Filters and overviews
Following the network scan, the database may be used to carry out search queries. Permission Analyzer offers an extensive set of filters for you to obtain specific information. The search results are shown as a tree structure or table of directories and files. An aggregated list of privileges is shown for each directory or file, as the search results may contain privileges of multiple users or groups. You can zoom in on the aggregated privileges using the Trace options at the bottom of the result window. The filters are divided into three categories, namely Members, Permissions and Folders. Each category can be found as a tab on the left of the outline.
Filter for users and groups
The simplest filter displays the permission privileges for a specific group or user (hereafter to be referred to as member). The filter takes into account the nested group membership of the selected member.
It is possible to select a group from which all members are included or excluded in the overview. Simply add a specific group or LDAP OU in the All members from group or OU section. This will allow you to monitor whether someone from a specific group has too many permission privileges in certain folders.
In addition to including members in searches, you are also able to exclude one or more members from searches, e.g. by excluding everyone from the Domain Admins group.
Filter for permission privileges
All permission privileges are automatically shown for each search. However, a filter can be created to include or exclude certain privileges from a search. The filter overview distinguishes between Windows simple permissions, special permissions, and permissions that allow or deny something.
When filtering permission privileges you can indicate whether a member should have all privileges or at least one of those you have selected. The former can be used to filter for members with specific permissions (such as FULL), while the latter can be used to display a series of permissions.
If necessary, configure the filter to only display explicit permissions.
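The member and permission filters described above, modeled as an added example (this is not Permission Analyzer's own code). The group names, paths, ACL entries and the `expand` and `search` helpers are constructed for illustration, and matching is assumed to happen per ACL entry.

```python
from dataclasses import dataclass

# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {"Domain Admins": {"alice"},
          "Finance": {"bob", "Finance-Temps"},
          "Finance-Temps": {"carol"}}

@dataclass(frozen=True)
class Ace:
    path: str
    trustee: str            # user or group named in the ACL entry
    rights: frozenset       # simple permissions, e.g. READ, WRITE, FULL
    allow: bool = True      # False models a 'deny' entry
    inherited: bool = False # False means explicitly set on this path

ACES = [  # constructed ACL entries
    Ace(r"\\fs\finance", "Finance", frozenset({"READ", "WRITE"})),
    Ace(r"\\fs\finance", "Domain Admins", frozenset({"FULL"})),
    Ace(r"\\fs\finance\payroll", "Finance", frozenset({"READ", "WRITE"}), inherited=True),
    Ace(r"\\fs\finance\payroll", "carol", frozenset({"FULL"})),
    Ace(r"\\fs\finance\payroll", "Finance-Temps", frozenset({"WRITE"}), allow=False),
]

def expand(name, seen=None):
    """Users behind a trustee: the user itself, or all nested group members."""
    if name not in GROUPS:
        return {name}
    seen = set() if seen is None else seen
    if name in seen:        # guard against circular group nesting
        return set()
    seen.add(name)
    return set().union(*(expand(m, seen) for m in GROUPS[name]))

def search(aces, include_group=None, exclude_group=None,
           rights=(), match_all=True, explicit_only=False):
    """Return (path, trustee, matching users, allow) for ACEs passing every filter."""
    wanted = set(rights)
    excluded = expand(exclude_group) if exclude_group else set()
    hits = []
    for ace in aces:
        users = expand(ace.trustee) - excluded
        if include_group:
            users &= expand(include_group)
        if not users or (explicit_only and ace.inherited):
            continue
        # match_all: ACE must carry every selected right; otherwise at least one
        if wanted and not (wanted <= ace.rights if match_all else wanted & ace.rights):
            continue
        hits.append((ace.path, ace.trustee, sorted(users), ace.allow))
    return hits
```

Calling `search(ACES, include_group="Finance", exclude_group="Domain Admins", rights={"FULL"}, explicit_only=True)` surfaces only the explicit FULL grant to a nested Finance member, which is the "too many privileges" case the member filter is meant to expose.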
Filter for directories and files
Search results can be scoped to exclude certain directories or files. Adding a directory will automatically include all subdirectories and files. You will also be able to search for the name of a file or directory using a wildcard.
Tip: To retrieve a directory or file in the main window, use the Quick File Search box.
A set of filters can be saved as a Selection, making a large number of frequently used filters easily retrievable and usable. A selection will bundle filters of the same type (members, permissions or folders). The total number of filters for an overview can be saved as a Report. Filters can be modified by clicking Run and can be reset by clicking Reset in the toolbar.
Overview of permissions
After applying the filters, all retrieved permissions will be shown in a tree structure, grouped in directories and files. The toolbar also contains an option to have results displayed in a table rather than a tree structure. Each item contains a label with the relevant permission and a number of columns showing which special permissions apply. Because each row is a sum of all retrieved permissions, these may be the permissions of various members. The background color of the permissions indicates whether a permission was granted directly or inherited from a folder above: white for implicit ‘allow’ permissions, green for explicit ‘allow’ permissions, light red for implicit ‘deny’ permissions and dark red for explicit ‘deny’ permissions.
Tip: Each directory within the search results can be exported to an HTML report or CSV file by opening the context menu with the right mouse button. Directories can also be opened directly with Windows Explorer.
There are four tabs at the bottom of the search result screen: one which allows you to zoom in on a directory to review which permissions and members have been found including their effective and inherited permissions, one that provides details on the Access Control List of the directory selected, one that shows the provenance of permissions for a particular member and another tab which allows you to retrieve all users and groups from the overview including all their explicit permissions. For more details see the Modifying permissions and Tracing permissions features.
Tip: drag tabs to a second screen or to another location within the application to view both tabs simultaneously.
The folder tree should make it clear at a glance where the unwanted rights are and which rights are granted explicitly. The tree shows all rights per directory. Initially these will mainly be FULL rights of the Administrators, but as more filters are applied, the tree will show the purposeful rights. The icon for the directory indicates which access right it involves. The icons to the right of the directories indicate which special rights apply to the directory (a summation of all Access Control Entries on the directory that match the filter criteria). The background color indicates whether these special rights are inherited from a parent folder (white background), or directly assigned to the directory (green background). A red background indicates a ‘Deny’ right.
Press the green info icon in the toolbar to quickly get an overview of icons.