Permission Analyzer has two key functions: network scanning and overview creation. During a scan, all required information is stored in a local database. This has two major advantages: the network is not burdened every time an overview is run, and overview results are available within seconds. The database contains the Access Control List of each folder (or file), group and user data from LDAP, such as usernames, and data on (nested) group relations. In addition, Permission Analyzer supports a range of external databases, allowing data to be centralized and shared between multiple workstations. See the chapter on External Database.
Configuring LDAP connections
Permission Analyzer automatically detects your domain and Active Directory connection and asks for a username and password to read information from the AD. Open the application preferences to add further LDAP connections, such as additional domain controllers or a global catalog. Permission Analyzer supports several authentication mechanisms: simple bind with username and password, Digest-MD5, CRAM-MD5 and Kerberos. For the transport you can choose between plain LDAP, SSL/TLS (LDAPS) and STARTTLS. Note that a simple bind over plain LDAP sends the password in cleartext, so use SSL/TLS or STARTTLS (or Kerberos) on any network you do not fully trust.
The default connection uses a bind user to read information from the Active Directory. The application asks for the username and password when a scan starts; these can be saved, encrypted, in the application preferences. See Data protection for details on securing the data and the preferences.
Adding directories and LDAP OUs
For each directory you can set a depth limit (the number of subdirectory levels to scan) and choose whether files are scanned and whether the local groups on the server hosting the directory are scanned. LDAP OUs can likewise be given a depth limit and restricted to scanning users and/or groups. Permission Analyzer always ensures that a complete picture of nested group data is available by evaluating the member and memberOf attributes of every user or group; as a result, the scan may extend beyond the selected OU.
Note: because a universal group can have members from domains other than the one in which the group object is stored, and can be used to grant access to resources in any domain, only a global catalog server is guaranteed to hold all universal group memberships required for authentication. Conversely, the global catalog stores the membership (the member attribute) of universal groups only; the membership of other groups must be read at the domain level. Therefore, where applicable, add both your domain controllers and your global catalog to obtain a complete overview of group memberships. Permission Analyzer ensures that no duplicate memberships are stored.
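The following is an added illustration of the nested-membership logic described above; it is example code, not Permission Analyzer's own implementation. It merges the member and memberOf links returned by a domain controller and by a global catalog into one edge set (so a membership reported by both servers is stored once) and then walks the nesting transitively. All DNs, OUs and group names are constructed, as are the two dictionaries that stand in for LDAP search results; fetching the real entries with an LDAP client is outside the scope of the example.

```python
"""Transitive (nested) group membership from 'member' and 'memberOf'.

Added example, not Permission Analyzer's own code.  DC_CORP and GC below
are constructed stand-ins for what a domain controller and a global catalog
would return; every DN in them is made up.
"""
from collections import deque

BASE = "DC=corp,DC=example"
ALICE = f"CN=alice,OU=Sales,{BASE}"
SALES = f"CN=Sales Staff,OU=Groups,{BASE}"            # global group
ALL_STAFF = f"CN=All Staff,OU=Groups,{BASE}"          # global group
READERS = "CN=Enterprise Readers,OU=Groups,DC=hq,DC=example"  # universal group, other domain

# Constructed: the corp domain controller knows its own groups and their
# nesting, but nothing about the universal group stored in the hq domain.
DC_CORP = {
    ALICE: {"memberOf": [SALES]},
    SALES: {"member": [ALICE], "memberOf": [ALL_STAFF]},
    ALL_STAFF: {"member": [SALES]},
}

# Constructed: the global catalog carries the member attribute of the
# universal group only; the global groups appear without member lists, and
# alice's memberOf back link duplicates what the DC already reported.
GC = {
    ALICE: {"memberOf": [SALES]},
    SALES: {},
    ALL_STAFF: {},
    READERS: {"member": [ALL_STAFF]},
}


def member_edges(entries):
    """Return the set of (member_dn, group_dn) edges found in one LDAP source.

    Both directions are consulted: 'member' on the group (forward link) and
    'memberOf' on the member (back link).  Either one alone may be incomplete
    on a given server, so the union is taken.  Using a set of tuples means the
    same relation seen twice is kept once.
    """
    edges = set()
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            edges.add((m, dn))
        for g in attrs.get("memberOf", []):
            edges.add((dn, g))
    return edges


def nested_groups(principal_dn, *sources):
    """All groups principal_dn belongs to, directly or through nesting.

    sources are entry dicts from different servers (e.g. a domain controller
    and a global catalog).  Their edges are merged into one set, so a
    membership reported by both servers is stored only once, and the visited
    set stops circular nesting (A in B, B in A) from looping forever.
    """
    edges = set().union(*(member_edges(s) for s in sources))
    parents = {}
    for m, g in edges:
        parents.setdefault(m, set()).add(g)

    seen = {principal_dn}
    queue = deque([principal_dn])
    while queue:
        dn = queue.popleft()
        for g in parents.get(dn, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen - {principal_dn}


if __name__ == "__main__":
    print("DC only:   ", sorted(nested_groups(ALICE, DC_CORP)))
    print("DC + GC:   ", sorted(nested_groups(ALICE, DC_CORP, GC)))
    print("edges kept:", len(member_edges(DC_CORP) | member_edges(GC)))
```

Run against the domain controller alone, alice is resolved into Sales Staff and All Staff but the universal group Enterprise Readers is missed; adding the global catalog as a second source completes the chain, and the duplicated alice-to-Sales-Staff link is counted once. The same merge-then-walk approach is why a scan can reach objects outside the OU you selected.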
When a scan is started, Permission Analyzer refreshes the database with the current data from the network. You can also choose to refresh only the directories or only the LDAP OUs: in the former case the user and group data in the database are left unchanged, in the latter the directory data. Only items that are checked are scanned.
A scan can also be started unattended by launching the application with the scan parameter; the application then performs a scan with the current configuration and closes afterwards. To scan only LDAP or only directories, use the -scanLDAP or -scanDirectories parameter instead.
The results of the last scan can be reviewed in the status list or in the Last_status_messages.csv file in the application directory.