Before data owners can begin managing permissions to their data via HelloID, you must first create a Data Share Configuration and assign them as managers. The following article will guide you through doing this, using a shared folder for the accounting department as an example.
For instructions on how data owners interact with the Data Share module, see the end user guide.
Create a Data Share Configuration
You can create different data share configurations and configure different user rights per configuration.
On the Data Share overview, click Create DataShare Configuration to get started. This will bring up the DataShare Configuration wizard.
On the General tab, you are presented with several fields. Fill them out appropriately, and click Next.
The display name of the data share configuration, shown in the Data Share overview.
The description of the data share configuration, shown in the Data Share overview.
- Agent Pool
The Agent Pool responsible for file system operations in the designated file share.
Note: The HelloID Agents in this pool must be able to create folders and modify permissions inside of the designated file share. Depending on your choices later on in the wizard, they may also need permissions to create and modify groups in Active Directory. Learn more about HelloID Agents here.
The specific HelloID users who will manage the data share via the HelloID End User Dashboard.
On the Directories tab, you may specify one or more directories that will be included in this Data Share Configuration. These directories will be displayed by their alias to the managers of this data share (specified in the General tab).
Note: Although local paths are accepted, it is best practice to specify a UNC path to a file share. If the Agent Pool you specified contains multiple agents, not every agent will necessarily have access to the same local path, which results in unexpected behavior.
1. Specify the UNC path to the desired shared folder.
2. Specify an alias that will be displayed to end users.
3. Click the Add Folder button.
4. Repeat steps 1-3 as necessary.
The Options tab allows you to modify the default behavior of the Data Share Configuration.
- Allow manage permission on base directory
Enabling this option allows data share managers to add and remove permissions on the top-level directory of the specified file share.
- Allow user reports
Enabling this option sends a user report to the email address specified in the next option.
- Report receiver email address
This is the email address to which reports about incorrect user rights are sent.
- Max depth
This option regulates the number of folder levels that the data owner may manage. A level of "1" allows the data owner to create and manage directories underneath the base directory only.
- Allow block inheritance
Enabling this option will block permission inheritance on all folders that data owners create underneath the base directory. Each created folder will have its own unique access control list.
- Default right to parents
When this option is enabled, any sub folders that a data owner creates will cause HelloID to add a default permission to the parent. For example, you may want to automatically add "Read" permissions to the parent folder whenever someone is granted permissions on a child folder. You may specify the exact permissions by clicking on the Set Permissions button that appears.
- Allow mark for archive
Enabling this option allows data owners to mark a folder for archiving. Marking a folder for archiving creates a new group with the specified permissions, and all accounts that had access are placed in that archive group. Enabling this option also adds the Convention and Archive tabs to the wizard. To use this feature, you must enable Allow block inheritance.
The Rights tab allows you to specify one or more rights that data owners are able to grant to end users. For example, you may add rights for "Read Only" and "Write" that data owners are able to hand out as necessary.
Click the Add Right button to get started. A new section appears for the creation of a new right.
The Settings section allows you to define the name of the new right, along with whether or not a new Active Directory group will be created to handle the assignment of the right.
The name of the right that you are creating. E.g., "Read" or "Write". Limited to 10 characters.
- Create group if not exists
Enable this option to have HelloID create the permission group in Active Directory if it does not already exist. The group will be created when a user is added to the permission. Enabling this option will add the Convention tab to the wizard.
Set the appropriate group permissions (e.g., Read and Execute) by clicking the Set Permissions button.
This option is only shown if you choose to have HelloID create a permission group. By default, the abbreviation value is appended to the group's name in Active Directory for the purpose of identification. Its usage may be configured in the Convention tab.
The Detection Method of a right tells HelloID how to identify a permission group for a particular right. This allows HelloID to add and remove users from the correct permission group, as well as display its current right members to the data owner. Multiple detection methods may be used for a single right.
Detection methods contain a regular expression and a set of permissions. In order to be detected, a group's name in Active Directory must match the regular expression, and it must also be assigned the defined permissions on one or more of the shared folders specified in the Directories tab.
Click Add rule to get started.
- Regular Expression
The supplied regular expression evaluates groups in the access control list (ACL) by their name. For example, entering the word "test" will look for all groups in the ACL whose name contains the word "test".
Note: Regular expressions (RegEx) are a very valuable and very flexible tool. Documenting regular expressions is a vast subject and is beyond the scope of this website. For more information, we recommend looking at RegEx.info.
Click Set permissions to define the permission levels that HelloID looks for on the shared folders defined in the Directories tab. For example, a read-only group may have the "Read and Execute" permission.
Click Validate to check whether your rule is detecting the correct permission group. In the example below, we look for a group that starts with the word "HelloID_" and ends with "_R", and also has the "Read and Execute" permission. HelloID then looks at the target file share to find a matching group.
In this case, HelloID found a group that we manually created and assigned to the Accounting folder. Now, when the data owner assigns this right, target users will be added to this group.
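To illustrate how a detection rule pairs a group-name regular expression with a required permission, here is an added example (not HelloID's own code) that applies the rule from the Validate step above to a constructed set of ACL entries. The share paths, group names and rights are made up for the example; it also shows why anchoring the regular expression matters, since an unanchored pattern can pull in a group that was never created by HelloID.

```python
import re
from dataclasses import dataclass

# Constructed sample: ACL entries per shared directory, as (group name, set of rights).
# Paths and group names are invented for this example, not taken from a real share.
SAMPLE_ACLS = {
    r"\\fileserver\shares\Accounting": [
        ("HelloID_Accounting_R", {"Read and Execute"}),
        ("HelloID_Accounting_RW", {"Modify"}),
        ("Domain Admins", {"Full Control"}),
        ("Legacy_Reports_R", {"Read and Execute"}),  # ends in "_R" but is not a HelloID group
    ],
    r"\\fileserver\shares\Accounting\Archive": [
        ("HelloID_Accounting_Archive", {"Read and Execute"}),
    ],
}


@dataclass(frozen=True)
class DetectionRule:
    pattern: str        # regular expression evaluated against the group name in the ACL
    rights: frozenset   # every right listed here must be present on the group's ACE


def detect_groups(rule, acls):
    """Return the sorted group names that match the rule on at least one directory.

    A group is detected only if its name matches the regex (search semantics, so
    "test" matches any name containing "test") AND the ACE for that group on one
    of the shared folders carries all of the rule's required rights.
    """
    regex = re.compile(rule.pattern)
    found = set()
    for _path, entries in acls.items():
        for group, rights in entries:
            if regex.search(group) and rule.rights <= rights:
                found.add(group)
    return sorted(found)


# The rule from the page's example: starts with "HelloID_", ends with "_R", Read and Execute.
STRICT_RULE = DetectionRule(r"^HelloID_.*_R$", frozenset({"Read and Execute"}))
# An unanchored rule: also detects the unrelated "Legacy_Reports_R" group.
LOOSE_RULE = DetectionRule(r"_R", frozenset({"Read and Execute"}))

if __name__ == "__main__":
    print("strict rule detects:", detect_groups(STRICT_RULE, SAMPLE_ACLS))
    print("loose rule detects: ", detect_groups(LOOSE_RULE, SAMPLE_ACLS))
```

Running the two rules side by side shows the strict pattern returning only the intended group, while the loose one would let a data owner unknowingly add users to a group HelloID never created.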
Add as many rights as you desire, and click Next to continue.
The Convention tab allows you to specify where and how new permission groups are created in Active Directory. On this tab, you are presented with the following fields:
- Group OU
Select which Organizational Unit in Active Directory will house the newly-created permission groups for this Data Share Configuration.
- Group Prefix
Specify the string that will prefix all permission group names.
- Autoincrement duplicates
Enabling this option causes HelloID to append a unique number to any new group name that conflicts with a permission group that already exists in Active Directory.
Specify the naming convention for new permission group names. You may add, remove, and rearrange the variables that make up the naming convention. You may also add static text.
The Archive tab is very similar to the Rights tab. Here, you specify the name and abbreviation of the archive permission (e.g., "Archive"), as well as the detection method that HelloID will use to find and assign the group's memberships.
When you are finished, click Save to create your new Data Share Configuration.