Access Governance V2 (Activity Logging)

Overview

Access Governance V2 extends the existing Access Governance capabilities by introducing Activity Logging and Stale File Detection. This enhancement captures real-time user activities across supported data sources and provides comprehensive insights into file usage patterns, enabling organizations to optimize storage, improve security posture, and maintain compliance through data-driven access decisions.

Data Collection and Policy Activation Timeline

Stale File Policy Evaluation Logic

The stale file detection system includes built-in safeguards to prevent false positive alerts during the initial data collection period.

Minimum Data Requirement: Stale file policies require a complete 90-day activity data collection period before triggering any alerts. This prevents the system from incorrectly flagging active files as stale during the initial monitoring setup.

Progressive Accuracy: During the first 90 days after enabling activity logging, the system focuses on data collection rather than policy evaluation. For example, if only 10 days of activity data are available, the policy remains dormant to avoid marking recently accessed files as stale.

Evaluation Activation: Once the system confirms it has captured 90+ days of complete activity logs across all monitored data sources, the stale file policy automatically begins its daily evaluation cycle.

Backend Validation: The system continuously validates data completeness before each policy run, ensuring that alerts are generated only when sufficient historical context is available.

Activity Data Granularity: All user activities are aggregated into one-hour time blocks for storage efficiency and performance optimization. Individual file interactions within each hour are summarized rather than stored as discrete events.

Key Features

  • Real-time Activity Tracking: Capture and monitor user file interactions (read, write, delete operations) across data sources

  • Stale File Detection: Automatically identify files not accessed within configurable timeframes

  • Enhanced User Analytics: Hourly activity summaries with drill-down capabilities

  • Cross-User File Activity: View all user activities for specific files with timestamps

  • Automated Policy Management: Auto-generated stale file policies with dynamic updates

  • Historical Data Analysis: Maintain activity history for comprehensive policy evaluation

Prerequisites and Requirements

Existing Requirements

  • Access Governance must already be onboarded and configured for your organization

  • All standard Access Governance permissions and configurations remain unchanged

Additional V2 Requirements

Azure Portal Permission

Access Governance V2 requires one additional permission in your Azure portal configuration:

Permission: ActivityFeed.Read

Configuration Steps:

  1. Navigate to Azure Portal → App Registrations

  2. Select the application used for Access Governance integration

  3. Go to API Permissions → Add Permission

  4. Add ActivityFeed.Read permission

  5. Grant admin consent for the permission

Note: This permission can be added to the existing application credentials used for Access Governance - no separate application registration required.

Feature Flag Configuration

Access Governance V2 operates under a backend feature flag managed by the CST (Customer Success Team):

  • Flag Name: actual_access

  • Default State: false (disabled)

  • Management: Controlled by CST team during deployment

  • Activation: Contact your CST representative to enable V2 features for your environment

Supported Data Sources

Access Governance V2 currently supports the following data sources:

Data Source    Status          Version
OneDrive       ✅ Available    3.2+
SharePoint     ✅ Available    3.2+

Note: All supported data sources follow identical configuration flows and UI interfaces. Additional data sources may be added in future releases.

Viewing through Access Governance:

Configuration and Setup

For New Access Governance Deployments

  1. Navigate to Directory Services

    • Access Path: Governance → Access Governance → Directory Services

    • Click on the specific directory to edit.

  2. Enable Activity Logging

    • Locate the "Enable/Disable" toggle for audit logs

    • Toggle "Enable" to activate activity logging

  3. Automatic Synchronization

    • Users and groups will sync automatically (standard Access Governance process)

    • Activity logging begins immediately after enablement

Complete User Activity Analysis Workflow

Step 1: Access User Management

  • Navigate to Governance → Access Governance

  • Select Users from the left navigation panel

  • Browse departments or search for specific users

Step 2: Select Target User

  • Click on the desired user from the user list

  • Or search for a user using the Search bar

Step 3: Access Activity Log

  • Click the new "Activity Log" tab in the user profile

  • View hourly activity summaries across all connected data sources

  • Activity Log Columns:

    • Datasource: Indicates the source of the activity, such as OneDrive, SharePoint, or SMB.

    • Read Count: The total number of read operations recorded during the specified time interval.

    • Write Count: The total number of write operations recorded during the specified time interval.

    • Delete Count: The total number of delete operations recorded during the specified time interval.

    • Objects Count: The total number of unique objects (e.g., files, folders) accessed during the specified time interval.

    • Start Time: The timestamp for the beginning of the one-hour aggregation interval for the recorded activity.

The Activity Log interface allows users to filter and refine the displayed activity records based on multiple criteria, such as data source and date range. This enables efficient investigation of specific events.

  • Filter by Data Source:

    • To isolate activities from a specific platform, click the Data Sources filter.

    • A dialog appears, presenting a list of available sources.

    • Select the desired source (e.g., lb-sharepoint) and click Apply.

  • The Activity Log table refreshes to show only the records from the selected data source. The filter control updates to indicate that one filter is active.

  • Add a Date Filter:

    • To further narrow the results, click the Date filter.

    • This action reveals a calendar widget that provides options for predefined periods (e.g., Last 7 Days, Last 30 Days) or allows for the selection of a Custom Date Range.

After a date range is selected, the system applies the second filter. The Activity Log now displays a highly specific list of entries that meet both the data source and date range criteria. The filter bar updates to show the total number of active filters (e.g., All filters (2/2)).

Step 4: Navigate to Object-Level Activity Analysis

  • From the filtered list, click on any specific datasource

  • This will display a list of objects

  • Click on any specific object name. For example, mortgage_application_felicia_granger.pdf

  • System opens the Object Viewer for the selected file

  • Navigate to the "Accessible" tab within the object viewer

  • Within the Accessible tab, locate the "Recent Activity" tab

  • Click "Recent Activity" to view cross-user file activity

Cross-User Activity View Features:

  • User Column: Shows all users who have accessed the file

  • Access Type Column: Displays operation type with color coding:

    • Read: Purple/pink badge for read operations

    • Write: Blue badge for write operations

    • Delete: Additional badge type for delete operations (when applicable)

  • Date & Time Column: Precise timestamps for each user interaction

  • Activity Count: Shows total activity logs (e.g., "1-3 Of 3 Activity Log(S)")

Alternative Navigation: Viewing Object Activity from a Datasource

In addition to using the main Activity Log, users can investigate file activity by starting from a specific data source. This path is useful for analyzing all objects and their interactions within a single, selected source.

The workflow is as follows:

  • From the main navigation bar at the top of the page, select Datasources.

  • From the list of available connections, select the data source you wish to investigate (e.g., lb-sharepoint or lb-onedrive).

  • In the left-hand sidebar menu for the selected data source, navigate to the Objects page, located under the Governance section.

  • The Objects page categorizes files based on their access levels. Select the appropriate tab to browse the desired list of objects, such as All Objects, Open Access, or Excessive Access.

  • Locate and select the target file from the list.

This action opens the Object Viewer, a detailed pane dedicated to that specific file.

  • Within the Object Viewer, navigate to the Accessible tab and then select the Recent Activity sub-tab.

The view will now display a log of all recent user interactions specifically associated with the selected file.

Stale File Policy

The Stale File Policy is a data lifecycle management feature designed to identify files that have not been accessed for a specified period. This allows organizations to automate data cleanup, reduce storage costs, and minimize their security attack surface by archiving, deleting, or reviewing inactive data.

Example Scenario: A file flagged as stale on Day 91 of monitoring will automatically disappear from stale file alerts if accessed on Day 92, demonstrating the system's responsive policy management.
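
A minimal model of the evaluation logic described on this page (the 90-day collection gate, one-hour aggregation, and the threshold comparison from the Example Scenario), added here as an illustration; it is not LightBeam's code. All function and field names, the sample events, and the rule that an object with no recorded activity counts as last accessed when logging began are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WARMUP = timedelta(days=90)  # minimum collection period stated on this page

@dataclass
class HourBucket:
    # Field names are assumptions modelled on the Activity Log columns.
    reads: int = 0
    writes: int = 0
    deletes: int = 0

def aggregate(events):
    """Summarise (object_id, timestamp, op) events into one-hour blocks."""
    buckets = defaultdict(HourBucket)
    for object_id, ts, op in events:
        start = ts.replace(minute=0, second=0, microsecond=0)
        bucket = buckets[(object_id, start)]
        setattr(bucket, op + "s", getattr(bucket, op + "s") + 1)
    return dict(buckets)

def last_access(buckets):
    """Latest hour block with any activity, per object."""
    latest = {}
    for object_id, start in buckets:
        if object_id not in latest or start > latest[object_id]:
            latest[object_id] = start
    return latest

def evaluate(buckets, inventory, enabled_at, now, threshold):
    """Return None while the policy is dormant, else sorted stale object ids."""
    if now - enabled_at < WARMUP:
        return None  # under 90 days of history: collect data, raise no alerts
    cutoff = now - threshold
    latest = last_access(buckets)
    # Assumption: an object with no recorded activity was last touched no
    # later than the moment logging was enabled.
    return sorted(o for o in inventory if latest.get(o, enabled_at) < cutoff)

# Constructed sample data: logging enabled on day 0, 60-day threshold.
DAY0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
THRESHOLD = timedelta(days=60)
INVENTORY = ["a.pdf", "b.xlsx", "c.docx"]

def day(n, hour=0, minute=0):
    return DAY0 + timedelta(days=n, hours=hour, minutes=minute)

EVENTS = [("a.pdf", day(5, 9, 5), "read"), ("a.pdf", day(5, 9, 40), "read"),
          ("b.xlsx", day(85, 14), "write")]

def run(as_of_day, extra=()):
    buckets = aggregate(EVENTS + list(extra))
    return evaluate(buckets, INVENTORY, DAY0, day(as_of_day), THRESHOLD)
```

With this sample data, run(10) returns None because the policy is still dormant, run(91) flags a.pdf and c.docx, and a read of a.pdf on day 92 removes it from the next run.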

Stale File Policy Management

This section outlines how to access and configure the Stale File Policy rule sets.

Accessing Stale File Policies

  • Navigate to the Playbooks module from the main navigation menu. The dashboard displays various policy categories.

  • In the DATA LIFECYCLE section, locate and select the Stale Files policy card.

Clicking the card opens the policy detail page, which provides a description and a list of all existing rule sets organized by data source (e.g., Stale Files - lb-smb).

Editing an Existing Stale File Policy

To modify a policy, follow the steps below to open the policy editor.

  • On the policy detail page, locate the target rule set in the list (e.g., Stale Files - lb-onedrive).

  • Click the ellipsis icon (⋯) in the Actions column corresponding to that rule set.

  • Select Edit from the dropdown menu to launch the multi-step policy editor.

Step 1: Configure Rule Set Criteria

  • Policy Details

    • Policy Type: The policy type is fixed as Data Lifecycle: Stale Files and cannot be changed.

    • Rule Set Name: The policy name is fixed as Stale Files: lb-onedrive and cannot be changed.

    • Rule Set Description: You can edit this field as required to provide a description for the rule set.

    • Retention Details:

      • Stale File Criteria: This defines the primary condition. The configuration "Consider a file stale if it has not been" is paired with the following options:

        • Access Type: Select "Last accessed time is" from the dropdown.

        • Time Threshold: Configure a numerical value and a time unit (Hour(s), Day(s), Week(s), Month(s), Year(s)).

Example: To flag files not accessed in the last 60 days, configure the rule as: Last accessed time is More than 60 Day(s) ago.

Note: When an alert is triggered by this policy, you can take actions on the identified items, such as revoking access, deleting files, archiving data, or applying a legal hold.

  • Click Next → to continue.

Step 2: A. Configure Drive Scope

In this step, you will confirm the data source for the rule set and refine the policy's scope by configuring specific inclusions, exclusions, and archival locations.

The data source for this rule set (e.g., lb-onedrive) is already selected. Your primary actions on this screen are to define the conditions within that source.

  • Configure Drive Scope and Exclusions: To include or exclude specific drives, groups, or user accounts within the data source, click the All drive(s) included link. This opens a dialog where you can precisely define which parts of the data source the policy will scan.

1. Choose a Scan Option

First, select one of the two primary scanning methods:

  • Scan all Drives and Groups (Default): Choose this option to apply the policy to the entire data source except for the specific drives or groups you add to the exclusion list.

  • Scan selected Drives and Groups: Choose this option to apply the policy only to the specific drives and groups you explicitly add to an inclusion list.

2. Define the Exclusion List

If you select "Scan all Drives and Groups", you can then specify which items to exclude from the policy scan.

  1. In the Input Personal Drive field, enter the name or email address of the user drive you wish to exclude (e.g., [email protected]).

  2. Click the Add button.

  3. The system adds the drive to the list below, and the counter tracking the number of excluded items will update.

  4. Repeat this process to exclude additional drives or use the search bar to find and add other groups.

3. Save the Configuration

Once you have finished defining the scope, click Save to apply your changes and return to the main policy configuration screen.

Step 2: B. Setting an Archival Location

For policies that may result in archiving files, you must specify a destination folder. This ensures stale files are moved to a designated, secure location as part of the data lifecycle management process.

  • Click the Add Location + button.

  • The Archival location dialog will appear. It confirms the Data Source (e.g., lb-onedrive) that the path will apply to.

  • In the required Folder Path field, enter the full path to the destination folder where you want stale files to be moved (e.g., Onedrive/folder-path/).

  • Click Save to confirm the location.

The system will now use this path for any automated archival actions triggered by this policy rule set.

  • Click Next → to proceed to the "Alert & Notifications" step.

Step 3: Configure Alerts & Notifications

In this step, you will configure who receives alerts for policy violations and define the properties of those alerts.

  • Enable Alerts: To generate alerts for this policy, select the Enabled radio button. This setting is typically enabled by default for new policies.

  • Assign Primary Alerts: Under Assign Alert to, choose the primary recipients for notifications.

    • Datasource Owner(s): (Default) Sends alerts to the administrators responsible for the data source.

    • Object Owner(s): Sends alerts directly to the individual owners of the files that trigger the policy.

  • Add Notification Recipients: To notify other stakeholders, enter their names or email addresses in the Alert Notification field. Press Enter after each entry to add them to the notification list.

  • Set Alert Severity: Select an appropriate severity level from the dropdown menu. For stale file policies, Warning is the standard selection.

  • Link to Regulations (Optional): If this policy is enforced to meet a specific compliance requirement, select the applicable regulatory framework from the dropdown menu to create a link for reporting and auditing purposes.

After you have configured the notifications, click Next → to proceed to the automation step.

Step 4: Review and Save Policy

This is the final step of the policy configuration process.

  • Review Automation Status: Automated actions are not currently active for this policy configuration.

  • Verify Configuration: Use the Summary panel on the right side of the screen to perform a final review. Confirm that all settings, such as the Retention Period and Alert configuration, are correct.

  • Save the Policy: Once you have verified the settings, click the Save & Close button to finalize and apply the changes to the policy rule set.

Confirmation: The system displays a success message: "Policy successfully updated" with a green checkmark indicator.


Viewing and Managing Stale File Policy Alerts

Managing Stale File Alerts

  • Go to Playbooks → Data Lifecycle: Stale Files.

  • Select Rule Set: Click a rule set with a red alert badge to see its active alerts.

  • Open an Alert: The Unresolved Alerts tab lists all policy violations. Prioritize by reviewing the Impact (object count) and click on an Alert Name to investigate.

2. Analyze the List of Impacted Files

The Objects Impacted tab is your primary workspace for remediation. It lists every file that triggered the alert.

  • Filter First: Before reviewing, always use the dropdown filters (State, Risk Score, External Users) to narrow down large lists and focus on the most critical items.

  • Review Key Details: Scan the list to understand the risk of each file.

    • State: Shows accessibility (e.g., Open).

    • Risk Score: Indicates urgency; a higher score means higher risk.

    • Last Accessed Time: A dash (--) confirms the file is stale.

3. Investigate a Specific File

For a deep-dive analysis of a single high-risk file:

  • Click the file's name in the list to open the Object Viewer.

  • In the viewer, look for the prominent Stale File label in the header.

4. Take Action and Resolve

After identifying files for remediation, you can take action directly from the Objects Impacted tab.

  • Select the checkboxes next to one or more files.

  • Click the Actions button to open the menu.

  • Choose a bulk action:

    • Resolve: Mark the alerts for the selected files as handled.

    • Reassign: Transfer responsibility for the items to another user.

    • Add to 'No Scan List': Exclude the selected files from this policy's future scans.

    • Delete from source: Permanently delete the files.

    • Archive: Move files to a pre-configured archive location.

    • Revoke Access: Remove user access permissions from the files.

  • You can also use the Export CSV button to download the filtered list for reporting or offline analysis.


Advanced Troubleshooting

Activity Logging Issues

Missing Activity Data After Enablement:

  • Verify that the ActivityFeed.Read permission was successfully granted and admin consent was provided

  • Check that the actual_access feature flag has been activated by your CST team

  • Confirm that users are actively accessing files in the monitored data sources

  • Allow 1-2 hours for initial activity data to appear in the interface

Inconsistent Activity Counts:

  • Activity aggregation occurs hourly, so recent user actions may not immediately appear in reports

  • Cross-reference activity data with user reports of file access to identify potential synchronization delays

  • Contact support if activity counts consistently underreport known user interactions

Policy Evaluation Delays:

  • Stale file policies evaluate daily, typically during off-peak hours

  • Newly accessed files may remain in alert status for up to 24 hours after access

  • Monitor the "Last occurred" timestamp in alert details to track policy evaluation cycles


Performance Optimization

Large Dataset Management:

  • Apply data source and date range filters before loading activity logs with thousands of entries

  • Use the export functionality for complex analysis requiring external tools

  • Consider breaking large investigations into smaller, focused queries using the available filter options


About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected]
