|
What is Permission Analyzer?
Permission Analyzer reports NTFS permissions from the file system combined with user and group data from the Active Directory. All data is stored in a local or remote database and can be utilized to create overviews of permissions based on many filter criteria. You will be able to monitor permissions for entire user groups and receive notifications if undesired permissions are found within your network.
Specialized in Data Access Governance
Find out what NTFS permissions are currently in your network. Create filters and utilize the embedded or remote database for quick overviews. Use different views to zoom in on the results and to trace permissions for a particular user.
Filter for user segments
Define segments for your users by adding filters for AD group, LDAP OU or a custom set of users or groups and save them as Selection. Use your selections in reports and policies to check for unwanted permissions, including the nested group memberships of every member in your selection!
Validate your security design
Save your filters as policies and receive e-mail notifications if your policy report contains unwanted permissions. Schedule these policies and validate your security rules, instead of getting notified by every change in your network!
Main Features
Scanning the NTFS file systems and Active Directory
Configure the directories, network shares or just a server name and the LDAP Organizational Units to scan. All directory information and group memberships from Active Directory are saved in a local database file. Run the scan whenever you like or schedule an automated scan. Permission Analyzer supports an external database, allowing multiple workstations to share the same information source.
Viewing server permissions and applying filters
All information is saved in a database, allowing you to conduct targeted search queries in seconds, instead of scanning the whole network every time you want to apply a new filter. Add filters for specific members, all members of a group or LDAP OU, permissions or folders. Save your filters as selection and use them to find unwanted permissions for a whole group of employees in one overview! Permission Analyzer includes the nested group memberships of every member in your selection.
Tracing user and group permissions
The main overview provides an aggregated summary of all server permissions found and may contain the permissions of multiple users or groups. The application offers different views on the search results, like the effective permissions per user/group, the plain ACL information like Windows Explorer, the origin of permissions for a specific user or group (via which group membership or parent folder they have been inherited), and a view of all the matching users/groups that have been found including their (possible unwanted) permissions. Use these views to zoom in on your search results.
Auditing server permissions
Open the audit dashboard to view statistics about the permissions found in the network. The dashboard contains charts for three different categories, 'Users and groups', 'Permissions' and 'Folder and files'. They show usefull information like a top 25 of users with the most explicit permissions or the balance between different permissions in the network.
Creating HTML and CSV exports and security audit policies
Save your filters as report and export them to HTML or CSV and e-mail. Use Permission Analyzer to run reports automatically using command-line parameters. Save your filters as audit policies and receive e-mail notifications if your policy report contains unwanted permissions.
Modifying server permissions
Quickly modify server permissions from within the application. At the bottom of the search result screen is a tab that allows you to review and modify the Access Control List (ACL) of the selected directory or file. The ACL view corresponds to the Security tab in Windows' file properties. You will be able to only show Access Control Entries (ACE) that meet the filter criteria by ticking the checkbox 'Apply filter on ACL list'. The ACL view toolbar contains a button to directly modify the selected ACE on the file system. Permission Analyzer uses the same Windows mechanisms as the Security tab. When modifying permission through Permission Analyzer, information in the database is updated immediately.
Inspecting nested group memberships
You will be able to request the details of a member or group at various points throughout the application: in the ACL view, Trace view, Member filters or search window for member selection. The member dialogue window shows both memberOf data as well as the members in the case of a group. In both cases nested memberships will also be shown.
Thid-party integrations
Permission Analyzer comes with an embedded H2 database, but you can choose to use a central database to share scanned information, filters and reports between installations of Permission Analyzer or to run your own queries on the database. Permission Analyzer supports Oracle, DB2, MS SQL, MySQL, PostgreSQL, Derby and H2 out of the box.
PowerShell is a native Microsoft scripting solution, which allows you to scan the ACL's of directories and files. Permission Analyzer can import the export result of a PowerShell script into the database.
Licensing model
Permission Analyzer's licensing model operates on an installation basis and consists of a number of editions based on company size, varying in the features they offer. Each installation of Permission Analyzer will require a separate license. The number of users and groups per edition will constitute the maximum number to be scanned by Permission Analyzer. These numbers are the sum of the unique members found in the Access Control Lists on the file system and the LDAP Organizational Units you select to determine (nested) group membership. This does not necessarily have to encompass the entire domain, but can be limited to certain OUs. Only those members and groups will then be available to the application, supplemented by the members attributed to a directory directly.
Licenses will be valid for 1 year and automatically entitle the purchaser to tech support and updates. The Licensing model is a subscription-based, not a perpetual license. A license can be moved three times by deactivating an active license and reactivating it on a new device. The Consultant edition is intended to allow use of Permission Analyzer at a variety of clients within a short period of time. In that case, one license can be used on several devices, though never at the same time. This may be useful for security audits where a consultant will install Permission Analyzer within a client's domain and deactivate the license after completing the assignment.
Permission Analyzer's trial version is limited to 2 root directories (unlimited depth of sub directories), 3 member filters and the export to HTML/CSV is limited to a depth of 3 sub directories.
Comparison
Basic |
Standard |
Enterprise |
Consultant |
Scan Agent (5) |
Unlimited directories |
Unlimited directories |
Unlimited directories |
Unlimited directories |
Unlimited directories |
1 file server (1) |
5 file servers (1) |
Unlimited file servers |
Unlimited file servers |
1 file server |
Scan 500 AD users |
Scan 3000 AD users |
Scan unlimited users |
Scan unlimited users |
Scan unlimited users |
Scan 100 AD groups |
Scan 1000 AD groups |
Scan unlimited groups |
Scan unlimited groups |
Scan unlimited groups |
- |
Database encryption (2) |
Database encryption (2) |
Database encryption (2) |
Database encryption (2) |
- |
- |
External DB support (3) |
External DB support (3) |
External DB support (3) |
3 license moves (4) |
3 license moves (4) |
3 license moves (4) |
200 license moves (4) |
3 license moves (4) |
(1) The number of servers that are scanned on directories, files and local groups. This does not relate to the number of domain controllers.
(2) Encryption is only supported for the local H2 databases supplied with the edition. Please consult the product documentation for information on encryption of other (external) databases.
(3) You will be able to use any database with a JDBC interface. Permission Analyzer automatically supports Oracle, DB2, MS SQL, MySQL, PostgreSQL, Derby and H2. Also see Externe Database.
(4) A license can be deactivated within the application and can subsequently be reactivated on another device. You will be able to carry this out 3 times. The Consultant Edition can be moved 200 times and can also be used to have a temporarily license operate for multiple clients. A license must always be deactivated first before a new activation can be initiated.
(5) A Scan Agent can be used to scan your file server(s) locally and to store the results in a central database. Note that a Scan Agent has no Report View, it can only be used to scan the file system and works together with one of the other editions.
| 
