3.2 Virtual Entitlements

Identity Governance Permissions are like Identity Manager's concept of Entitlements. As such, the review process for these entitlements is binary: “yes,” the user should have the Permission (Entitlement), or “no,” the user should not. These entitlements are not the actual rights to resources themselves; rather, each represents a group or role that is directly assigned a set of rights to the resource the entitlement stands for.

File system rights are not intrinsically this simple:

  • Different rights might exist for the same user on different folders in the hierarchy.

  • The number of discrete file system rights and the combination of those rights for a given file or folder can be rather extensive.

  • The exact meaning of many file system rights is too in-depth for a business-level review.

To map these low-level file system rights to identities directly, and not just to groups, roles, or entitlements, we need a way to model those rights as an entitlement construct. Data Access Governance aggregates any assigned file access rights in the Target Path’s hierarchy into a single set of projected or “virtual” entitlements represented at the Target Path level. These virtual entitlements are displayed as Permissions in an Identity Governance review, providing a simple binary approval process for Read, Write and Change Permissions access for each defined Target Path.
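The projection described above, worked through as an added example. This is illustrative code, not Data Access Governance product code, and everything in it is an assumption made for the example: the folder ACLs and group memberships are constructed, the NTFS access-mask constants are the standard Windows values, and the mapping of mask bits onto the three virtual entitlements (FILE_READ_DATA for Read, FILE_WRITE_DATA or FILE_APPEND_DATA for Write, WRITE_DAC for Change Permissions) is the example's own choice. It resolves group trustees down to user identities, evaluates each folder's effective rights per user, and then unions the result across every folder at or below the Target Path so that each identity ends up with a binary answer per virtual entitlement.

```python
"""Project per-folder file system rights onto 'virtual' Read / Write /
Change Permissions entitlements for a Target Path, per identity.

Added example, not Data Access Governance product code. The ACLs, the
group membership and the bit-to-entitlement mapping below are constructed
assumptions for illustration only.
"""
from collections import defaultdict

# Subset of the standard NTFS access-mask bits.
FILE_READ_DATA    = 0x00001
FILE_WRITE_DATA   = 0x00002
FILE_APPEND_DATA  = 0x00004
WRITE_DAC         = 0x40000      # shown as "Change Permissions" in the ACL editor
FILE_GENERIC_READ = 0x120089
MODIFY            = 0x1301BF     # note: Modify does NOT include WRITE_DAC
FULL_CONTROL      = 0x1F01FF

# Assumed mapping from access-mask bits to the three virtual entitlements.
VIRTUAL = {
    "Read":               FILE_READ_DATA,
    "Write":              FILE_WRITE_DATA | FILE_APPEND_DATA,
    "Change Permissions": WRITE_DAC,
}

# Constructed group membership; FinanceLeads is nested inside FinanceStaff.
GROUPS = {
    "FinanceStaff": {"alice", "bob", "FinanceLeads"},
    "FinanceLeads": {"carol"},
    "Auditors":     {"dave"},
}

# Constructed effective ACLs (explicit plus inherited ACEs, as a tool such as
# Get-Acl would report them), keyed by folder: (trustee, is_allow, mask).
ACLS = {
    r"\\fs1\finance":                [("FinanceStaff", True, FILE_GENERIC_READ),
                                      ("Auditors", True, FILE_GENERIC_READ)],
    r"\\fs1\finance\reports":        [("FinanceStaff", True, FILE_GENERIC_READ),
                                      ("FinanceLeads", True, MODIFY),
                                      ("Auditors", True, FILE_GENERIC_READ)],
    r"\\fs1\finance\reports\drafts": [("FinanceStaff", True, MODIFY),
                                      ("bob", False, FILE_WRITE_DATA | FILE_APPEND_DATA),
                                      ("Auditors", True, FILE_GENERIC_READ)],
    r"\\fs1\finance\admin":          [("carol", True, FULL_CONTROL)],
    r"\\fs1\hr":                     [("alice", True, FULL_CONTROL)],  # outside the Target Path
}


def members(trustee, groups=GROUPS, seen=None):
    """Expand a trustee to the set of user identities (nested groups, cycle-safe)."""
    if seen is None:
        seen = set()
    if trustee not in groups:
        return {trustee}
    if trustee in seen:
        return set()
    seen.add(trustee)
    out = set()
    for m in groups[trustee]:
        out |= members(m, groups, seen)
    return out


def effective_mask(aces, user, groups=GROUPS):
    """Per-folder rights for one user: union of allow masks minus union of deny masks.
    This matches NTFS for canonical ACLs (denies ordered before allows); non-canonical
    ordering, owner rights and share permissions are deliberately not modelled."""
    allow = deny = 0
    for trustee, is_allow, mask in aces:
        if user in members(trustee, groups):
            if is_allow:
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny


def in_hierarchy(folder, target):
    """True if folder is the Target Path itself or lies anywhere beneath it."""
    f, t = folder.lower(), target.lower().rstrip("\\")
    return f == t or f.startswith(t + "\\")


def virtual_entitlements(target, acls=ACLS, groups=GROUPS):
    """Project every right assigned anywhere under `target` onto
    identity -> {Read, Write, Change Permissions}, which is the binary view a
    reviewer sees. Also return which folder(s) earned each entitlement."""
    result = defaultdict(set)
    evidence = defaultdict(list)
    for folder, aces in acls.items():
        if not in_hierarchy(folder, target):
            continue
        users = set().union(*(members(t, groups) for t, _, _ in aces))
        for user in sorted(users):
            mask = effective_mask(aces, user, groups)
            for name, bits in VIRTUAL.items():
                if mask & bits:
                    result[user].add(name)
                    evidence[(user, name)].append(folder)
    return dict(result), dict(evidence)


if __name__ == "__main__":
    ents, ev = virtual_entitlements(r"\\fs1\finance")
    for user, names in sorted(ents.items()):
        print(user, sorted(names))
        for name in sorted(names):
            print("   ", name, "<-", ", ".join(ev[(user, name)]))
```

Two things the output makes visible that the review screen alone does not. First, the projection is deliberately lossy in the direction the page describes: alice shows a Write entitlement on `\\fs1\finance` although her only write access is on the `reports\drafts` subfolder, so a reviewer's "yes" approves write access somewhere under the Target Path rather than on the Target Path itself, and the `evidence` map is what an approver should be able to pull up before answering. Second, bob does not show Write even though FinanceStaff has Modify on `drafts`, because the per-folder evaluation applied his Deny ACE before the union across folders; if the aggregation were done on raw group assignments instead of on per-identity effective rights, that deny would be lost. Alice's Full Control on `\\fs1\hr` is correctly excluded because it lies outside the Target Path hierarchy.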