A reviewer is unable to see events in the iConsole where the events use a Data at Rest policy, even though the groups and permissions appear to be correct.
A user set up as an Administrator account (no RLS) can see all events, including events using the Data at Rest policy, but the reviewer is unable to see them all.
Is RLS (Row Level Security) applied to events that use the Data at Rest policy for the reviewer?
The issue is the type of security model set up for the reviewer.
The Administrator account has no RLS applied: its security model is 'Unrestricted', so it can run a review in the iConsole that is not restricted by RLS and can therefore review all Data at Rest file movement recorded when a policy fires.
The reviewer in question has the default management group security model, which can be seen in the Admin console under Tools > Manage Security Models.
Because the Data at Rest policy is not user (RLS) based, the reviewer in this case also needs access to the 'Policy model' in order to see Data at Rest policy violations/events. See the user properties for the type of security model applied to that reviewer.
It is common to apply a hybrid approach here, so that the reviewer has access to events raised by policy as well as to events assigned by group management.
However, if the reviewer is only required to see the Data at Rest policy events, only the Policy model is required.
To explain further why the logic works this way: a user may have access to a machine that they are copying a file to, but the recipient machine may not be user based, since the file is open to anyone logging on to that machine. It would therefore be incorrect to record the file movement as a transfer to another user, so only the machine name is captured.
The computer name is stored in the wgn3address table from where the Scan job was applied.
This name cannot be mapped in the Admin console to any user or reviewer, so the associated events cannot be viewed with the management security model.
To resolve this issue, the reviewer needs to be mapped to the Policy model. Please see the Admin guide and the iConsole guide for setting up a reviewer to see events by policy.
To use both the managed group and the Policy model, a hybrid model is required.
In order to set up the hybrid user account.
Note: a DBA may be required to create the hybrid user and schema in order to progress.
The initial setup was to see All Policies; since the current data already had data classes set, the reviewer could successfully see the required events.
It is possible to create additional classes of events, which can then be added to a refined policy role.
Note: when testing, the new data classes will not appear in the events until the events are triggered again (a fresh run and usage are required).