
Classification Module 6.1.3 - User Guide


Exporting Taxonomies

Exporting allows you to move taxonomies between environments, distribute custom taxonomies, and create backups. For example, if you maintain a development environment, you can export from your development environment and import to your production environment.

Taxonomies consist of categories, which are associated with rules, which in turn may refer to text extractors. All components will be included in the exported taxonomy and a publisher, if it does not currently exist, will be applied. The publisher will help you to identify taxonomies that you have created for your organization or for distribution.

To export a taxonomy using the web portal

  1. Select Governed Data | Categorization Manager | Taxonomies.
  2. Locate the row containing the taxonomy, and click Export.
  3. Enter the publisher and click Export.
    The publisher will help to identify taxonomies, categories, rules, or text extractors that you have created and plan to distribute or back up. Note: The publisher will be applied to any categories, rules, and text extractors that do not have an existing publisher.
  4. Close the export dialog box and download and save the taxonomy template xml file with your browser to your preferred location.
    The taxonomy is now available to be distributed. Whether it will be imported or upgraded depends on whether it is currently deployed in the target environment. For information on importing, see Importing and Replacing Taxonomies.

To export a taxonomy using PowerShell

  1. Determine the ID of the taxonomy you want to export.
    See Finding a Taxonomy, Category, or Extractor ID using PowerShell for details.
  2. Run the Export-QTaxonomy command with the following mandatory parameters:
    1. ServerAddress
      Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.
    2. TaxonomyId
    3. Publisher
      If a publisher does not currently exist, you can supply one.
      The publisher will help to identify taxonomies, categories, rules, or text extractors that you have created and plan to distribute or back up. Note: The publisher will be applied to any categories, rules, and text extractors that do not have an existing publisher.
  3. If desired, you can set the following optional parameter:
    1. OutputFile
      Provide the path to a file to store the template XML.
      The taxonomy will be output to the screen if you omit this step.

Working with Categories

The proper configuration of a category is integral to a properly working system. Categories should be created and refined in test mode, and published when they are ready to be used in your production environment. Deployments of categories should be properly managed. See Managing the Life Cycle of Taxonomies and Categories for more information.

You can work with categories using the following methods:

Each category has a number of settings, which have an impact on the category’s behavior. In the table below, the parameter in brackets is the PowerShell equivalent of the setting in the Web Portal.

NOTE! You can quickly view all the settings applied to a category through the Categorization Manager to better understand your deployment. Simply select the category of interest to see its current settings.

Category Parameters (PowerShell equivalent in brackets)

  • Category Risk (Risk)
    Indicates the relative risk of the category. This is then used to determine how a resource is classified. For more information, see Classifying Resources.
  • Publish this category (IsPublished)
    Makes a category available for manual categorization. You must also enable this for automation to work. Publish a category only when you are ready for business owners to have access to it.
    A subcategory must have a published parent category. If you publish a subcategory, and the parent is unpublished, the action is ignored.
  • Allow this category to be used by the automated system (IsAutomaticClassificationEnabled)
    You can make a category available to the classification system. Automated categorization is based on the rules associated with the category, so you should associate rules and test the category before automating it.
    Automation will not take place until the category is published as well.
  • Govern using this category (CausesGovernance)
    When a category that causes governance is applied to a resource, that resource is placed under governance and can be managed using the Web Portal. Resources under governance can be subject to policies and attestations.
  • Mutually Exclusive (IsMutuallyExclusive)
    The mutually exclusive setting applies to the children of a category. If a category has been defined as mutually exclusive, only a single subcategory can be applied to a resource. For example, consider a category in your taxonomy called PHI, which has three subcategories: Level 1, Level 2, Level 3. If PHI is set to mutually exclusive, you can only apply one of the subcategories.
    To create an entire taxonomy that is mutually exclusive, so that only one category can be assigned from the taxonomy, all parent categories must be set to mutually exclusive.
    When more than one category could be applied to a resource based on the associated rules and category threshold, the category with the highest combined rule score is applied.
  • Strictly Ordered (IsStrictlyOrdered)
    Strictly ordered is a special kind of mutual exclusivity, in which the order of the subcategories has meaning. When more than one category could be applied to a resource based on the associated rules and category threshold, the category closest to the parent category will be applied. For example, if your categories are Level 1 and Level 2, in that order, and either category could be applied, in this case Level 1 will be applied.
    If you are planning on creating a strictly ordered category, ensure you enter the subcategories in the correct order. There is no way to change the order of subcategories once they are created. You must delete and recreate the categories, including assigning the rules.
  • Threshold
    The threshold value determines whether a category is applied. If the cumulative weight exceeds the threshold, the category is applied. Combined with the weights given to a rule when you associate it, and the match strength of the rule, the threshold controls whether the category is applied. Note: The default threshold is one.

For a full explanation, see How Rules Affect Categorization.

Creating a Category

A category requires a parent, which can either be the top level taxonomy node or any category in the taxonomy. By default, new categories:

  • are created in test mode, and are not available for manual or automated categorization.
  • do not cause governance.
  • have a threshold value of one.
  • are not mutually exclusive.
WARNING! You should not change these values without fully understanding the implications for your classification system. For more information, see Working with Categories.

Each category can only belong to a single taxonomy. If you have created a category in one taxonomy and want to move it to another, see Moving a Category.

To create a category using the web portal

  1. Select Governed Data | Categorization Manager | Taxonomies.
  2. Locate the row containing the taxonomy, and click Edit.

    -OR-

    Create a taxonomy as outlined in Creating a Taxonomy, and click Save.
  3. Select the parent category of the new category.
    To create a first level category, select the top level taxonomy node, otherwise select the category under which you want the new category to appear.
  4. Click Add.
  5. Provide a name and optional description for the category.
  6. Set the risk value.
  7. If you are ready to allow business owners to use this category to manually categorize their resources, select the Publish this category check box.
    You should not make a new category available for use by the automated system, as this requires the association of rules to the category. For more information, see Associating Rules to Categories and Applying Rule Weights.
  8. If you want all resources categorized with this category to be governed, select the Govern using this category check box.
  9. If you plan to allow only one subcategory of this category to be applied to a resource, select the Mutually Exclusive check box.
  10. If you want the order of the categories to influence categorization, select the Strictly Ordered check box.
  11. Click Save.
    Your new category appears nested under its parent category. You can now associate rules with the category and assign the required weight and the threshold that must be met for the category to be applied. For details, see Modifying the Category Threshold and How Rules Affect Categorization.

To create a category using PowerShell

  1. Make sure you know the ID of the parent category. For more information, see Finding a Taxonomy, Category, or Extractor ID using PowerShell.
    To create a first level category, provide the ID of the taxonomy root.
  2. Run the Add-QCategory command with the following mandatory parameters:
    1. ServerAddress
      Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.
    2. ParentCategoryID
      To create a first level category, use the ID of the parent taxonomy, otherwise use the ID of the category under which you want the new category to appear.
    3. Name
  3. Additionally, you can use the following optional parameters:
    1. Description
    2. Risk
    3. CausesGovernance
      By default, this is set to $false.
    4. IsPublished
      You should only set this to $true if you are ready for business owners to use this category for manual categorization.
      You should not set IsAutomatedClassificationEnabled to $true, as automated categorization requires the association of rules to the category. For more information, see Associating Rules to Categories and Applying Rule Weights.
    5. IsMutuallyExclusive
      Set this to $true if you plan to allow only one subcategory of this category to be applied to a resource.
    6. IsStrictlyOrdered
      Set this to $true if you plan to allow only one subcategory of this category to be applied to a resource, and you want this based on the order of the categories.
    7. Threshold
      The default value is one. You should not change this unless you have already determined the rules you plan to associate and the weights for these rules. For more information, see How Rules Affect Categorization.

How Categories Work Together: Mutual Exclusivity, Strict Ordering and Inheritance

Categorization occurs based on a number of factors, including the associated rules and category thresholds. For a full explanation of this, see How Rules Affect Categorization. After the rules have been processed against a resource, potential categorizations result. However, before a category can be applied, the settings on the category must be considered. If there is more than one potential categorization within a taxonomy, the following may occur:

  • If there are no categories set to mutually exclusive, all potential categories will be applied.
  • If all potential categorizations share the same parent, and that parent is mutually exclusive, only one potential category will be applied. The category that will “win” is the one with the highest combined rule score. This means that if you are planning a mutually exclusive taxonomy or branch of a taxonomy, it is important that you ensure the relative weighting of all subcategories makes sense for your needs. For more information, see How Rules Affect Categorization and Advanced Rule Applications.
  • If some of the potential categorizations share the same parent and others do not, more than one category from the taxonomy may be applied, but the mutual exclusivity settings of each branch will be respected. For example, the system may have to assign only one of the potential categories within a mutually exclusive branch, but be able to assign other categories within the taxonomy where mutual exclusivity has not been set.
  • If strictly ordered has been applied to a parent category, only one potential subcategory can be applied. In this case, however, instead of using combined rule scores to determine which category is applied, the category closest to the parent on the tree will “win”.

The following diagram shows the difference between mutually exclusive and strictly ordered:

[Figure: Mutually exclusive and strictly ordered]
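
The selection rules listed above, as an added Python sketch that is not part of the product or of this guide. The class and function names, the Financial branch, and all scores are constructed for illustration; sibling order is modelled as an integer, and only direct siblings under one parent are compared.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Category:
    name: str
    parent: Optional[str]             # None marks the taxonomy root node
    order: int = 0                    # assumed: creation order among siblings
    mutually_exclusive: bool = False  # governs this category's children
    strictly_ordered: bool = False    # governs this category's children

def build_taxonomy(phi_strictly_ordered: bool):
    """Constructed sample: PHI is mutually exclusive, Financial is not."""
    return [
        Category("Sensitive Data", None),
        Category("PHI", "Sensitive Data", 0, True, phi_strictly_ordered),
        Category("Level 1", "PHI", 0),
        Category("Level 2", "PHI", 1),
        Category("Level 3", "PHI", 2),
        Category("Financial", "Sensitive Data", 1),
        Category("Invoices", "Financial", 0),
        Category("Payroll", "Financial", 1),
    ]

def resolve(categories, candidates):
    """candidates maps category name -> combined rule score for categories
    that already passed their threshold. Returns the names applied."""
    by_name = {c.name: c for c in categories}
    siblings = defaultdict(list)
    for name in candidates:
        siblings[by_name[name].parent].append(name)
    applied = []
    for parent_name, names in siblings.items():
        parent = by_name.get(parent_name)
        if parent and parent.strictly_ordered:
            # Earliest sibling (closest to the parent) wins; scores are ignored.
            applied.append(min(names, key=lambda n: by_name[n].order))
        elif parent and parent.mutually_exclusive:
            # Highest combined rule score wins; tie handling is not stated on
            # the page, so this sketch keeps the first candidate seen.
            applied.append(max(names, key=lambda n: candidates[n]))
        else:
            applied.extend(names)  # no exclusivity: every candidate applies
    return sorted(applied)

# Constructed scores: Level 1 matches weakly, Level 3 strongly.
SAMPLE = {"Level 1": 2.0, "Level 3": 5.0, "Invoices": 1.5, "Payroll": 3.0}

if __name__ == "__main__":
    print(resolve(build_taxonomy(False), SAMPLE))
    print(resolve(build_taxonomy(True), SAMPLE))
```

With strict ordering, the weak Level 1 match displaces the strong Level 3 match, which is why the subcategory order has to be right when the categories are created.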

Inheritance does not directly affect categorization; however, it is important to understand how inherited categories are applied when evaluating why particular categorizations were made. Inheritance refers to categorizations that are inherited from a parent container. For example, a folder can be manually categorized, and all documents in the folder inherit that categorization. The following can occur with inherited categories on the child resources:

  • If no other categorization exists on a resource, the inherited category remains, and is identified as such in all views.
  • If a resource is subsequently manually or automatically categorized, and only one potential category from the same taxonomy can be applied due to mutual exclusivity settings, the new category does not override the inherited one; the inherited category remains associated with the resource.
  • If a resource is subsequently manually or automatically categorized, and both the new and inherited categories from the same taxonomy can exist without violating any mutual exclusivity settings, both are associated with the resource.
  • Inheritance only works on resources that are regularly scanned for classification. If you manually categorize a container that you own that is not scanned, child resources do not inherit the categorization unless they are scanned at some point.