User Groups
System Predefined Groups
DDC has different kinds of users with different responsibilities in administering and using the system. A number of predefined groups are included to ensure that users are granted the minimal permissions needed to perform their tasks, while keeping enough flexibility to meet security requirements across industries.
The table below lists all predefined groups with their rights to use various DDC features. R/W in a cell means that the user has view and edit rights to this aspect of the product. R means that the user has only view rights.
[1] Admins can see their own and other users' reports. Admins can also decrypt scan packages from the Hadoop database.
[2] DDC Admins can only see their own reports.
[3] DDC Report Admins can only see their own reports.
[4] DDC Full Report Admins can only see their own reports.
[5] The difference between Report Admins and Full Report Admins is that Full Report Admins do not need access to specific user defined groups to be able to view or generate reports that use data stores restricted to user defined groups. For more information, see "User Defined Groups" below.
[6] Scan Viewers are allowed to run scans.
[7] Can view the list of the agents, and activate or deactivate the "Local Storage Only" option.
[8] Can view the list of the agents, but are not allowed to activate or deactivate the "Local Storage Only" option.
[9] DDC Store Viewers, DDC Store Admins, and DDC L3 Support do not have access to custom infotypes.
The users belonging to the "L3 Support" group are Data Discovery and Classification Support Administrators. These users can help identify and troubleshoot issues you may encounter when using DDC. They can also decrypt scan packages from the Hadoop database.
User Defined Groups
Apart from system predefined groups, CipherTrust Manager also allows you to create User Defined Groups. User defined groups can be used to prevent certain users from viewing sensitive information in reports. These groups are defined by the Application Administrators; refer to Managing User Defined Groups for further information. In DDC, they apply when you create a data store: in the Data Store creation wizard, you grant access to selected groups. For details, see the ACCESS: Selected group/s setting in the "Tags & Access Control" section of any data store in Discovering Sensitive Information.
In other words, a data store that is restricted to a specific user defined group is visible to all the groups with permissions to see data stores. The same goes for scans. However, a user who lacks access to a data store that is restricted to a group, but who has permission to create and generate reports, will not be able to generate reports for that data store. For this user, the scan executions will not be visible in the New Report wizard.
Note
The only users that do not have to belong to a specific user defined group to be able to see reports for all the data stores are Full Report Admins and Admins.
For example, if a user created a report that includes the data store "DS1", but that data store is restricted to a specific group, the user will see the report template, but on trying to access the report will get an "insufficient permissions" error.
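The report rule described above can be checked during an access review with a small model. This is an added example, not DDC or CipherTrust Manager code: the user names, the "Finance" group, and the `can_report` and `review` helpers are hypothetical. It assumes that the groups the footnotes describe as having their own reports are the ones allowed to create reports.

```python
# Added illustration: models the report rule described on this page; not a DDC API.
BYPASS_GROUPS = {"Admins", "DDC Full Report Admins"}  # exempt per the Note
# Assumption: the groups the footnotes describe as having reports of their own.
REPORT_GROUPS = BYPASS_GROUPS | {"DDC Admins", "DDC Report Admins"}


def can_report(user_groups, store_groups):
    """True if a user can generate reports on a data store.

    store_groups is the set of user defined groups the data store is
    restricted to; an empty set means the data store is unrestricted.
    """
    groups = set(user_groups)
    if not groups & REPORT_GROUPS:
        return False                      # no report permission at all
    if not store_groups:
        return True                       # unrestricted data store
    if groups & BYPASS_GROUPS:
        return True                       # Admins / Full Report Admins
    return bool(groups & set(store_groups))


def review(users, stores):
    """For each data store, split report-capable users into allowed and denied.

    Denied users are the ones who would hit "insufficient permissions".
    """
    result = {}
    for store, restricted_to in stores.items():
        capable = [u for u, g in users.items() if set(g) & REPORT_GROUPS]
        allowed = sorted(u for u in capable if can_report(users[u], restricted_to))
        denied = sorted(u for u in capable if u not in allowed)
        result[store] = {"allowed": allowed, "denied": denied}
    return result


# Constructed sample data (hypothetical users and user defined group).
USERS = {
    "alice": {"DDC Report Admins", "Finance"},
    "bob": {"DDC Report Admins"},
    "carol": {"DDC Full Report Admins"},
    "dave": {"DDC Store Viewers"},
}
STORES = {"DS1": {"Finance"}, "DS2": set()}

if __name__ == "__main__":
    for store, r in review(USERS, STORES).items():
        print(store, "allowed:", r["allowed"], "denied:", r["denied"])
```
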