Introduction
About this Guide
System Requirements
Minimum Required Permissions
Required Ports
Performance Calculations
Deploying Classification in Identity Manager
Classification Overview
Required Components
Component Workflow
Activating Classification
Configuring Classification: Taxonomies, Categories, and Rules
Install the Classification Components
Enable Classification in the Designer
Identify the Classification Service Account
Deploy the Classification Server
Deploy Classification Workers
Enable and Disable Automatic Classification on Specific Managed Hosts
Enabling Categorization on Folders (Security Index Roots)
Managing the File Types to be Classified
Starting Initial Classification
Upgrade an Agent for Classification
Re-classify Data
Classification Application Roles
Troubleshooting the Classification Deployment
An Overview of Classification Configuration
Steps Required to Implement Classification
Creating Taxonomies
Appendix A: PowerShell Commands
Working with Taxonomies
Implementing Rules for Automated Categorization
Creating a Taxonomy
Importing and Replacing Taxonomies
Editing a Taxonomy
Deleting a Taxonomy
Exporting Taxonomies
Working with Categories
How Rules Affect Categorization
Managing Rules in the Classification System
Classifying Resources
When Do Categorization and Classification Occur?
Managing the Life Cycle of Taxonomies and Categories
Creating a Rule
Editing a Rule
Associating Rules to Categories and Applying Rule Weights
Deleting a Rule
Advanced Rule Applications
Working with Text Extractors
Identifying Text Extractors used within the System
Creating Text Extractors
Validating the Text Extractor
Editing Text Extractors
Removing Text Extractors
Working with Regular Expression Text Extractors
Working with Dictionary Text Extractors
Managing Public Dictionary Text Extractors
Managing Protected Dictionary Text Extractors
Managing Dictionary Text Extractors with PowerShell
Working with Advanced Text Extractors
Testing and Reviewing Automated Classification
Testing a Rule against a Resource
Testing all Rules Against a Resource
Viewing the Text from a Resource
Determining Why Categorizations Were Applied to a Resource
Viewing Categorized Resources
Making a Category Available to the Classification System
Adding the PowerShell Snap-ins
Finding a Taxonomy, Category, or Extractor ID using PowerShell
Deploying the Classification Server and the Classification Worker
Troubleshooting Deployment
Managing Taxonomies
Appendix B: Oracle Configuration
Appendix C: Classifying Data with Data Governance Templates
Available Templates
Appendix D: Creating a Taxonomy to Classify Data
Viewing Classified Resources
You can view the resources in each of the classifications in your system. Classification is an indication of the risk of the content in a resource. If you are a business owner, and want to see how your owned resources are classified, the information is contained in the hyperview on the Overview tab for the resource. Classification analysts and business owners can use the Classified Resources view: classification analysts can get an overview of classification across the deployment, and business owners can view their owned and classified resources.
To view classified resources
- Select Governed Data | View Resources | Classifications.
- Click a classification.
- Click Resources.
- Select the host for the resources.
When Do Categorization and Classification Occur?
Automatic categorization follows this process:
- The text is extracted from the resource.
- All rules are run against the resource, and the matches are noted.
- The matches are compared to the available automated categories in the system, which results in a list of potential categorizations.
- Based on the category settings, categorization may occur.
- Based on the category risk, classification of governed resources may occur.
 |
Only resources on scanned hosts with classification turned on are eligible for categorization. For more information, see Enable and Disable Automatic Classification on Specific Managed Hosts. |
You should work with your Data Governance administrator to ensure you understand when classification occurs, particularly as you implement changes in the production environment. There are a number of factors that influence the timing of classification:
- For each host (for example, remote server, SharePoint farm) on which you are categorizing resources, a scan schedule can be set. Categorizations on new resources, and changes to categorizations based on changes to the taxonomies in your environment occur based on this schedule.
- The time a scan takes is a function of both the amount of data on the host, and various deployment variables. For more information, see Classification Overview.
- Some types of hosts watch for changes to content. When resources are added to the monitored data roots on the host or existing resources are changed, all rules are run against the resource and any resulting changes will be immediately reflected.
For information on configuration options for local, remote, and SharePoint managed hosts, see the Quest One Identity Manager Data Governance Edition User Guide.
When is a security root initially categorized?
| Local NTFS | Resources are categorized when a new security index root added and enabled for classification. Note: Enabling classification on a previously configured root does not trigger classification for the files in the root. |
| Remote managed host (NetApp®, EMC, and Windows) | Resources are categorized on the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled. |
| SharePoint | Resources are categorized on the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled. |
When are newly added/modified files categorized?
| Local NTFS | When creation/modification detected by live change watching or when an agent is restarted. |
| Remote managed host (NetApp, EMC, and Windows) | When creation/modification detected by live change watching, or on the next scheduled scan, or an agent restart if the “Immediately scan on agent restart” option is enabled. |
| SharePoint | On the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled. |
When does a file re-classification occur?
For all types of hosts:
- Resources will be re-classified if the file has been changed
- When the Request-QClassification command is run on the managed host where the file is located. This command re-classifies all files. This is useful if you have updated your rules and all files need to be reclassified.
What happens when an agent is restarted?
| Local NTFS | All security roots are re-scanned and files that were not classified are sent for classification. |
| Remote managed host (NetApp, EMC, and Windows) SharePoint |
If the “Immediately scan on agent restart” option is enabled, all security roots are re-scanned and files that were not classified are sent for classification |
Managing the Life Cycle of Taxonomies and Categories
Over time, you may deploy and change multiple taxonomies. Changes to taxonomies once they are in production requires careful management in order to ensure the most accurate system with the least amount of disruption.
Taxonomy Deployment Considerations
Using Quest One Identity Manager to deploy a taxonomy is very simple—create a taxonomy with at least one published category, and your system can yield results. However, practically speaking, there are many things to consider before you deploy a taxonomy in your production environment. Once you publish your first category, business owners may begin manually categorizing resources. Data Governance administrators, classification analysts, compliance officers and management all play a role in a successful classification deployment. Before you reach this point, you should have a plan in place for rolling out your taxonomies. For example:
- Consider your approach for rolling out your categories. You may want to bring categories online slowly to carefully review the results, or you may want to deploy an entire taxonomy at once so that business owners can make informed decisions when working with their categorizations.
- Data Governance administrators should consider what data to begin classifying. Start with data that you understand, as it will help you verify the accuracy of the system. You can scale out scanning as you understand the network and computing load of classification.
- Classification analysts should design taxonomies should serve a single purpose. For example, if you require both Personal Health Information (PHI) and Payment Card Industry (PCI) taxonomies, they should be separate taxonomies, not branches of the same one. This allows users to manually override within an individual taxonomy, and continue to have the system automatically categorize within other taxonomies.
- Compliance officers should consider when policies and attestations that use the results of categorizations will be rolled out. Business Owners and Compliance Officers will see violations on published categories referenced by policies and attestations.
- In order to ensure that the system has the intended results, you should consider the communication and education strategy that you will use to accompany initial and subsequent deployments.
- The timing of changes should be considered. It takes time for new categories and changes to existing categories to flow through the system, depending on the volume of data, and the scan schedule. During this time, it is possible that business owners may manually apply a category they think appropriate, which will prevent further automated classifications for that taxonomy.
- A workflow for deployment should be planned. See Deploying a Taxonomy for more information.