Understanding ACL Synchronization in Veritas Alta SaaS Protection

Article: 100049997
Last Published: 2023-04-10
Product(s): Veritas Alta SaaS Protection

Description

There are two types of access control lists (ACL) maintained by Veritas Alta SaaS Protection for use in its authorization layer: Source ACL and Sharing ACL.
  1. The Source ACL is discovered during the archive’s collection process. As content is archived, the ACL information is analyzed and captured in Veritas Alta SaaS Protection.
  2. The Sharing ACL consists of additional access rights granted through the optional sharing feature of Veritas Alta SaaS Protection. For instance, a Sharing ACL record is generated whenever a user generates a sharing link to an item or folder from the Veritas Alta SaaS Protection User Portal.

Veritas Alta SaaS Protection maintains both sets of ACL information on all items and folders. During ingestion, ACLs are fully expanded and Veritas Alta SaaS Protection attempts to resolve the SID of each ACL member to a principal object (user identity or group) from the latest directory synchronization.

By maintaining a mapping of the ACL members of folders and items to actual identities, Veritas Alta SaaS Protection delivers low-level identity-awareness in the context of eDiscovery (e.g. custodian search) and policies that leverage custodian and/or data owner clauses.

This ACL mapping also serves end-user access to data through the Veritas Alta SaaS Protection User Portal.

Here is a closer look at the ACL synchronization process during ingestion:

  1. Connectors scrape item and folder ACLs from data sources.
  2. Connectors pass ACL information to the Veritas Alta SaaS Protection Connector Service (HCS).
  3. Via a Web App (not shown), the HCS passes ACL information, which is recorded as ‘Source ACLs’ and resolved to identities.
  4. The Veritas Alta SaaS Protection Database maintains ‘Source ACLs’ and any additional ‘Sharing ACLs’ created from sharing.
  5. Both types of ACL information are updated in the search index as part of any indexing task.

Before digging deeper into how Veritas Alta SaaS Protection synchronizes ACLs into the index for search security, let's first explore Veritas Alta SaaS Protection's concept of shadow users.

Shadow Users

Not all ACL members found on data that is ingested will resolve to an identity in the directory. This may occur because the SID in the ACL points to a user that:
  1. is external to your organization;
  2. is no longer present in the directory;
  3. or has yet to show up through the directory synchronization process.

In this case, Veritas Alta SaaS Protection creates shadow profiles (called shadow users), to which it resolves the SID / ACL member. This provides the following advantages:

  1. If the identity later shows up in directory synchronization, Veritas Alta SaaS Protection will automatically reconcile the user with the data they have access to;
  2. If the user is external or no longer with the company, the shadow user profiles serve as an object that can be used for data governance and eDiscovery purposes. They can be targeted in searches and policies.
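
The following is an added conceptual model of the resolution and reconciliation behavior described above, not code from Veritas Alta SaaS Protection. The class, method and field names, the sample SIDs and paths, and the treatment of effective access as the union of Source ACL and Sharing ACL are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AclStore:
    names: dict = field(default_factory=dict)        # SID -> identity from directory sync
    shadows: set = field(default_factory=set)        # SIDs held by shadow users
    source_acl: dict = field(default_factory=dict)   # item -> SIDs captured at the source
    sharing_acl: dict = field(default_factory=dict)  # item -> SIDs added through sharing

    def sync_directory(self, directory):
        """Apply a directory sync; return SIDs whose shadow user was reconciled."""
        reconciled = self.shadows & set(directory)
        self.shadows -= reconciled
        self.names.update(directory)
        return sorted(reconciled)

    def resolve(self, sid):
        """Resolve a SID, creating a shadow user when no identity matches."""
        if sid not in self.names:
            self.shadows.add(sid)
        return sid

    def ingest(self, item, expanded_sids):
        """Record the fully expanded Source ACL captured for an item."""
        self.source_acl[item] = {self.resolve(s) for s in expanded_sids}

    def share(self, item, sid):
        """Record a Sharing ACL entry, as when a sharing link is generated."""
        self.sharing_acl.setdefault(item, set()).add(self.resolve(sid))

    def items_for(self, sid):
        """Assumption: effective access is the union of both ACL types."""
        acls = (self.source_acl, self.sharing_acl)
        return sorted({i for acl in acls for i, sids in acl.items() if sid in sids})

    def shadow_exposure(self):
        """Audit view: items reachable by SIDs with no directory identity."""
        return {sid: self.items_for(sid) for sid in sorted(self.shadows)}

def demo():
    store = AclStore()
    store.sync_directory({"S-1-5-21-1-1001": "alice"})   # constructed SIDs and names
    store.ingest("/hr/plan.docx", ["S-1-5-21-1-1001", "S-1-5-21-1-1002"])
    store.share("/hr/plan.docx", "S-1-5-21-9-5000")
    before = store.shadow_exposure()
    reconciled = store.sync_directory({"S-1-5-21-1-1002": "bob"})
    return before, reconciled, store.shadow_exposure()
```

In this model, the SID that later appears in the directory keeps its recorded access after reconciliation, while the external SID remains a shadow user that can still be listed for review.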

ACL Sync and Search Security

If your Veritas Alta SaaS Protection subscription has a search cluster provisioned, then it is important to note that Veritas Alta SaaS Protection also synchronizes ACLs into the search index for security trimming of search results.

For more information on Veritas Alta SaaS Protection ACL synchronization into the search index, see Security trimming of Veritas Alta SaaS Protection search results.
