from the add protection action are not seen. The
error is calculated only if the total effective permissions resulting from the remove and
add protection commands are not enough based on the events.

6. Refer to the following:


• File Server - The file server where the folder to which the user has access errors resides.
• Access Path - The path of the folder or the special file to which the user has an access
error.
• User/Computer - The name of the user/computer that has access errors to the folder.
• Current Effective Permissions - The current effective permission the user has on the
folder in Existing Set.
• Recommended Effective Permissions - The effective permission that the user has on the
folder in the Admin Set based on either all the commands in the Admin Set.
• Missing Permission Required by Events - The aggregated effective permission that the
users require based on the events they recently performed, and that they will no longer
have because of the editing commands (which cause the error) affecting the
permissions of the folder/file.
• Change Source - Change the sources by opening the Permission Sources window.
• Time of Error - The date and time when the access error was calculated (based on IDU
server time).

Fixing Directory Errors


To repair recommendation errors on a particular directory, the Group Creation wizard creates a
new group with maximal permissions for all entities having errors (users and computers). Only
users with the Commit/Edit role can create groups.

To fix recommendation errors for a directory:

1. Do one of the following:


• In the Work Area or Review Area, in Expected Access Errors, click Fix Directory Errors.
• In the Directories pane, right-click a folder having errors and select Auto-fix
Recommendation Errors.

The Group Creation Wizard is displayed.

2. On the New Group page of the wizard, set the following properties for the group you want to
create:
• Group path - Select the domain or OU in which to create the new group.
• Group name - Define a name for the new group.
• Group name (pre-Windows 2000) - If necessary, define the SAM account name for the
new group. Automatically populated when the Group name field is populated.
• Description - Enter a free-text description of the group, up to 1024 characters.
• Group scope - Determine the scope of the new group.

Note: This pane is only visible for Active Directory 2000 and higher.

• Domain local - A domain local group is a security or distribution group that can contain
universal groups, global groups, other domain local groups from its own domain, and
accounts from any domain in the forest. You can give domain local security groups
rights and permissions on resources that reside only in the same domain in which the
domain local group is located.
• Global - A global group is a group that can be used in its own domain, in member
servers and in workstations of the domain, and in trusting domains. In all those
locations, you can give a global group rights and permissions and the global group can
become a member of local groups. However, a global group can contain user accounts
that are only from its own domain.
• Universal - A universal group is a security or distribution group that contains users,
groups, and computers from any domain in its forest as members. You can give
universal security groups rights and permissions on resources in any domain in the
forest. Universal groups are not supported for Windows 2000.
• Group type - Determine whether the group is a security group or a distribution group.

Note: Since distribution groups cannot be granted permissions, the distribution
group option is only available if the wizard is started from the Recommended Users
and Groups pane.

3. Click Next.
The Fix Errors page is displayed.

4. To add members to the group, click Add and search for the required users in the Directory
Services Search dialog box.

Note: The entities available for selection are determined by the group scope you
defined earlier.

5. For advanced options in adding members to the group, click an option:


• Add members from other groups - (this option will only display groups) opens the Directory
Services Search dialog box.

Use the functionality to search for users from other groups and then select one of the
following options in the Select which accounts are added area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members
to the new group and will be shown in the Members pane in the Group Creation
Wizard.
• All nested user and computer accounts - All user/computer members (direct and
indirect) are copied from the selected groups to the Members pane in the Group
Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
• Add users or groups with existing permissions - Opens the Users/Groups with Existing
Permissions dialog box, which displays the existing permissions on the selected folder.
Select the users and groups from the Available Entities area for display in Selected
Entities. Then select one of the following options in the Select which accounts are added
area at the bottom:
• All selected accounts - All objects in Selected Entities will be added as direct members
to the new group and will be shown in the Members pane in the Group Creation
Wizard.
• All nested user and computer accounts - All user/computer members (direct and
indirect) are copied from the selected groups to the Members pane in the Group
Creation Wizard.
• Only the selected groups' first level child members - All selected users and direct group
members directly under the selected groups are copied to the Members pane in the
Group Creation Wizard.
6. To remove members, select them from the list and click Remove.

Note: If you click Back and change the group scope or type, the members you already
selected will be removed from the list.

7. Click Next. The Excluded Users and Groups dialog box is displayed, listing the
users and groups that cannot be added.
• Excluded Account - The name of the excluded user or group.
• Reason - The reason for the exclusion.

Note: Possible reasons for exclusion are:
• For groups - Group type mismatch or untrusted domain
• For users - A user from an untrusted domain, or a user cannot be added to global
and universal groups

To remove a user/group from the list, do as follows:

a. Select a user or group.
b. Click OK. The user or group is now removed from the Members window.
8. Click Next.
The Permissions page is displayed.


9. Select the required Allow and Deny permissions.


10. To define special permissions and advanced settings, click Advanced. The Advanced
Security Properties dialog box is displayed.


a. To add a permission entry to the entity, click Add and define the permissions as relevant.
b. To edit an existing permission entry:
1. Click Edit. The Permission Entry For dialog box is displayed.

2. From the Apply to drop-down list, select the objects to which the permissions will be
applied.
3. To apply these permissions to objects or containers within the current container,
select the relevant checkbox at the bottom of the dialog box.


4. To clear all permissions, select Clear All.


5. Click OK.
c. To remove a permission entry, select the relevant entry and click Remove.
d. Click OK.
The Advanced Security Properties dialog box is closed.
11. In the bottom pane, review the users and groups that will receive a different set of
permissions than what was previously granted them on the folder. Local members with errors
are excluded from the member list if the group path is set to a domain or an OU, not to the
required local host.
a. To remove a member from the new group, select the member and click Remove.
b. To remove all the members from the bottom pane, click Remove All.
c. To recalculate the members having errors that will receive different permissions, click
Restore List.
12. Click Next.
The Summary page is displayed.

13. After you have reviewed your work, click Execute to create the group.
14. Select the Commit these changes option to commit the changes immediately and click Finish.
15. (Optional) Commit the changes.

Note: You may be required to provide your credentials before the Commit dialog box is
displayed.



7 REVIEW AREA

The Review Area enables you to review the effects of the manual or recommended changes to
permissions on actual user activity. Use this view to test "what if" scenarios, prior to applying the
changes to the domain.

Sometimes IDU Analytics recommends that a user's permissions to a directory or file be removed,
but the user later accesses the directory. This means the recommendation to remove permissions
was made in error. That is, IDU Analytics has recommended removing a user's rights to files and
directories to which the user actually needs access. If the removal of permission were applied to
the domain, the user's work would be disrupted by the lack of permissions.

DatAdvantage identifies these errors by applying the modified permission set to past user
activity and examining the results. When a user's access to a resource would be denied due to a
recommended change in the user's permissions, the denial is flagged as an error and displayed in
both the Review Area and the Work Area.

Use the Review Area to identify such errors and eliminate them prior to applying changes to the
domain, to avoid potential disruption to work.

Before you begin to work with the Review Area, it is recommended that you synchronize the
system.

Note: Directory service permissions are not visible in the Review Area.

The Review Area comprises the following panes:


• Directories
• Graph
• Recommended Users and Groups
• Errors and Editing History


Understanding the Review Area


DatAdvantage displays permissions in this view in a number of ways, depending on whether the
entity you select (the current active entity) is a user, group or directory.

Current active entity: Recommended user or group

Permission indications:

Graph pane - Displays the following permissions for the selected user or group on the
selected directory or file, in the form of a pie chart:
• Unused - The percentage of directories the user or group did not access during the
time period that was analyzed. Color-coded yellow.
• Denied - The percentage of directories to which the user or group would have been
denied access during the time period that was analyzed. Color-coded red.
• Accessed - The percentage of directories the user or group accessed during the time
period that was analyzed. Color-coded green.
• Added - The percentage of directories to which the user's or group's permissions were
added during the time period that was analyzed. Color-coded light blue.
• Removed - The percentage of directories to which the user's or group's permissions
were removed during the time period that was analyzed. Color-coded gray.
Directories pane - Permissions on directories are color-coded in the same way as the
graph.

Current active entity: Directory

Permission indications:

Graph pane - Displays user and group permissions for the selected directory, with the
same options and color-coding as described above.
Recommended Users and Groups pane - Permissions are color-coded in the same way as
the graph.

Viewing Permission Status


The procedure for viewing permissions is the same throughout the Review Area.

To view the status of permissions a user or group has for a specific directory:

1. Select the Review Area.


2. In the Directories pane, locate the relevant entity.
3. In the Recommended Users and Groups list, locate the required entity.
4. Double-click the name of the relevant entity. The entity's permissions are displayed.

Synchronizing Recommendations
To synchronize changes in the system:

1. On the Status bar, click the Calculate Access Errors message.


The Calculation of Access Errors dialog box is displayed.


2. Click the Calculate button. The synchronization process begins.

Note: Synchronization may take several minutes.

3. To refresh the Directories pane, double-click the entity that was changed.

Working with the Expected Access Errors Pane


DatAdvantage generates an access error for a user/computer when an editing command
removes the user's permissions to a specific folder. The removed permission can be either
a direct permission or the user's membership in a group that holds the specified
permission. Such a change causes users to lose permissions that they need, based on the
events they performed.

Note: If the removed permission has not been used by any event performed by the user
during the most recent IDU Analytics-defined period of time, no error is generated.

Error details include:


• The current permission based on the existing set.
• The recommended permissions based on the admin set.
• The permissions required for the user based on the events performed during the most
recent IDU Analytics-defined period of time.

To work with the Expected Access Errors pane:

1. Select the Work Area or the Review Area.


2. In the Expected Access Errors pane, the erroneous recommendations are displayed.

Note: In the Review Area, the Expected Access Errors pane is automatically filtered by
the selected object.


3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need
quickly.
4. To view recommended permissions for entities, double-click the relevant directory or file in
the Errors tab to display the recommended permissions in the Directories pane.
5. Accept or reject the recommendations as required.

Note: If the Remove protection without unique permissions and Add protection with
copy permissions from parent commands are created on a folder together, only the
remove permission commands related to actual removed permissions are displayed. The
add permission commands that result from the add protection action are not seen. The
error is calculated only if the total effective permissions resulting from the remove and
add protection commands are not enough based on the events.

6. Refer to the following:


• File Server - The file server where the folder to which the user has access errors resides.
• Access Path - The path of the folder or the special file to which the user has an access
error.
• User/Computer - The name of the user/computer that has access errors to the folder.
• Current Effective Permissions - The current effective permission the user has on the
folder in Existing Set.
• Recommended Effective Permissions - The effective permission that the user has on the
folder in the Admin Set based on either all the commands in the Admin Set.
• Missing Permission Required by Events - The aggregated effective permission that
users require, based on the events they recently performed and will no longer be able
to perform because of the editing commands (which caused the error) affecting the
permissions of the folder/file.
• Change Source - Change the sources by opening the Permission Sources window.
• Time of Error - The date and time when the access error was calculated (based on IDU
server time).
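
The calculation described in this section, modeled as an added Python example (it is not Varonis code and not part of the original guide): it replays recent events against the Existing Set and the Admin Set and reports the current, recommended and missing permissions for each error. The Perm flags, the PermissionSet class, the 90-day window, the folder path and the account names are assumptions constructed for illustration; Deny entries and ACL inheritance are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Flag, auto


class Perm(Flag):
    """Simplified permission bits (assumption; real NTFS rights are richer)."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()


@dataclass
class PermissionSet:
    """One permission model, e.g. the Existing Set or the Admin Set."""
    acl: dict      # folder -> {user or group: Perm}; Allow entries only
    members: dict  # group -> set of direct members (users or groups)

    def groups_of(self, principal):
        """Every group that contains principal, directly or through nesting."""
        found, frontier = set(), {principal}
        while frontier:
            frontier = {g for g, m in self.members.items()
                        if m & frontier and g not in found}
            found |= frontier
        return found

    def effective(self, user, folder):
        """Union of the direct grant and all grants received through groups."""
        granted = Perm.NONE
        entries = self.acl.get(folder, {})
        for principal in {user} | self.groups_of(user):
            granted |= entries.get(principal, Perm.NONE)
        return granted


@dataclass
class Event:
    user: str
    folder: str
    needed: Perm    # permission the recorded operation required
    when: datetime


@dataclass
class AccessError:
    user: str
    folder: str
    current: Perm      # effective permission in the Existing Set
    recommended: Perm  # effective permission in the Admin Set
    missing: Perm      # used by recent events but removed by the edits


def expected_access_errors(existing, admin, events, window_start):
    """Replay recent events against both sets and report lost permissions."""
    required = {}
    for e in events:
        if e.when >= window_start:  # older events never raise an error
            key = (e.user, e.folder)
            required[key] = required.get(key, Perm.NONE) | e.needed
    errors = []
    for user, folder in sorted(required):
        current = existing.effective(user, folder)
        recommended = admin.effective(user, folder)
        # Only permissions that were held, were used, and are now gone count.
        missing = required[(user, folder)] & current & ~recommended
        if missing:
            errors.append(AccessError(user, folder, current, recommended, missing))
    return errors


# Constructed sample data (not taken from any real environment).
NOW = datetime(2017, 5, 22)
WINDOW_START = NOW - timedelta(days=90)  # hypothetical analysis period
FOLDER = r"\\fs1\finance"
EXISTING = PermissionSet(
    acl={FOLDER: {"Finance-RW": Perm.READ | Perm.WRITE, "alice": Perm.READ}},
    members={"Finance-RW": {"bob", "carol"}},
)
# Admin Set: bob and carol leave Finance-RW, carol joins a read-only group,
# and alice's direct READ entry is removed.
ADMIN = PermissionSet(
    acl={FOLDER: {"Finance-RW": Perm.READ | Perm.WRITE, "Finance-RO": Perm.READ}},
    members={"Finance-RW": set(), "Finance-RO": {"carol"}},
)
EVENTS = [
    Event("bob", FOLDER, Perm.WRITE, NOW - timedelta(days=3)),
    Event("bob", FOLDER, Perm.READ, NOW - timedelta(days=10)),
    Event("carol", FOLDER, Perm.READ, NOW - timedelta(days=1)),
    Event("carol", FOLDER, Perm.WRITE, NOW - timedelta(days=200)),
    Event("alice", FOLDER, Perm.READ, NOW - timedelta(days=120)),
]

if __name__ == "__main__":
    for err in expected_access_errors(EXISTING, ADMIN, EVENTS, WINDOW_START):
        print(err)
```

Only bob is reported: carol keeps READ through the read-only group and her WRITE event is older than the window, and alice's removed permission was not used inside the window.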

Viewing Edit History


The Editing History tab displays the history of all changes made to permissions or group
membership during the time period that was analyzed.


To view the history of changes to permissions:

1. Select the Review Area.


2. In the bottom pane, select the Editing History tab. The history of changes to permissions is
displayed.

3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need
quickly.



8 STATISTICS VIEW

The Statistics view allows you to review the cumulative data collected by the DatAdvantage Probe.

At the end of each day, DatAdvantage generates the information required to view statistics. The
data is available for viewing the day after the events were recorded and collected, and remains
available for direct access until it is archived.

The Statistics view comprises the following panes:


• Directories
• Users and Groups
• Search
• Graphs

Generating Statistics for Resources


Use the Resources drop-down list to view information regarding the resource you selected for
monitoring. The displayed statistics include all the events for the resource, for the specified
timeframe.

1. Select the Statistics view.


2. Select the Resources drop-down list.
3. In the Resources drop-down list, locate the resource for which you want to view statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to
view.


Generating Resource Statistics for Activity By Date


This chart displays the activity per day for a selected resource. Use it to identify overall usage
patterns, as well as days with unusual activity that require further investigation.

To view statistics on activities according to a particular date:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to
display only that day, enabling you to select users, directories and files to continue reviewing
the day's activity.
Graph view:

Table view:

Generating Resource Statistics for Directory Utilization


This chart represents the number of events on each entity, including its subdirectories and special
files.
To view statistics on average directory utilization:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Directory Utilization tab. The Directory Utilization chart is
displayed.


3. Click each directory or file to drill down and view its utilization.
• The directories and files displayed are from all the volumes of the selected resource.
They are not categorized into volumes, as they are in the Directory pane displayed in the
Work Area.
• The current directory or file is displayed at the top of the chart as the Parent Directory or
File.
• If you cannot click a directory, no further drill-down is possible. This occurs either because
there are no subdirectories, or because no events were logged for any subdirectory.
• Color-coding indicates the entity type:
• Yellow - Current directory
• Purple - Subdirectories
• Blue - Special files
4. Click the Back button at the top left of the chart to return to a higher level.
Graph view:

Table view:

Generating Resource Statistics for User Utilization


This chart provides a view of events per user for the selected timeframe, filtered by default to the
top 10 most active users. The chart displays only users, not groups. Use this chart to easily identify
abnormal user behavior. Your attention should be drawn to users with unexpectedly high event
counts.
To view statistics on user utilization:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the User Utilization tab.
The User/Group Utilization chart is displayed, filtered by default to the top 10 most active
users.
3. In the filter area, do the following:
a. Select Ascending or Descending to sort the users as required.
b. Use the Up and Down arrows to select the number of users you want to view.
4. Click a user to drill down and create user statistics, as if the user were selected in the Users &
Groups pane.
Graph view:

Table view:

Generating Resource Statistics for Inactive Users


This chart provides a view of the period of greatest inactivity, per user, for the past seven days.


To view statistics on inactive users:


• In the center pane, click the Inactive Users tab. The Inactive Users chart is displayed.

Graph view:

Table view:

Generating Resource Statistics for Least Active Users


This chart provides a view of the percentage of users (filtered by default to the top 10 least active
users) that had no activity in comparison to all users in the domain.

To view statistics on least active users:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Least Active Users tab. The Least Active Users chart is
displayed, filtered to the top 10 least active users.
3. In the filter area, use the Up and Down arrows to select the number of users you want to
view.
4. Click a user to drill down and create user statistics, as if the user were selected in the Users &
Groups pane.
Graph view:


Table view:

Generating Resource Statistics for Unmanaged Directories and Resources


This chart provides a view of the managed directories and resources having the most activity
compared to unmanaged directories and resources. It includes the number of events at the first
subdirectory level beneath the selected level.

To view activity statistics for unmanaged directories and resources:


• In the center pane, click the Activity on Unmanaged Directories and Resources tab. The
Activity on Unmanaged Directories and Resources chart is displayed.

Graph view:


Table view:

Generating Statistics for Directories


The Directory pane enables you to focus on the activity on a specific directory or file, based on
dates, subdirectories and users. If you identify activity that requires further examination, use the
Users Accessed chart or Log view to retrieve the required information.
1. Select the Statistics view.
2. Select the Directories pane.
3. In the Directories pane, locate the directory or file for which you want to view statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to
view.

Generating Directory Statistics for Activity By Date


This chart displays the activity for a directory or file on the specified day. Use it to identify overall
usage patterns, as well as days with unusual activity that require further investigation. Access to
the directory, its subdirectories and files is differentiated by color.


To view statistics on activities according to a particular date:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to
display only that day, enabling you to select users, directories and files to continue reviewing
the day's activity.
Graph view:

Table view:

Generating Directory Statistics for Subdirectories


This chart is similar to the Directory Utilization chart at the resource level, in that it displays the
distribution of events between subdirectories within the current directory.

For Exchange resources, the chart displays bars for the selected resource's mailbox store and
public folders. With drill-down through the mailbox store, the bars display the same alphabetical
grouping that is used in the Directories pane. Further drill-down displays the actual mailboxes.

To view statistics on subdirectories:

1. Select the Statistics view.


2. In the center pane, click the Subdirectories Statistics tab. The Subdirectories Statistics chart
is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to
display only that day, enabling you to select users, directories and files to continue reviewing
the day's activity.


Graph view:

Table view:

Generating Directory Statistics for User Access


This chart displays the distribution of users accessing the directory or file under review. The color-
coded pie chart displays the percentage of events for each user.

To view statistics on user access:

1. Select the Statistics view.


2. In the center pane, click the User Access tab. The User Access chart is displayed.
3. For slices labeled X%-Y% of events (instead of a user's name), click the slice to drill down to
more detailed pie charts displaying the slice's activity breakdown.
A small chart on the left displays the current chart as an inset of the chart one level above.
4. To return to the main chart, click Back.
Graph view:


Table view:

Generating Directory Statistics for Inactive Users


This chart provides a view of the period of greatest inactivity, per user, for the past seven days.

To view statistics on inactive users:


• In the center pane, click the Inactive Users tab. The Inactive Users chart is displayed.

Graph view:

Table view:


Generating Directory Statistics for Least Active Users


This chart provides a view of the percentage of users that had no activity in the directory in
comparison to all users in the domain.

To view statistics on least active users:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Least Active Users tab. The Least Active Users chart is
displayed, filtered to the top 10 least active users.
3. In the filter area, use the Up and Down arrows to select the number of users you want to
view.
4. Click a user to drill down and create user statistics, as if the user were selected in the Users &
Groups pane.
Graph view:

Table view:


Generating Directory Statistics for Inactive Directories


This chart indicates the number of directories and subdirectories with no activity compared to
selected directories. Only top-level directories of inactive branches are calculated. The number of
subdirectories in each appears in parentheses ( ).

To view statistics on inactive directories:


• In the center pane, click the Inactive Directories tab. The Inactive Directories chart is
displayed.

Graph view:

Table view:

Generating Directory Statistics for Managed Folders


This chart provides a view of the managed directories having the most activity, compared to the
unmanaged folders, and includes the number of events at the first subdirectory level beneath the
selected level.

To view activity statistics for managed folders:


• In the center pane, click the Activity on Managed Folders tab. The Activity on Managed
Folders chart is displayed.

Graph view:


Table view:

Generating Statistics for Users and Groups


The Users and Groups pane enables you to focus on the activity of a specific user or group, based
on dates, directories, files and group membership.
1. Select the Statistics view.
2. Select the Users and Groups pane.
3. In the Users and Groups pane, locate the entity (user or group) for which you want to view
statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to
view.

Generating User and Group Statistics for Activity By Date


This chart for users and groups is similar to the other activity history charts, in that it displays the
activity for a given user or group per day. Use this chart to identify overall usage patterns, as
well as days with unusual activity that require further investigation. Access to the directory, its
subdirectories and files is differentiated by color.

To view statistics on activities according to a particular date:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to
display only that day, enabling you to select users, directories and files to continue reviewing
the day's activity.


Graph view:

Table view:

Generating User and Group Statistics for Directory Utilization


This chart is similar to the Directory Utilization chart at the Resource level, in that it displays the
distribution of events between subdirectories and files within the current directory.
To view statistics on average directory utilization:

1. Select the relevant resource and generate statistics for it.


2. In the center pane, click the Directory Utilization tab. The Directory Utilization chart is
displayed.
3. Click a directory to drill down for further information regarding utilization of each
subdirectory or file.
Graph view:


Table view:

Generating User and Group Statistics for User Activity


This chart displays the distribution of users accessing the directory or file under review. The color-
coded pie chart displays the percentage of events for each user. This chart is only available for
groups.

To generate statistics for users and groups:


• In the center pane, click the User Activity tab. The User Activity Folders chart is displayed.

Graph view:


Table view:

Jumping to Other Views from the Statistics View


DatAdvantage enables you to move easily from the Statistics view to another view, while
maintaining your focus on a specific entity. For example, you might want to see the events log for
a particular user after you notice that user's behavior in the Statistics view. You can move quickly
to the user's events log without having to search for him or her in the Logs view.

If you jump to the Logs view, the log is automatically loaded with the relevant filters, so that it
reflects the events that comprise the selected graph portion.

BEST PRACTICE: It is important to emphasize that Varonis recommends you always start with
the Statistics view, identify the interesting information, and then drill down to the required log.
This provides the best system performance, and is the best workflow for smart usage of logs for
auditing purposes.

To jump to another view from the Statistics view:

1. While you are working in the Statistics view, right-click the bar or pie slice for the entity in
question. A context menu is displayed, listing the views to which you can jump.

2. Select the required view. DatAdvantage jumps to that view, while maintaining focus on the
entity with which you are working.


About Ownership Management Through the Statistics View


The Statistics view enables ownership management as follows:
• Owners can be set automatically for the directories and groups for which statistics are
displayed, but only if entity usage statistics exist for both the user to be defined as owner and
the directory or group in question.
• If information is missing for either the user or the entity, ownership can be managed through
the Ownership wizard. It cannot be set automatically.

Note: This has no relevance for directory service probing.

Setting Owners Automatically


To set an owner automatically:

1. From the Users and Groups pane or the Directories pane, select the group or the directory for
which you want to set an owner.
2. In the Graphs pane, select User Activity. A pie chart indicating usage per user is displayed.

3. Right-click the pie slice for the user you want to set as owner. A context menu is displayed.
4. Select Set Ownership. A confirmation message is displayed, asking you to confirm setting the
selected user as owner of the selected entity.
5. Click Yes. The user is set as the entity's owner.

Drill-down Operations for Statistics


DatAdvantage enables you to move easily from the Statistics view to the related log in the Logs
view, by right-clicking the relevant chart segment in the Statistics view.


Object | Graph | Segment | Query | Limitations
Resource | Activity by date | Date/segment bar | Events on selected resources on selected time-period bar | Cannot be grouped by day of week. Jump only to the Logs view
Resource | Directory utilization | Directory bar | Events where dirID = selected |
Resource | Directory utilization | Subdirectories bar | Events where accessPath like 'selected\%' | Jump only to the Logs view
Resource | User utilization | User bar | Events on selected resources for selected SID |
Resource | Inactive users | N/A | |
Resource | Least active users | N/A | |
Directory | Activity by Date | Selected directory bar | Events where dirID = selected | Cannot be grouped by day of week.
Directory | Activity by Date | Subdirectories bar | Events where accessPath like 'selected\%' | Jump only to the Logs view
Directory | Subdirectory statistics | Directory bar | Events where dirID = selected |
Directory | Subdirectory statistics | Subdirectories bar | Events where accessPath like 'selected\%' | Jump only to the Logs view
Directory | User access | User slice | Events where accessPath like selected and sidID = selectedSlice | Not available for group slices
Directory | Inactive Users | N/A | |
Directory | Least active users | N/A | |
Directory | Inactive Directories | N/A | |
Group | Activity by date | Date/segment bar | Events on selected resources on selected time-period bar, for the selected group | Cannot be grouped by day of week. Jump only to the Logs view
Group | Directory utilization | Directory bar | Events where dirID = selected and group = selected |
Group | Directory utilization | Subdirectories bar | Events where accessPath like 'selected\%' and group = selected | Jump only to the Logs view
Group | User activity | User slice | Events on selected resource(s) and sidID = selectedSlice | Not available for group slices
User | Activity by date | Date/segment bar | Events on selected resources on selected time-period bar, for the selected user | Cannot be grouped by day of week. Jump only to the Logs view
User | Directory utilization | Directory bar | Events where dirID = selected and userID = selected |
User | Directory utilization | Subdirectories bar | Events where accessPath like 'selected\%' and userID = selected | Jump only to the Logs view



9 LOGS VIEW

The Logs view enables you to browse and search the event logs from all the monitored resources
for a specific day, down to the level of a single event.

The Logs view comprises the following panes:


• Log
• Directories pane
• Users and Groups pane
• Search pane

Viewing Logs
You can view the logs based on the entity you selected in the Entity Selection pane as follows:
• Resource - Displays all the events for a given resource.
• Directory - Displays all the events for a directory, subdirectories and files.
• OU - Displays all the events for a given OU.
• User or group - Displays the events for a specific user or group.

To view a log:

1. Select the Logs view.


2. From the relevant pane, locate the entity whose log you want to view.
3. Double-click the entity. The entity's data is loaded into the Search pane.

Note: You may use only the Search and Advanced Search options if you want, without
first selecting an entity.


4. In the Search pane, set the value of the criterion you want to search by. Options are:
• When did the event occur? - Select the time frame in which the event occurred. If you
select Today, you must first synchronize events (select Tools > Log > Synchronize Latest
Events).

Note: It is not recommended to select Today as your time frame, as it may produce
limited results and the synchronization process may have a negative effect on
performance.

• Where did the event occur? - Select the resources you want to search in.
• What type of event occurred? - Select the checkboxes of the operations you are interested
in.
• Who generated the event? - Click the Browse button to select users you are interested in.
• Directory filters
• Which object was accessed? - Click the Browse button to select a specific folder, file,
user or group. Select the Search in child objects checkbox as necessary.
• Which files were accessed? - Type the names of specific files you are interested in. Use
a comma (,) to separate names.
• Mail-related filters - Only for Exchange mailboxes
• Which user received the email? - Type the email address of the mail recipient you are
interested in.
• Who sent the mail? - Type the name of the mail sender you want to search for.
• Which file was attached? - Type the name of the file that was attached to the mail
message.
• What is the event item type? - Select the type of mailbox event you are interested in.
5. To define more complex criteria, click Advanced Search and define the search string
as required. Any criteria you have already defined in the simple search are populated
automatically in the advanced search. See Advanced Searching.
• Computer accounts do not appear in any of the pickers. To search for a computer account,
type the name of the computer in the relevant user filter.

Note: For a complete description of all available filters, see DatAdvantage and Sub-
Products Filters.

6. To save your search criteria or load a saved search, click Save/Load Query Definitions and
then select either Save or Load, as relevant.
7. When you are done setting search criteria, click the Search button. The relevant log file is
displayed in the bottom pane. For information on all columns that can be displayed in the log,
see Log Columns.
8. To navigate the log:
• Click Retrieve 200 More to view another 200 records.

Important: This button retrieves the records at random, without regard to the first,
last, next, sorted sets, data source (i.e., resource), etc. Each time the button is clicked,
it retrieves another set of records at random, increasing the number of results by
200. For example, if you click the button once, 200 random records are retrieved. If
you click it again, an entirely different set of 400 records is retrieved.

• Click Retrieve All to view all the records in the log (this may take some time).
• Use the Up and Down arrows next to the Page field to move to the required page of the
log.
• Use the Up and Down arrows for the Records per page field to set the number of records
displayed on each page of the log.
9. To view the log data for a single event, double-click the event's row in the log. The Event
Details window is displayed, showing the event's data on the General tab.

Note: The Event Details window shows information on all columns in the log. To add or
remove log columns, see Adding and Removing Log Columns.

10. To view changes made to Group Policy Object (GPO) settings, select the GPO Changes tab.
The GPO Changes tab is displayed, showing the GPO setting changes.

Note: The GPO Changes tab is displayed only if GPO settings for that event were
modified.


Adding and Removing Log Columns


To add or remove log columns:

1. Do one of the following:
a. From the toolbar, click Edit Columns.
b. In the log pane, right-click the title row.
A list of all available columns is displayed.
2. To add a column, click a column that is not selected.
The column is added to the log and the column list is closed.
3. To remove a column, click a selected column.
The column is removed from the log and the column list is closed.

Note: The log must always include at least one column.


Log Columns
You can customize which columns are included in logs (for more information, see Adding and
Removing Log Columns).

You can also change the order in which the columns are displayed, sort columns, and group
columns as required. For more information, see Working with Lists and Tables. Display
preferences are automatically saved in the user's profile.

The following table describes all columns and column types that can be included in the log:

Column Name - Description

Affected Group Scope - The scope of affected groups.

Affected Group Type - The type of the affected group.

Affected Share Path - The full path of the share.

Changed Permission
• Audit events and history of differences events - The change that occurred.
• If a folder's protection or ownership was changed, this column is empty.

Changed Permission Flags
• The permission flags that were changed.
• If a folder's protection or ownership was changed, this column is empty.

Commit Process ID - The ID of the process in which the change was committed.

Device IP Address - The IP address of the user from which the event originated.

Device Name - The resolved hostname of the Device IP from which the event originated.

Event Count - The number of times a single event was logged. For example, if the
same file was opened by the user several times in a single day, this
field displays the total number of identical events.

Event Description - A detailed description of the event.

Event ID - The unique identifier of events occurring on the same ACL.


Event Operation - Indicates what happened during the event. Also indicates access
denied events, that is, events that failed because the user did not
have sufficient permission.

Note: Events may be marked incorrectly as access denied in the following cases:
• Folder access - When a folder is opened, an Open
request is triggered for all the files within the folder. If file
permissions are different from the folder's permissions, a
false access denied event is recorded. A single event is
presented for all the files within the folder.
• Missing events - If a file requires both Write and Read
permissions in order to open it, access denied events are
not recorded for the file's Open events.
• Events generated by the operating system or installed
application - The operating system or installed
applications may generate events that are marked as
Open events. For example, Windows opens image files to
support its thumbnail functionality.
These false positives are filtered by default, to minimize
"noise" as much as possible.

Note: Access events that are denied due to lack of share permissions are not recorded.

Event Status - Indicates whether the event was successful or not.

Event Time - The time, as configured on the file server, at which the event
occurred.

Event Type - The type of operation performed on the entity.

File Server/Domain - The name of the file server or domain on which the event
occurred.

File Type - Indicates the file type, if known.

Includes Guest Link - Files in SharePoint Online that have a guest link.

Inherited Permission Change - Indicates whether the change in permissions was inherited.

Last Occurrence - The last time the event was logged.


Number of Nested Files in Deleted Folder - The number of nested files contained in a
deleted folder.

Object - The display name of the object on which the event occurred.

Object Type - The type of object on which the event occurred, which can be:
• File
• Folder
• Group
• User

Operation By - The name of the user who performed the event.

Operation Source - The source of the event, which can be:
• Log - User events
• History - Differences retrieved by FileWalk and ADWalk

Path - The path name of the accessed object. For directory service
objects, this is the distinguished name.

Permissions After Change
• Audit events - The permissions that existed on the object
following the change.
• History of differences events - This column is empty.

Permissions Before Change
• Audit events - The permissions that existed on the object prior
to the change.
• History of differences events - This field is empty.

Shared Externally - Files, folders and sites in SharePoint Online that are shared with
external users.

Size of Deleted Folder (in MB) - Filters according to the specified size of deleted folders.

Trustee
• The name of the user (in the format Domain\Username) that
was granted permission.
• The column is empty if a folder's protection was changed in a
Protection Added or Protection Removed event.
• The name of the new owner (in the format Domain\Username) if
ownership was changed in an Owner Changed event.


Trustee Account Type - Indicates the type of account for which permissions have changed
(i.e., a user, group or a computer).

UTC Time - The UTC time at which the event occurred.

Account Management - By default, the following columns can be added to the log:

Note: Separate columns can be added for acting object and affected object.

• Account with Expiration Date - The name of an account on
which an expiration date has been set.
• Disabled Stale Account - The name of an account that is both
disabled and stale.
• Enabled Stale Account - The name of an account that is
enabled but stale.
• Enabled User with Account about to Expire - The name of a
user that is enabled, but whose account is about to expire.
• Enabled User with Expired Passwords - The name of a user that
is enabled, but whose password has expired.
• Enabled User with Password about to Expire - The name of a
user that is enabled, but whose password is about to expire.
• Locked-out User - The name of a user who is locked out of the
system.
• Stale Account - The name of an account that is stale.
• User with Expired Passwords - The name of a user whose
password has expired.
• User with Password that Never Expires - The name of a user
whose password never expires.


AD Properties - By default, the following Active Directory properties can be added
as columns to the log:

Note: Separate columns can be added for acting object and affected object.

• AccountExpires - The date when the account expires.
• Company - The user's company name.
• CountryCode - Specifies the country/region code for the user's
language of choice.
• CountryName - The country/region in the address of the user.
• CurrentLocation - The computer location for an object that has
moved.
• Department - The name of the department in which the user
works.
• description - The description to display for an object.
• Disabled Accounts - The name of disabled user and group
accounts, as set in Active Directory
• Display Name - The display name for an entity.
• Division - The user's division.
• Domain Name - The domain name of the entity that performed
the event.
• Email - The email of the entity, as defined in Active Directory
• givenName - The given name (first name) of the user.
• initials - The initials for parts of the user's full name.
• ipPhone - The TCP/IP address for the phone.
• LastLogonTimestamp - The time at which the user last logged
into the domain.
• LDAP path - The path of the LDAP server.
• LocalityName - Represents the name of a locality, such as a
town or city.
• Location - The user's location, such as office number.
• LockoutTime - The date and time (UTC) at which an account
was locked out.
• Logon Name - The user's logon name.
• managedBy - The distinguished name of the user that is
assigned to manage this object.
• manager - The distinguished name of the user who is the user's
manager.
• Manager Name - The name of the user's manager
• mobile - The primary mobile phone number.
• msDS-isGC - Identifies the state of the Global Catalog on the
DC.
• msDS-isRODC - Shows whether a DC is an RODC.
• msDS-SiteName - Lists the site name that corresponds to the
DC.
• msDs-supportedEncryptionTypes - The encryption algorithms
supported by user, computer or trust accounts.
• name - The relative distinguished name (RDN) of an entity.
• ObjectGuid - The unique identifier for an object.


• Operating System - The Operating System name, such as Windows X.
• Operating System Service Pack - The operating system service
pack ID string (for example, SP3).
• Operating System Version - The operating system version
string, for example, 4.0.
• OU Name - The name of the organizational unit to which the
entity belongs.
• OU Path - The entity's position in the specified OU hierarchy.
• Personal Title - The user's title.
• Primary User Address - The user's primary mailing address.
• primaryGroupID - Contains the relative identifier (RID) for the
primary group of the user.
• Profile path - Specifies a path to the user's profile. This value
can be a null string, a local absolute path, or a UNC path.
• PwdLastSet - The date and time at which the password for the
account was last changed.
• sn - The last name (surname) of a user.
• Telephone Number - The primary telephone number.
• TextCountry - The country/region in which the user is located.
• title - Contains the user's job title. This property is commonly
used to indicate the formal job title, such as Senior
Programmer, rather than occupational class, such as
programmer. It is not typically used for suffix titles such as Esq.
or DDS.
• User Type - The type of user account
• userPrincipalName - An Internet-style login name for a user
based on the Internet standard RFC 822.
• WhenCreated - The date on which the object was created.

Note: Additional AD properties can be defined in the Configuration window and then
added as columns.


Azure AD Properties - By default, the following Azure Active Directory properties can be
added as columns to the log:

Note: Separate columns can be added for acting object and affected object.

• Azure blockCredential - Indicates whether or not the user can
log on to Azure Active Directory using the user ID.
• Azure cloudExchangeRecipientDisplayType
• Azure isBlackberryUser - Indicates whether or not the user has
a BlackBerry device.
• Azure isLicensed - Indicates whether or not the user has
licenses assigned.
• Azure isSystem
• Azure lastDirSyncTim - The date and time of the last directory
synchronization (returned from users synced through Active
Directory Domain Services synchronization).
• Azure licenseReconciliationNeeded
• Azure liveId - The user's unique login ID.
• Azure ObjectID - The user's unique ID.
• Azure overallProvisioningStatus
• Azure passwordResetNotRequiredDuringActivate - Indicates
whether or not a password must be reset when activated.
• Azure preferredLanguage - The user's preferred language.
• Azure softDeletionTimestamp
• Azure strongAuthenticationProofupTime
• Azure strongPasswordRequired
• Azure stsRefreshTokensValidFrom
• Azure userLandingPageIdentifierForO365Shell
• Azure userThemeIdentifierForO365Shell
• Azure userType - The type of user.
• Azure validationStatus
• externalUserShareSentToEmailAdress
• externalUserSignInEmailAddress
• Is Azure External User

Classification - The following columns can be added to the log:
• Classification Results - The files and folders having classification
results.
• Total Hit Count - The number of times a rule returns a result on
a file.
• Total Hit Count (Inc. subfolders) - The sum of all results returned
for all folders and subfolders that are identified by classification
rules.


Follow Up - The following columns can be added to the log:
• Global Flags on Acting Object - Global flags defined for the
acting object
• Global Flags on Affected Object - Global flags defined for the
affected object
• Notes on Acting Object - Notes defined for the acting object
• Notes on Affected Object - Notes defined for the affected
object
• Tags on Acting Object - Tags defined for the acting object
• Tags on Affected Object - Tags defined for the affected object

FS Properties - The following columns can be added to the log:
• Access Date - The date on which the file system object was
accessed
• Create Date - The date on which the file system object was
created
• Exchange Domain - The Exchange domain on which the event
occurred
• File Count - The number of files the folder contains, not
including files in subfolders
• FS Owner - The file system owner of the object
• Modify Date - The date on which the object was modified
• Number of Files in Subfolders - The number of files contained in
subfolders, not including files residing directly under the folder
• Number of Nested Files - The number of files the folder
contains, including all files in all subfolders
• Number of Nested Folders - The number of subfolders the
folder contains
• Physical Size of Folder (in MB)
• Physical Size of Folder and Subfolders (in MB)
• Resource Type
• Size of Folder (in MB) - The size of the folder, without
subfolders, in megabytes
• Size of Folder and Subfolders (in MB) - The total size of the
folder in megabytes, including all subfolders
• Size of Subfolders (in MB) - The total size of all the subfolders
contained in the folder, in megabytes
• Total Number of Nested Objects - The number of nested
folders and files


Mail Properties - The following columns can be added to the log (only available for
Exchange resources):
• Attachment Name - The name of a file (if any) that was attached
to the mail
• Exchange Client Type - The type of client used to access the
mailbox
• Mail Date - The date on which the mail was sent
• Mail Item Type - The mail type, such as mail message, accept
meeting, and task
• Mail Recipients - The email addresses of the users who
received the mail
• Mail Source - The email address of the user that sent the mail
• Mail Access Type - The type of user who accessed the mailbox,
which can be:
  • Owner - The mailbox owner
  • Non owner - All users except the mailbox owner

Exporting Log Results

To export the log results to an Excel spreadsheet:

1. On the toolbar, click Export Results.
The Save As dialog box is displayed.
2. Save the spreadsheet.

Saving Log Results

To save the log results to an Excel spreadsheet:

1. On the toolbar, click Save/Load > Save.
The Save As dialog box is displayed.
2. Save the log as necessary.

Loading Log Results

To load a log into the UI for viewing:

1. On the toolbar, click Save/Load > Load.
The Open dialog box is displayed.
2. Select the required log and click OK.

Printing Logs

To print a log:

1. On the toolbar, click Print.
2. To preview the log, select Print Preview.
3. To print the log, select Print.


Minimizing and Maximizing the Query Pane


To minimize or maximize the query pane:

• On the toolbar, click Minimize Query or Maximize Query as relevant.

Jumping to Report 1.a.01


After you define filters for the log, you can jump to report 1.a.01 and use those filters to quickly
create a template or subscription. When you jump to report 1.a.01 from the Log View, the defined
filters are automatically loaded into the report's Filters pane.

Note: This function is available only to users who have the Report View role. In addition,
those having the Enterprise Managers, System Administrator, Power User or Users roles can
generate alerts from the Log view if they also have the DatAlert Configuration role.

To jump to report 1.a.01:

1. Define the required Advanced Search criteria, or load a DatAlert rule.


2. On the toolbar, click Jump to Report 1.a.01.
Report 1.a.01 is displayed, with all the filters loaded that you defined in the Log View.


10 ALERTS VIEW

DatAdvantage tracks the number of access events generated by each user on a daily basis.
Access events include, among other actions, opening, creating, deleting, and moving (renaming)
files or directories.

Each night, DatAdvantage calculates each user's daily average number of access events over the
previous 60 days (the time period is configurable), as well as the standard deviation of each user's
daily access events. DatAdvantage generates an alert, which is displayed in the Alerts view, when
both of the following are true for a user on any given day:
• The total number of the user's access events "spikes", that is, it is greater than that user's
daily average by more than a multiple (the coefficient, 3 by default) of his or her standard
deviation.
• The user exceeded the threshold (10,000 by default).

The severity of an alert is dictated by the number of consecutive days on which the alert was
generated for the specific user. That is, if a user creates an alert three days in a row, one alert is
written with a severity of 3. The maximum severity is set to 8.

Example
When the alerts settings are configured as follows:
• Alert utilization coefficient - set to 3
• Alert utilization threshold - set to 1,000
• Alert configuration period - set to 4 days

and the user generates the following events:
• Day 1 - 1,000 events
• Day 2 - 1,050 events
• Day 3 - 1,100 events
• Day 4 - 1,150 events

If on day 5 the user generates 1,300 events, DatAdvantage generates an alert because the user
exceeded his or her daily average by 3.5 times the standard deviation (greater than the set Alert
utilization coefficient) and created more than 1,000 events (greater than the set Alert utilization
threshold).
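
The calculation described above, carried through in Python as an added example (it is not Varonis code, and the function names are hypothetical). It assumes the sample standard deviation, which is what reproduces the 3.5 figure, and a baseline made of the preceding days as recorded; days 6 to 8 are constructed data showing how consecutive alert days merge into one record with a severity.

```python
"""Spike alerting as described in the Alerts view chapter (added illustration)."""
from statistics import mean, stdev

MAX_SEVERITY = 8  # the guide caps severity at 8


def spike_score(baseline, today):
    """How many standard deviations today's total lies above the baseline average.

    Assumption: the sample standard deviation (n - 1) is used, because it
    reproduces the guide's "3.5 times" figure; the population form gives about 4.0.
    """
    avg = mean(baseline)
    sd = stdev(baseline)
    if sd == 0:
        # Assumption: against a perfectly flat baseline any increase is a spike.
        return float("inf") if today > avg else 0.0
    return (today - avg) / sd


def is_alert(baseline, today, coefficient=3, threshold=10_000):
    """Both conditions from the guide must hold: a spike and the volume threshold."""
    return today > threshold and spike_score(baseline, today) > coefficient


def scan(daily_totals, period=60, coefficient=3, threshold=10_000):
    """Walk one user's daily totals and return alert records (1-based day numbers).

    Consecutive alert days are merged into one record whose severity is the
    number of days in the run, capped at MAX_SEVERITY.
    Assumption: the baseline is the preceding `period` days, spike days included.
    """
    records, current = [], None
    for day in range(period, len(daily_totals)):
        baseline = daily_totals[day - period:day]
        if is_alert(baseline, daily_totals[day], coefficient, threshold):
            if current is None:
                current = {"start": day + 1, "end": day + 1, "severity": 1}
                records.append(current)
            else:
                current["end"] = day + 1
                current["severity"] = min(current["severity"] + 1, MAX_SEVERITY)
        else:
            current = None
    return records


# Days 1-5 are the guide's example; days 6-8 are constructed to show severity.
GUIDE_TOTALS = [1000, 1050, 1100, 1150, 1300]
CONSTRUCTED_TOTALS = GUIDE_TOTALS + [2000, 4000, 2100]

if __name__ == "__main__":
    print(round(spike_score(GUIDE_TOTALS[:4], 1300), 2))
    for record in scan(CONSTRUCTED_TOTALS, period=4, threshold=1000):
        print(record)
```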

The Alerts view comprises the following panes:


• Calendar
• Alerts List
• Activity By Date


Viewing Alerts
To view alerts:

1. Select the Alerts view.


2. Set the required timeframe.
3. In the Resources drop-down list, locate the resource for which you want to view statistics.
4. Double-click the resource you want to review. Alternatively, click the Search button in the
Calendar pane. Alerts for the specified timeframe are displayed.


Alerts provide the following information:

• Type - The entity for which the alert was generated. Possible types:
  • User
  • Group
• Entity Name - The name of the entity for which the alert was generated.
• Alert Type - The type of alert.
• Alert Name - The name of the alert.
• Start Date - The date on which the unusual behavior began.
• End Date - The date on which the unusual behavior ended.
• Severity - The severity of the unusual behavior.
5. Use DatAdvantage's standard sorting and grouping functions to locate the data you need
quickly.
6. In the Activity By Date pane, click the column for a specific date to view information for that
day.


7. Use the Alerts report subscription option to receive regular reports regarding alerts in your
system.

About Alert Analysis


DatAdvantage creates a baseline of normal activity for each user. Therefore, most alerts deserve
investigation. There are several causes for spikes in user activity. Any of these (and many other)
examples may cause an alert in DatAdvantage:
• A user or administrator has modified the permissions on a directory and all the files and
subfolders within that directory.
• A user or administrator has copied a large number of files to or from the server.
• An automated process has been executed with a user account, such as a batch process, an
indexer service, a worm or other malware.

DatAdvantage typically generates a handful of alerts each day, which can usually be investigated
in a short period of time. When you do your daily review of the DatAdvantage alerts, it is helpful to
double-click each alert to determine the following:
• Was the alert generated by a privileged or administrative account?
• Was the activity deviation thousands or tens of thousands of events?

If the answer to either or both of these questions is yes, the alert probably deserves investigation.


Analyzing Alerts
To analyze an alert:

1. Click the bar corresponding to the day on which the alert was generated to jump to the
Statistics view. The directories that were accessed are displayed.
2. Check the Logs view for additional information. The Logs view displays the files that were
accessed, and indicates whether they were opened, deleted, moved, and so on.

Inappropriate Access
While DatAdvantage makes identifying the technical cause of a usage spike simple, it can
sometimes be more difficult to discern whether the activity was appropriate or inappropriate,
well-intentioned or otherwise. Until clear policies and processes concerning appropriate
and inappropriate access are created, distributed, and reviewed, it is usually best to adopt a
methodology similar to the following:
1. Determine a list of directories containing critical or sensitive files, and the parties responsible
for them (that is, their owners).
2. Agree on a process to handle alerts concerning sensitive data with the data owners. This
might include notification, generation of activity reports, and so on.
3. When an alert arises concerning sensitive data, follow the agreed upon process.
4. When a user or administrator account generates an alert on any other (non-sensitive) data
and the cause is unknown or not easily discernible, ask the user or administrator in question if
they know what might have caused a spike in his or her activity.
5. If the cause still cannot be determined and the pattern is repeated, consider asking the user
to change his or her password.


11 REPORTS VIEW

The Reports view enables you to define reports to be sent periodically (or only once) by email,
or be stored on a file system share. You can also view reports online, and store snapshots of
important reports. This view comprises the following panes:
• Reports List
• My Subscriptions
• Viewer - Includes the following panes:
  • Search conditions
  • Help display
  • Table view

For a complete description of all reports available in DatAdvantage, see Metadata Framework
Reports.

About the Reports List


The Reports List is an interactive list of reports, along with both predefined and customized
templates. You can:
• Filter the list
• Set simple search criteria to find reports quickly
• Show and hide report categories
• Group and sort the reports list by any list header
• Expand and collapse the grouped list

Finding Reports in the Reports List


DatAdvantage provides dozens of useful reports to enable complete visibility into your data.

Set search criteria to find reports according to the following guidelines:

• In the Find Report field, type the terms by which you want to search. The search is carried out
on the following fields:
  • Template name
  • Template description
  • ID column (even if the view mode is not set to Hide Categories)
  • Report name
  • Report category
• The search is not case-sensitive.
• Use a plus sign (+) to search for more than one term. For example, searching everyone +
permissions returns all reports that include both everyone and permissions.


• The categories and reports in the results are fully expanded following your search, regardless
of other view options you may have set.
• To reload the full report list, click the X in the Find Report field or delete the input you entered.

Using the Reports List


To use the Reports List:

1. Group and sort the list as necessary according to standard DatAdvantage procedures (see
Working with Lists and Tables).
2. To expand or collapse the grouped, sorted list, right-click a category and select Expand All
Groups or Collapse All Groups, as relevant.

3. To hide the report categories and view all report templates as a flat list, select View > Hide
Categories.
• A flat list is displayed, regardless of other grouping, sorting or search criteria you may have
set.
• To show report categories again, clear this option.


Accessing the DatAdvantage Operational Log


The DatAdvantage Operational Log, report 8.b.01, provides complete visibility into activities
performed within DatAdvantage itself. There are two ways to access the log:
• Select Tools > DatAdvantage Operational Log. Report 8.b.01 is opened in the report viewer.
• Go to the Reports view and find report 8.b.01 in the Reports List.

After you have accessed the DatAdvantage Operational Log, you can customize a template for it
or create a subscription to it according to standard DatAdvantage procedures.

About Report Templates


DatAdvantage enables users with certain roles to define and customize report templates as
necessary, so that they can create the most useful reports quickly and easily.

With report templates, authorized users can start with a predefined template, and then:

• Set the default filters and filter values you want for the template.
• Choose the columns to be displayed in the report, based on:
  • Directory service (Active Directory) properties
  • File system properties
  • Other available columns
• Set sorting and grouping options.
• Choose the look and feel of reports.
  • Select predefined themes, including your own customized themes
  • Use a custom logo in generated reports
• Set various display options for the selected columns.

Upgrade
During upgrade, subscriptions that were created before templates were introduced or customized
are updated accordingly, such that new templates are created that include the relevant
customizations.


Roles
The following roles can customize report templates:
• Enterprise managers
• System administrators
• Users with the Reports view-based role

Creating Report Templates


To create a report template:

1. Select the Reports view.


2. Locate the required report in the Reports List.
3. Click the name of the report. The report is displayed in the Viewer.

4. Set filtering, column options and display options as necessary.


5. To run the report, click Run Report.
6. To save your template along with the filter you defined, click Save or Save As, as relevant.

Important: If you change the configuration of a template, subscriptions to it are updated
with everything except changes to filters.

Note: If you make changes to a predefined template, you must click Save As to save it
under a new name.

Setting Template Filters

To set filters for your template:

1. In the Search pane, select the Filters tab and set filters as relevant. For complete instructions
on setting filters, see Advanced Searching.


2. To export your filter definitions to an XML file for easy reuse, select Import/Export Filter >
Export to File and save the file.
3. To import your saved filter definitions, select Import/Export Filter > Import from File and
select the relevant file.
4. To save the filters as part of your template, click Save or Save As, as relevant.

Important: If you change the configuration of a template, subscriptions to that template
are updated with all changes except those made to filters.

Note: If you make changes to a predefined template, you must click Save As to save it
under a new name.

Setting Template Columns

To set columns for your template:

1. In the viewer, select the Columns tab.

2. From Available columns on the left, select the columns you want to add to the report and click
the right arrow to move your choices to Your selection on the right.
3. In the Your selection area, do the following as preferred:
• To group report results by a particular column, select the Grouped by check box for that
column.
• To reorder columns, select a column to move and use the up and down arrows to set its
position in the report.
4. Click Reset to restore the set of columns and groupings that were last saved with your
template.

Setting Chart Data for Metrics

Note: The following procedure applies to reports 14.c.01 and 14.h.01.


To set chart data for your template:

1. In the viewer, select the Chart Data tab.


The Chart Data tab is displayed.

2. From the Available metrics on the left, select the metrics you want to add to the report and
click the right arrow to move your choices to Your selection on the right.
3. In the Your selection area, do the following as preferred:
• To change the line color for each metric, select the required color from the Color drop-
down list for that metric.
• To change the line type for each metric, select the required line type from the Line Type
drop-down list for that metric. The following line types are available:
• Solid
• Dotted
• Dashed

Note: By default, the color and line type for each metric are automatically selected.

4. To view the data labels on the Y axis of the line chart, select the Show data labels on chart
check box on the top right of the Chart Data tab.
5. Click Reset to restore the set of metrics, colors and line types that were last saved with your
template.

Setting Chart Data for Business Units

Note: The following procedure applies to report 14.i.01 only.

To set chart data for your template:

1. In the viewer, select the Chart Data tab.


The Chart Data tab is displayed.

2. From the Business units selection on the left, do one of the following:
• Select the Top business units for the selected trend option and set the number of business
units for display in the bar chart.

Note: If selected, the bar chart will display the selected number of business units
with the highest average metric values during the defined time period. An overview
of business unit metrics is displayed in the bar chart. This option does not display the
data according to the time period defined by the interval filter.

• Select the Manually select the business units option and do the following:
• Select the business units you want to add to the report and click the right arrow to
move your choices to Your selection on the right.
• To change the color for each business unit, select the required color from the Color
drop-down list for that business unit.

Note: This step is optional. By default, the color for each business unit is
automatically selected.

Note: The Manually select the business units option is selected by default.

3. To view the data labels on the Y axis of the bar chart, select the Show data labels on chart
check box on the top right of the Chart Data tab.
4. Click Reset to restore the set of business units and colors that were last saved with your
template.

Setting Display Options

To set display options for your template:

1. In the viewer, select the Display tab.

2. In the General area, set the following:


• Template name - Enter a customized name for your template.
• Template owner - Click the Browse button to select an owner for the template. Only the
template owner and Enterprise Manager (if configured) can edit and delete this template,
or change the template owner.
• Description - Enter a free-text description for your template.
3. In the Page Layout area, set the following:
• Title - From the drop-down list, select the report element to be used for your template's
title. Options are:
• Report Name
• Template Name
• Subtitle - From the drop-down list, select the report element to be used for your template's
subtitle. Options are:
• None - Select if you do not want a subtitle.
• Report Name
• Template Name

Note: The Title and Subtitle options you set are also applied to your subscriptions for
this template.

• Look and feel - If you have prepared a customized look and feel, select it from the drop-
down list.
• Show in report - Select the report elements you want to show in your template:
• Description - Displays the template's description as part of the generated report
• Filter - Displays the filters you set as part of the generated report
• Logo - Displays the logo you choose (or the default Varonis logo) as part of the
generated report
• Results grouping - Select your preferences for grouping the results returned in the
generated report. Options are:
• Collapse groups
• Hide number of nested rows

Setting Privacy Options

When you create or edit a template, you can select the users that can see it. Only users who have
permission can:

• See the template in the Reports List


• Select the template in the subscription window

The Privacy Settings tab is only visible to the template owner and the Enterprise Manager (if
configured).

To set privacy options for your template:

1. In the viewer, select the Privacy Settings tab.

2. From the drop-down list, select the users that can see the template. Options are:
• All users
• The template owner

Note:
• See Setting Display Options for instructions on setting the owner.
• Keep in mind the Enterprise Manager may be able to see all templates and
subscriptions, regardless of the setting you choose here. See the Management
Console User Guide for more information.

• The template owner and the following users/groups - If you select this option, click the
green plus sign to select the required users and groups.

Importing and Exporting Report Filters

If you have well-defined filters, you can export them to XML files for later use and import saved
files.

• To export a defined filter:


1. In the Search pane, click Import/Export Filter > Export to File.
2. Save the file as required.
• To import a saved filter:
1. In the Search pane, click Import/Export Filter > Import from File.
2. Select the required file. The file is loaded into the Search pane.

Editing Report Templates


Only user-defined templates can be edited. Default templates provided with DatAdvantage cannot
be edited.
Subscriptions to templates are automatically updated when the templates are edited, with the
exception of changes to filters.

To edit a defined report template:

1. Expand the Reports List and select the customized report template you want to edit.
2. Edit the template as required.
3. Save the edited template.

Deleting Report Templates


Only user-defined templates can be deleted. Default templates provided with DatAdvantage
cannot be deleted.
If a template is deleted, any subscriptions defined for it are also deleted (a warning is provided).

To delete a customized report template:

1. Expand the Reports List and select the customized report template you want to delete.
2. Click Delete.
The template is deleted.

Working with Reports

Showing and Hiding the Report Search Pane


To hide the report search pane:

• In the Search pane, click Hide Search. The Search pane is hidden.

To show the report search pane when it is hidden:


• In the Search pane, click Show Search. The Search pane is displayed.

Switching Report Views


DatAdvantage provides two views in the Reports workspace:
• Help view - Provides instant access to the online help for the specific report you selected
• Table view - Provides an interactive view of the report data so that you can sort and group data
effectively, to gain a better understanding of the results before generating a formatted report

To switch report views:


• From the Help View (opened by default when you select a report), click the Table View button.
The Table View is displayed.

• From the Table View, click the Help View button. The Help View is displayed.

Previewing Reports
The report preview window displays the fully formatted report, not just the raw report data.

To preview reports:

1. Define the report criteria as required.


2. In either the Search pane or the Table View, click Preview.
• Button in the Search pane - All report results are included in the preview
• Button in the Table View - Only the selected results are included in the preview

The report preview is generated in a separate window.

3. On the report toolbar, use the following buttons to perform various activities with the report:

• To navigate the report.
• To stop rendering the generated report.
• To refresh the generated report.
• To print the report.
• To set the print layout.
• To determine the page setup for the printed report.
• To save the generated report to Word, Excel or PowerPoint.
• To set the screen magnification.
• To find specific text in the generated report.
4. Once column order and grouping options are defined, you can expand or collapse rows in the
generated report as necessary:

Working with the Table View


To view search results in the Table View:

1. In the Search pane, click Run. The report results are displayed in the Table View.

2. To quickly locate results containing a specific string:


a. Select a cell in the grid that contains the relevant string.
b. Right-click and select Copy from the context menu.
c. Paste the copied string into the search bar above the grid.
The report results are filtered to display only results containing that string.
3. To group report results:
a. In the Search pane, select Group by for the columns by which you want to group results.
The results in the Table View are grouped accordingly, and the headings of the grouped
columns are displayed in the grouping area above the results.
b. Alternatively, drag the relevant column heading in the Table View to the grouping area
above the results.
Report results are grouped accordingly, and the Group by option for that column is
selected in the Table View.
4. To clear groupings, do one of the following:
• Clear the Group by option in the Search pane.
• Drag the relevant heading from the grouping area back to the results.

The grouping is removed.


5. If you prefer, select specific rows for export or preview. Only the selected rows are included in
the exported report or the preview.
• You must use the Preview button in the Table View for this; the Preview button in the
Search pane generates a preview with all rows.
• By default, all rows are selected.
6. To view page breaks prior to printing, click Page Break.
The printable area is displayed below the report results, indicating which columns will be
printed on which page.

Exporting Reports
You can export reports to the following formats:
• CSV
• HTML
• Excel
• PDF

To export report data:


1. Generate the report.
2. If you prefer, select specific rows for export in the Table View. Only the selected rows are
included in the exported report. (By default, all rows are selected.)
3. In either the Table View or the report preview, select the required format from the Export
drop-down list.
4. Save the exported report as required.

Subscribing to Reports
BEST PRACTICE

For performance reasons, Varonis highly recommends you subscribe to reports so that you can
receive them regularly by email, instead of generating them directly in the Viewer.

To subscribe to a report:

1. In the Reports List or the Viewer, click the Subscription button. The Subscription dialog box
is displayed.

2. In the General area, set the following parameters:


• Name - Type a name for the subscription.
• Description - Type a free-text description of the subscription.
3. Set the remaining subscription parameters for each tab as necessary.
4. To run the report subscription immediately, select Run immediately.

Delivery Parameters Tab


The contents of the Delivery Parameters tab are determined by the option selected in the
Delivered By parameter:
• Report Server Email - Simply send the report by email.
• Report Server Email (Data-Driven) - Select to filter the report contents according to the
recipient's owned objects, and send it by email.
• Report Server File Share - Save the output report to file.
• Report Server File Share (Data-Driven) - Save the report subscription to a file system share
according to the specified recipients' owned objects. With this option, a folder is created in the
destination folder for each recipient and a copy of the report that contains only information
relevant to that recipient is placed in the folder.

Sending Reports by Email

The Report Server Email option enables you to send a report subscription to designated
recipients.

To send a report by email:

1. From the Delivered by drop-down list, select Report Server Email.


2. Select the Always send this report, even if empty option as required.
3. Set the following parameters:
• To - Type the addresses of the recipients of the report (separated by a semi-colon).
• CC - Type the addresses of users to receive copies of the report (separated by a semi-
colon).
• BCC - Type the addresses of users to receive blind copies of the report (separated by a
semi-colon).
• Reply - Type the address of the user sending the report.
• Subject - Type the subject line of the report.
• Display report data in the subject field - Select to display the template name and creation
date as a prefix to the subject. If the subject field is otherwise empty, the report data is
displayed as the subject.
• Include report - Select to include the actual report in the email.
• Format - From the drop-down list, select the format in which the report is to be delivered
(only if you chose to include the report with the email).
• Acrobat (PDF) file
• CSV (comma-delimited) file
• Excel (xls)
• Excel (xlsx)
• TIFF file
• Web archive
• XML
• Include link - Select to include a link to the report's location on the IDU server.

Note: The Include link option may be hidden by configuration.

• Priority - From the drop-down list, select the relevant delivery priority.
• Comment - Type a free-text comment in the field as necessary.
4. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports by Email to Selected Recipients

The Report Server Email (Data-Driven) option enables you to filter report contents according to the
recipient's owned objects.

For several reports, you can define subscriptions that include the data of both data owners
and their subordinates. This hierarchical subscription means managers can view information
regarding all the data for which they are ultimately responsible, without the need to be data
owners themselves.

To send the report only to selected owners (users or groups; for groups, first-level members
receive the email):

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server Email (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Selected Recipients.

The Recipients box is displayed, providing the following information:


• Owner Name - The name of the data or group owner that is selected to receive the report.
• Ownership Types - The types of entities for which the owner is responsible.
• Include Subordinates Data - Select to include the data owned by all the owner's
subordinates in the report. (This option is only visible in reports supporting hierarchical
subscriptions.)
4. Next to the Recipients box, click Add.
The Directory Services Search dialog box is displayed.
5. Clear the Show only data owners option (which is selected by default) to restrict the search
results to only data owners, and exclude their managers (who may not own data).

Note: This option is only visible in reports supporting hierarchical subscriptions.

6. Add recipients as necessary. Select users and/or groups that are defined as resource/domain
custodians.
7. Set the required email settings:
• Subject - Type the subject line of the report.
• Display report data in the subject field - Select to display the template name and creation
date as a prefix to the subject. If the subject field is otherwise empty, the report data is
displayed as the subject.
• Include report - Select to include the actual report in the email.
• Format - From the drop-down list, select the format in which the report is to be delivered
(only if you chose to include the report with the email).
• Acrobat (PDF) file
• CSV (comma-delimited) file
• Excel (xls)
• Excel (xlsx)
• TIFF file
• Web archive
• XML
• Include link - Select to include a link to the report's location on the IDU server.

Note: The Include link option may be hidden by configuration.

• Priority - From the drop-down list, select the relevant delivery priority.
• Comment - Type a free-text comment in the field as necessary.
8. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports by Email to Recipients Selected by Rules

The Report Server Email (Data-Driven) option enables you to filter report contents according to the
recipient's owned objects.

To select report recipients according to a rule you define:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server Email (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Recipients by rule.
4. From the AD Property dialog box, select the property by which the recipients are identified:
• Display Name
• SAM Account Name
• Email
5. In the Equals field, enter the actual recipients. Use a semicolon (;) to separate values.

6. Set the required email settings:


• Subject - Type the subject line of the report.
• Display report data in the subject field - Select to display the template name and creation
date as a prefix to the subject. If the subject field is otherwise empty, the report data is
displayed as the subject.
• Include report - Select to include the actual report in the email.
• Format - From the drop-down list, select the format in which the report is to be delivered
(only if you chose to include the report with the email).
• Acrobat (PDF) file
• CSV (comma-delimited) file
• Excel (xls)
• Excel (xlsx)
• TIFF file
• Web archive
• XML
• Include link - Select to include a link to the report's location on the IDU server.

Note: The Include link option may be hidden by configuration.

• Priority - From the drop-down list, select the relevant delivery priority.
• Comment - Type a free-text comment in the field as necessary.
7. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports by Email to All Owners

The Report Server Email (Data-Driven) option enables you to filter report contents according to the
recipient's owned objects.

To send a data-driven report by email to all entity owners:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server Email (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose All owners. Each owner will receive a portion of the report that corresponds to his
managed objects.
4. Set the required email settings:
• Subject - Type the subject line of the report.
• Display report data in the subject field - Select to display the template name and creation
date as a prefix to the subject. If the subject field is otherwise empty, the report data is
displayed as the subject.
• Include report - Select to include the actual report in the email.
• Format - From the drop-down list, select the format in which the report is to be delivered
(only if you chose to include the report with the email).
• Acrobat (PDF) file
• CSV (comma-delimited) file
• Excel (xls)
• Excel (xlsx)
• TIFF file
• Web archive
• XML
• Include link - Select to include a link to the report's location on the IDU server.

Note: The Include link option may be hidden by configuration.

• Priority - From the drop-down list, select the relevant delivery priority.
• Comment - Type a free-text comment in the field as necessary.
5. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

About Data-Driven Reports for File Shares

The Report Server File Share (Data-Driven) option enables you to send a report subscription to a
file system share according to the specified recipients' owned objects. With this option, a folder
is created in the destination folder for each recipient and a copy of the report that contains only
information relevant to that recipient is placed in the folder.

The folders are named according to the SAM account to ensure their uniqueness. They are
granted Read permissions for the relevant owner, and inherit permissions from the selected
destination folder. Each time the subscription is run, a new copy of the report is generated with a
name that includes the date on which it was generated.
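
Because the per-recipient folders inherit permissions from the destination folder, any broad read access on that folder carries into every owner's report folder. The following PowerShell audit is an added example, not part of the Varonis guide or product; the share path and the list of expected principals are placeholder assumptions to replace with your own values.

```powershell
# Added example, not Varonis code: lists who besides the owner can read each
# per-recipient report folder created by a data-driven file share subscription.
param(
    # Assumption: placeholder UNC path of the subscription's destination folder.
    [string]$Destination = '\\fileserver.example\Reports\Owners',
    # Assumption: principals you expect on every folder; adjust to your environment.
    [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Rights that allow reading file contents: ReadData, plus the GENERIC_ALL
# (0x10000000) and GENERIC_READ (0x80000000) bits that Get-Acl can report unmapped.
$ReadBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
            0x10000000 -bor [int]::MinValue

function Get-ReportFolderExposure {
    param([string]$Path, [string[]]$Expected)

    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        # The guide states that folders are named after the owner's SAM account,
        # so the owner's ACE is the one whose identity ends in \<folder name>.
        $ownerSuffix = '\' + $dir.Name

        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            # Only Allow entries that include a read right are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $ReadBits) -eq 0) { continue }

            $id = $ace.IdentityReference.Value
            $isOwner = $id.EndsWith($ownerSuffix, [StringComparison]::OrdinalIgnoreCase)
            if ($isOwner -or ($Expected -icontains $id)) { continue }

            # Anything left is a non-owner principal that can read this owner's reports.
            [pscustomobject]@{
                Folder    = $dir.Name
                Principal = $id
                Rights    = $ace.FileSystemRights
                # True: inherited from the parent chain (the destination folder or above).
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-ReportFolderExposure -Path $Destination -Expected $Expected |
    Sort-Object Folder, Principal |
    Format-Table -AutoSize
```

Rows with Inherited set to True point at the destination folder's own ACL as the place to tighten access.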

Sending Reports to File Shares

The Report Server File Share option enables you to send a report subscription to a file system
share.

To send a report to a file share:

1. From the Delivered by drop-down list, select Report Server File Share.
2. Select the Always send this report, even if empty option as required.
3. Set the following parameters:
• File Name - Type the name of the file containing the report.
• Add a file extension when the file is created - Select this option to determine the type of
file in which the report is saved.
• Path - Click the Browse button to select the path on which the report resides.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 -
For all subscriptions, two files are created:
• One small file in the specified render format, containing a 10-row random sampling
of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix of
_full.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0
• If the report results exceed the maximum number of rows (configured in the
Management Console):
• A small file is created in the specified render format, containing a 10-row random
sampling of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix
of _full.
• If the report results do not exceed the maximum number of rows, only a single file
is created and saved to the share path, containing the complete report results. This
file is in the specified render format.
• Render Format - From the drop-down list, select the format in which the report is to be
delivered. Options are:
• Credentials used to access the file share - Enter the user name and password required to
access the file share on which the report resides.
• Overwrite options - Select the relevant option:
• Overwrite an existing file with a newer version
• Do not overwrite the file if a previous version exists
• Increment file names as newer versions are added (according to the default SQL
reporting naming conventions)
4. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports to File Shares for Selected Recipients

The Report Server File Share (Data-Driven) option enables you to filter report contents according
to the recipient's owned objects.

For several reports, you can define subscriptions that include the data of both data owners
and their subordinates. This hierarchical subscription means managers can view information
regarding all the data for which they are ultimately responsible, without the need to be data
owners themselves.

To send a data-driven report to a file share for selected recipients:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Selected recipients.
The Recipients box is displayed, providing the following information:
• Owner Name - The name of the data or group owner that is selected to receive the report.
• Ownership Types - The types of entities for which the owner is responsible.
• Include Subordinates Data - Select to include the data owned by all the owner's
subordinates in the report. (This option is only visible in reports supporting hierarchical
subscriptions.)
4. Next to the Recipients box, click Add.
The Directory Services Search dialog box is displayed.


5. Clear the Show only data owners option (which is selected by default) to restrict the search
results to only data owners, and exclude their managers (who may not own data).

Note: This option is only visible in reports supporting hierarchical subscriptions.

6. Add recipients as necessary.


7. Set the following parameters:
• File Name - Type the name of the file containing the report.
• Path - Click the Browse button to select the path on which the report resides. Within this
path, a folder is created for each specified recipient. A copy of the report that contains
only information relevant to that recipient is placed in the folder.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 -
For all subscriptions, two files are created:
• One small file in the specified render format, containing a 10-row random sampling
of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix of
_full.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0
• If the report results exceed the maximum number of rows (configured in the
Management Console):
• A small file is created in the specified render format, containing a 10-row random
sampling of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix
of _full.
• If the report results do not exceed the maximum number of rows, only a single file
is created and saved to the share path, containing the complete report results. This
file is in the specified render format.
• Render Format - From the drop-down list, select the format in which the report is to be
delivered. Options are:
• Credentials used to access the file share - Enter the user name and password required to
access the file share on which the report resides.
8. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports to File Shares for Recipients Selected by Rules

To send a data-driven report to a file share for recipients selected by rules:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Recipients by rule.
4. Set the following parameters:
• AD Property - From the drop-down list, select the property by which the recipients are
identified:
• Display Name
• SAM Account Name
• Email
• Equals - Enter the actual recipients in this field. Use a semicolon (;) to separate values.
• File Name - Type the name of the file containing the report.
• Add a file extension when the file is created - Select this option to determine the type of
file in which the report is saved.
• Add timestamp (date and time) to the file name - Select this option to add the date and
time at which the report was generated to the file name.
• Path - Click the Browse button to select the path on which the report resides. Within this
path, a folder is created for each specified recipient. A copy of the report that contains
only information relevant to that recipient is placed in the folder.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 -
For all subscriptions, two files are created:
• One small file in the specified render format, containing a 10-row random sampling
of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix of
_full.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0
• If the report results exceed the maximum number of rows (configured in the
Management Console):
• A small file is created in the specified render format, containing a 10-row random
sampling of the report results. It is named as specified in the subscription.
• A CSV file is created, containing the entire report output. The full file has a suffix
of _full.
• If the report results do not exceed the maximum number of rows, only a single file
is created and saved to the share path, containing the complete report results. This
file is in the specified render format.
• Render Format - From the drop-down list, select the format in which the report is to be
delivered. Options are:
• Credentials used to access the file share - Enter the user name and password required to
access the file share on which the report resides.
5. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports to File Shares for All Owners

Selecting All owners automatically sends subscriptions to all the owners defined in DatAdvantage.
Owners receive only the relevant sections of the report, based on their managed objects.

To send a data-driven report to a file share for all owners:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose All owners.
4. Set the following parameters:
• File Name - Type the name of the file containing the report.
• Add a file extension when the file is created - Select this option to determine the type of
file in which the report is saved.
• Add timestamp (date and time) to the file name - Select this option to add the date and
time at which the report was generated to the file name.
• Path - Click the Browse button to select the path on which the report resides. Within this
path, a folder is created for each specified recipient. A copy of the report that contains
only information relevant to that recipient is placed in the folder.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 -
For all subscriptions, two files are created:
  • One small file in the specified render format, containing a 10-row random sampling
    of the report results. It is named as specified in the subscription.
  • A CSV file is created, containing the entire report output. The full file has a suffix of
    _full.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
  • If the report results exceed the maximum number of rows (configured in the
    Management Console):
    • A small file is created in the specified render format, containing a 10-row random
      sampling of the report results. It is named as specified in the subscription.
    • A CSV file is created, containing the entire report output. The full file has a suffix
      of _full.
  • If the report results do not exceed the maximum number of rows, only a single file
    is created and saved to the share path, containing the complete report results. This
    file is in the specified render format.
• Render Format - From the drop-down list, select the format in which the report is to be
delivered. Options are:
• Credentials used to access the file share - Enter the user name and password required to
access the file share on which the report resides.
5. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Sending Data-Driven Reports to File Shares for Owners with Limited Visibility

Due to security constraints, some owners may not be allowed to view the entire file system.
Owners with such limited visibility can only create file system subscriptions for their personal use.
They can also send data-driven subscriptions by email to other owners.

To create a data-driven report on a file share as a limited owner:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do
not provide activity information to group owners or domain custodians option is selected on
the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Set the following parameters:
• File Name - Type the name of the file containing the report.
• Add a file extension when the file is created - Select this option to determine the type of
file in which the report is saved.
• Add timestamp (date and time) to the file name - Select this option to add the date and
time at which the report was generated to the file name.

• Path - Click the Browse button to select the path on which the report resides. Within this
path, a folder is created for each specified recipient. A copy of the report that contains
only information relevant to that recipient is placed in the folder.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 -
For all subscriptions, two files are created:
  • One small file in the specified render format, containing a 10-row random sampling
    of the report results. It is named as specified in the subscription.
  • A CSV file is created, containing the entire report output. The full file has a suffix of
    _full.
• If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
  • If the report results exceed the maximum number of rows (configured in the
    Management Console):
    • A small file is created in the specified render format, containing a 10-row random
      sampling of the report results. It is named as specified in the subscription.
    • A CSV file is created, containing the entire report output. The full file has a suffix
      of _full.
  • If the report results do not exceed the maximum number of rows, only a single file
    is created and saved to the share path, containing the complete report results. This
    file is in the specified render format.
• Render Format - From the drop-down list, select the format in which the report is to be
delivered. Options are:
• Credentials used to access the file share - Enter the user name and password required to
access the file share on which the report resides.
4. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Filter Configuration Tab


1. On the Filter Configuration tab, configure the filters you require for the report subscription.
Note that you can set filters for Active Directory properties that have been defined in the
system. For complete instructions on setting filters, see Advanced Searching.
2. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Scheduler Tab

1. On the Scheduler tab, set the following parameters:


• Time Interval - From the drop-down list, select the interval at which the report is to be sent.
This selection determines the content of the following area.
• Schedule - In this area, configure the frequency at which the report is sent.
• Start Time - Use the arrows to select the time at which the report is sent.
• Start Date - From the drop-down list, select the date on which delivery of the report is to
begin.
• Stop this schedule on - Select this option to set an ending date for delivery of the report.
• End Date - From the drop-down list, select the date on which delivery of the report is to
end.
2. Click OK to close the subscription form, or click another tab to continue defining the
subscription.

Managing Your Subscriptions


The My Subscriptions pane provides the following information about your subscriptions:
• Type - Indicates whether the subscription is regular or data-driven (that is, reflects the
recipient's owned objects)
• Name - The name you gave the subscription
• Scheduler - The schedule by which the subscription is generated and delivered
• Subscription Owner - The person who defined the subscription (for enterprise managers only,
who can see all the subscriptions in the system)
• Description - The free-text description of the subscription
• Last Run - The time at which the subscription was last generated
• Status - The status of the subscription's last run

To manage your report subscriptions:

1. In the Reports view, select the My Subscriptions pane. Your subscriptions are displayed in
table form, one row per subscription (if you are an enterprise manager, the table displays all
the subscriptions that have been defined in the system).

2. To add or edit a subscription:


a. Click Add or Edit, as required.
b. Define the subscription as necessary.
3. To remove a subscription, select its row and click Remove.
4. To view execution history, select the relevant row and click Execution History.
• For data-driven reports, this button enables viewing historical data per run time for the
subscription, including an indication of whether each recipient read the report.
• The number of executions can be set per owner.
• Older executions are deleted from the history.
