

FSA Run As User

This is the account that a scanning job runs as. You specify the FSA Run As user when you schedule a scanning job using the Job Definition wizard or when you log on to Windows before running a scanning job from a command line.

Choosing the Run As user

Important! When a scheduled scanning job is running, it is essential that nobody logs on to the target machine using the same account as the FSA!

If a user and the FSA are logged on to the same machine, at the same time, and using the same Windows user account, this can adversely affect the scanning job. The job may terminate prematurely or it may even fail to respond to attempts to terminate it manually.

For this reason, you must be careful when choosing the Run As user for a scheduled scanning job. Specifically, if you want jobs to run as your FSA limited access user or FSA full access user, we recommend that these users are bespoke accounts created for exclusive use by the FSA. Do not choose a Run As user that corresponds to a real user account if there is any possibility that this user will be logged on to the target machine while a scheduled scanning job runs.

Avoid this situation! The classic mistake is when a network administrator schedules a scanning job and enters their own domain account as the Run As user (because they know that they have access to all the required scan locations). While performing an unrelated task, they subsequently log on to the target machine while the scan is in progress, causing the scan to fail.
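
One way to check after the fact whether this happened, as an added example that is not part of the product documentation: the Python below searches exported Windows Security log events (4624 logon, 4634/4647 logoff) for interactive sessions by the Run As account that overlap a scan window. The CSV layout, account names, logon IDs and times are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Windows logon types that mean a person holds a desktop session:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# A scheduled job itself logs on as type 4 (Batch) and is ignored.
INTERACTIVE_TYPES = {"2", "10", "11"}
LOGON, LOGOFF = "4624", {"4634", "4647"}

# Constructed sample: a Security log export reduced to five columns.
# Account names, logon IDs and times are invented for illustration.
SAMPLE_CSV = r"""time,event_id,account,logon_type,logon_id
2024-03-04T01:00:02,4624,CORP\svc-fsa-full,4,0x1a01
2024-03-04T01:20:15,4624,CORP\jsmith,10,0x1b07
2024-03-04T01:35:40,4624,CORP\svc-fsa-full,10,0x1c33
2024-03-04T01:50:05,4634,CORP\svc-fsa-full,10,0x1c33
2024-03-04T03:10:00,4624,CORP\svc-fsa-full,2,0x1d90
"""

def interactive_conflicts(csv_text, run_as, scan_start, scan_end):
    """Return (logon, logoff) pairs where run_as held an interactive
    session overlapping the scan window; logoff is None if still open."""
    sessions = {}  # logon_id -> [logon_time, logoff_time or None]
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() != run_as.lower():
            continue
        when = datetime.fromisoformat(row["time"])
        if row["event_id"] == LOGON and row["logon_type"] in INTERACTIVE_TYPES:
            sessions[row["logon_id"]] = [when, None]
        elif row["event_id"] in LOGOFF and row["logon_id"] in sessions:
            sessions[row["logon_id"]][1] = when
    return [
        (start, end) for start, end in sessions.values()
        if start < scan_end and (end is None or end > scan_start)
    ]

if __name__ == "__main__":
    window = (datetime(2024, 3, 4, 1, 0), datetime(2024, 3, 4, 2, 30))
    for start, end in interactive_conflicts(SAMPLE_CSV, r"CORP\svc-fsa-full", *window):
        print(f"interactive session during scan: {start} -> {end or 'still open'}")
```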

Types of Run As user

There are two types of FSA Run As user, reflecting their different purposes:

'Limited Access' FSA Run As User

You can use the FSA to test whether sensitive documents stored on your network are accessible to unauthorized users. To do this, you set up a scanning job to run as a user with limited access to sensitive network locations. This is your 'limited access FSA Run As user'. In effect, the limited access user is a proxy for your ordinary network users.

'Full Access' FSA Run As User

You can use the FSA to scan the content of files stored on your network to determine if sensitive information is stored in the correct location or to identify files or documents with unauthorized content. (Indeed, this is often regarded as the 'classic' use for the FSA.) To do this, the FSA must be able to access remote file systems and delete files when instructed to do so as a result of policy processing. Specifically, the FSA must run as a domain user with permission to delete and copy files on any machines that you want to scan. This user is your 'full access FSA Run As user'.

Requirements for Run As user

If you want to scan:

Microsoft Exchange Public Folders

When scanning Exchange public folders, the FSA Run As user requires:

The FSA also requires a default e-mail application compatible with Microsoft Exchange, such as Microsoft Outlook.

Microsoft SharePoint

When scanning a SharePoint site, the FSA Run As user must be a domain user with:

For full details, see the Stored Data Integration Guide; search for 'FSA user accounts'.