Description

How to track Permission Changes to a share or path in DataInsight

Issue

Permission change events are tied to _DI_PERMCHG_DUMMY_USER_ and do not show a real user

WorkAround

In order to know which user may have done the permission changes, do the following :

Open DI Console > Workspace Tab > Select Data > Select the path for which the permission change event has occurred

Move to the Audit Logs tab > Filter with only "Permission Change" and "Security" audit events.

Then look for Security events around the Permission change event. The user with a security event just before the permission change event is most probably the one who has made the change.

For instance : In the example below, "Test Admin" is the user who may have changed the permissions on the dept folder.

NOTE : There could be more than one user with security events before the permission change event. In this case all of those users may have done permission changes. But the effective permissions on the share or path would be from the user who changed it last.

Reason

The reason DataInsight does it this way is because the storage systems do not provide us all information in one single security event. For example, DataInsight gets a security event that contains the following information :

WHO did the permission change
WHEN he/she did it
WHICH folder was affected

We do not get information on WHAT changed in the permissions from the above security event.

This information is gleaned separately by our scanner which scans those affected folders and brings back new permissions. It then creates a diff with the current permission set and stores information about "what" has changed from the last scan.

Now note that while it is doing this ( i.e. in between two scans ) some other person may go in and change the permissions again before DataInsight gets to scan it. Also note that there could be multiple users doing permission changes on the same path in between two successive scans.

This is the reason we say DataInsight can tell you who may have done permission changes. DataInsight can't tie the difference in permission to a single security event (and in turn to a user). 

This is the reason, DI shows user as _DI_PERMCHG_DUMMY_USER_

Note:  There is a way to determine what information triggered the PERMCHG Event.  Simply click the little icon under the "Other Info" Figure1 column and a pop-up window will display the "Permissions Change Details" Figure2.  The Audit log can also be exported to a .csv file and view via a Text Editor such as Notepad Figure3.

Figure1

Figure2

Figure3