Impersonation

Owned by Andrea Harvey
Last updated: Jun 23, 2022
3 min read

Impersonation allows a site admin access to all the folders on the platform, including those that belong to other users.  A connection can be created using the username and password of the site admin. This then allows a data source to be created to access a different user’s account without ever having the username or password of that user. This is done by enabling the Run as user option when creating a data source to assign to a policy. When enabled, the Choose a user list displays all the available accounts on the connection available for impersonation. Simply select the account you want to impersonate.

Impersonating Read-Only or Disabled User

When you select to use impersonation when setting up a data source, you can select from any user that displays in the list; however, selecting a read-only or disabled user may cause your scan not to perform as expected.

In this situation, you have several options:

  • Select a different user: Depending on what you need the scan to do, you may need to select a different user. Read-only access is sufficient for scanning and classifying content, but most actions will fail for read-only users. While Approval, Email, and Remediate actions will work for a read-only user, all other actions (Apply Metadata, Delete, MIP Label, Modify Permissions, Move, Remove Permissions, or Remove Shared Links) will fail since they require edit rights. For some platforms, you can’t create a data source using a disabled user because access to the account and content is restricted.

  • Update the user within the platform: Someone may be able to log into the platform and update the user.

  • Continue with the selected user: The scan may perform properly with the selected user. You can attempt to continue with the selected user.

Note that different platforms treat read-only and disabled users differently. As noted above, read-only access is sufficient for scanning and classifying content, but if a policy uses an action that requires editing content (Apply Metadata, Delete, MIP Label, Modify Permissions, Move, Remove Permissions, or Remove Shared Links), the action will fail since a read-only user account doesn’t have sufficient access to complete the action.

Below is an example of scan results for a Box data source set up to impersonate a read-only user. The policy contains a tracking group that uses the Move action when content is classified as part of this tracking group. Note that the scan succeeded and that a tracking group was successfully assigned. However, the action failed since the account doesn't have sufficient access to move content as required by the action set for the tracking group.

 

Some platforms won’t allow you to impersonate disabled users. On Box, for example, you can’t create a data source for a disabled user because the user’s directories will not load in the location picker since access to the account is restricted.

 

DryvIQ Govern Version: 5.9.2
Release Date: December 17, 2024