Searching Member Access
The Search Member Access tab on the Roles & Member Sources screen enables you to check effective permissions for a user. This can be done if a user is assigned a role and that role is linked to policies. It provides additional information about effective permissions for a user on data elements mapped in policies. It will also show permissions for each policy and the final permission when multiple policies are connected to the datastore.
Note: Ensure that the policies are deployed to view the permissions.
The tab provides two options for viewing effective permissions:
- Simple view: Shows the final permission granted to a user on data elements mapped in policies. This consolidated view is ideal for quickly understanding the user’s overall access.
- Advanced view: Shows a detailed breakdown of permissions. It displays both the final effective permission and the individual permissions granted by each policy.
For example, a policy user can be associated with multiple roles, each configured with distinct Data Element permissions. The table below illustrates that role R1 is directly linked to Data Element DE1 across Policies P1, P2, and P3. These policies are deployed to the same data store. As a result, role R1 inherits a combined set of permissions, forming an effective policy that merges all applicable role permissions for DE1.
Table: Policy Structure in the ESA
| Policy | Role | User | Data Element | Permission |
| --- | --- | --- | --- | --- |
| P1 | R1 | U1 | DE1 | Protect (P) |
| P2 | R1 | U1 | DE1 | Unprotect (U) |
| P3 | R1 | U1 | DE1 | Reprotect (R) |

The following table lists the effective permissions after deploying the policies to the same datastore.

| User | Data Element | Effective Permissions |
| --- | --- | --- |
| U1 | DE1 | P, U, R |

In the context of the policy structure and effective permissions, the Simple view presents the final, effective permissions a user has on a data element, regardless of how those permissions were granted. This tells us that User U1 has the ability to Protect, Unprotect, and Reprotect data in DE1, without showing how those permissions were assigned.
The Advanced View breaks down the underlying policy structure, showing how permissions are granted through roles and policies. It’s useful for auditing, debugging, or understanding permission inheritance. This shows that:
- Role R1 is assigned to User U1.
- R1 is granted different permissions on DE1 across three policies (P1, P2, P3).
- When these policies are deployed to the same data store, the permissions are merged, resulting in the effective permissions shown in the Simple view.
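The merge described above can be reproduced offline when auditing a list of policy assignments. The following Python example is added here and is not ESA code or an ESA API; the row layout, the names DS1, DS2, P4, P5, R2 and DE2, and the deployed flag are assumptions made for illustration, and merging is modelled as a plain union of permissions from deployed policies on the same data store.

```python
from collections import defaultdict

ORDER = "PUR"  # Protect, Unprotect, Reprotect, in the order the page lists them

def row(policy, role, user, element, perm, datastore="DS1", deployed=True):
    return dict(policy=policy, role=role, user=user, element=element,
                perm=perm, datastore=datastore, deployed=deployed)

# Constructed sample data: the first three rows mirror the policy structure
# table; the last two (hypothetical) rows exercise the edge cases.
ROWS = [
    row("P1", "R1", "U1", "DE1", "P"),
    row("P2", "R1", "U1", "DE1", "U"),
    row("P3", "R1", "U1", "DE1", "R"),
    row("P4", "R1", "U1", "DE1", "U", datastore="DS2"),  # other data store
    row("P5", "R2", "U1", "DE2", "U", deployed=False),   # not deployed
]

def advanced_view(rows):
    """Per (datastore, user, element): permissions granted by each (policy, role)."""
    view = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if r["deployed"]:  # assumption: undeployed policies contribute nothing
            key = (r["datastore"], r["user"], r["element"])
            view[key][(r["policy"], r["role"])].add(r["perm"])
    return view

def simple_view(rows):
    """Final effective permissions: union of all per-policy grants for the key."""
    out = {}
    for key, by_policy in advanced_view(rows).items():
        merged = set().union(*by_policy.values())
        out[key] = sorted(merged, key=ORDER.index)
    return out

def merge_only_access(rows):
    """Keys whose effective set is larger than what any single policy grants."""
    adv, simple = advanced_view(rows), simple_view(rows)
    return sorted(k for k in simple
                  if all(len(p) < len(simple[k]) for p in adv[k].values()))

if __name__ == "__main__":
    for key, perms in simple_view(ROWS).items():
        print(key, ", ".join(perms))
    print("review:", merge_only_access(ROWS))
```

The merge_only_access list is the part worth reviewing in an audit: it names the user and data element pairs whose combined access no single policy grants on its own.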
To search member access:
1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Search Member Access.
2. Enter the search criteria in the Member Name textbox.
3. Click the Search icon.
   The search results appear with the search member name, associated data store, member status, and view member permissions information.
   Note: If multiple users have the same search member name, only the first 10 results will be displayed. For example, the search member name “test” will return results for the provided name, with variations like “test”, “testuser”, and so on. The search will display the first 10 matching results.
   To avoid this, use an exact username instead of a common name for the search member name.
4. In the View Member Permissions column, click the View Member Permissions icon. The Permissions dialog box appears.
   Note: The Permissions dialog box displays information in the Simple View mode. It shows the member access set on Data Elements for the associated Data Store. It is displayed after policies and role permissions have been merged. You will also see how data is returned in the Output column.
5. Click the Advanced View button. The Permissions dialog box appears in the Advanced View mode.
   Note: This mode includes a Role column that displays permissions derived from merged policies connected to the Data Store. It also includes a Policy [Role] column, showing the permission set for a role on a specific policy.