Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.0 LTS - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Classification management

Classification is included in Data Governance Edition, however you should first define the classification levels in Data Governance Edition to match those defined by your company. Once defined, you can use these classification levels to classify governed resources.

The following commands are available to manage the classification levels used in your Data Governance Edition deployment and to assign a classification level to a governed resource. For full parameter details and examples, see the command help, using the Get-Help command or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 85: Group template management commands

Use this command

If you want to

Add-QClassificationLevel

Define a new classification level for use in your Data Governance Edition deployment.

Get-QClassificationLevelConfiguration

Retrieve details about the classification levels configured in your Data Governance Edition deployment.

Get-QDataUnderGovernanceByClassificationLevel

Retrieve a list of governed resources assigned a specific classification level.

Remove-QClassificationLevel

Remove a classification level from your Data Governance Edition deployment.

Set-QClassificationLevel

Update an existing classification level in your Data Governance Edition deployment.

Set-QClassificationLevelOnDug

Assign a classification level to a governed resource.

Governed data attestation policies

One Identity Manager ships with a predefined set of attestation policies for governed data. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Attestation policies | Predefined folder in the Attestation navigation view in the Manager.

Once the schedule is enabled, attestation policies are all enabled by default. You can, however, disable an attestation policy using the Change master data task from the Attestation policy overview in the Manager.

The following attestation policies are available by default for governed data.

Table 86: Governed data attestation policies
Attestation policy Predefined approval policy Description

Data Governance: Accounts with direct access attestation

Attestation of account entitlements by employee manager.

Notify the employee marked as "responsible" for an account (that is, as a manager or as the person responsible for a particular privileged account), to attest to the entitlements of these "managed" accounts.

Data Governance: Groups with direct access attestation

Attestation of group entitlements by group owner.

NOTE: If you have Cloud managed hosts in your Data Governance Edition deployment, change this setting to one of the following:

  • Attestation by target system manager
  • Attestation of group entitlements by selected approvers

Group product owner attests single group entitlements granting direct access.

Data Governance: Resource ownership attestation

Attestation by resource owner.

Resource owner attests ownership of governed resources, thereby approving their ownership.

Data Governance: Resource security attestation

Attestation by resource owner.

Managed resource owner attests to the security configuration of governed resources, focusing on highest entitlements only.

Data Governance: Resource security deviation attestation

Attestation by resource owner.

Resource owner attests governed resources with deviations in access security.

Tips for using governed data attestations:

  • Designer: The Base Data | General | Schedules | Attestation check is enabled by default and runs daily at 16:00 PM. You can click the Start button on the Attestation check properties pane to initiate an immediate attestation check.

For more information on the One Identity Manager attestation feature, including how to define attestations, execute attestations and introduce automatic or manual correction measures, see the One Identity Manager Attestation Administration Guide.

Governed data company policies

One Identity Manager ships with a predefined set of company policies for governed data which can be enabled. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Policies | Working copies of policies | Predefined folder in the Company Policies navigation view in the Manager.

The predefined governed data policies include:

Table 87: Governed data policies
Policy Description
Access not granted on governed data for the predefined group "Everyone"

A policy violation occurs when the built-in Active Directory group "Everyone" has any access assigned.

NOTE: This company policy is not available for Cloud accounts.

Full access not granted on governed data for the predefined group "Everyone"

A policy violation occurs when the built-in Active Directory group "Everyone" has any "Full Control" access assigned.

NOTE: This company policy is not available for Cloud accounts.

Governed data must be assigned to a Classification level A policy violation occurs when governed data is found that does not have a classification level assigned.
No governed data with access assigned to accounts other than AD security groups A policy violation occurs when governed data is found with access assigned to accounts other than Active Directory security groups.
No governed data with conflicting NTFS permissions for Allow/Deny A policy violation occurs when governed data is found with conflicting Allow/Deny access assigned.
No governed data with high risk index (> 0.75) accessible by accounts of external employees A policy violation occurs when an external employee has access assigned to governed data with a high risk index.

Tips for using governed data policies:

  • Manager: Working copies of company policies are disabled by default. You can, however, enable these policies using the Enable working copy task from the Change master data view of a policy.

  • Manager: After enabling a working copy, you can use the following tasks to test a working copy of a policy:
    • Show condition: Displays a list of governed data that is in violation of the selected policy.
    • Recalculate policy: Evaluates the selected policy and logs any policy violations that occurred.
  • Web portal: As a business owner of the resource, after recalculating a policy, any policy violations appear (Responsibilities | My Responsibilities | Governed Data | Policy violations).
  • Designer: The Base Data | General | Schedules | Policy check is enabled by default and runs monthly at 11:00 AM. You can click the Start button on the Policy check properties pane to initiate an immediate policy check.

For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.

Governed data risk index functions

One Identity Manager ships with a predefined set of risk index functions used to calculate the risk index for governed data. These predefined risk index functions are available when the Data Governance Edition module is installed and can be found in the Risk index functions | Governed data (QAMDuG) | Properties folder in the Risk Index Functions navigation view in the Manager.

The predefined governed data risk index functions include:

Table 88: Governed data (QAMDuG) risk index functions
Risk index function name Description Default weighting / Change value
Attestation of data under governance Reduces the risk of a governed resource when an attestation policy is enabled. 0.02
Defined owner for data Reduces the risk of a governed resource when a business owner has been assigned. 0.01
Full access for "Everyone" Increases the risk of a governed resource when "Everyone" is granted full access to the resource. 0.2
Full access for accounts Increases the risk of a governed resource when there are accounts other than "Everyone" that is granted full access to the resource. 0.1
Last access > 30 days Reduces the risk of a governed resource when the last access date is greater than 30 days. 0.04
Last access > 60 days Reduces the risk of a governed resource when the last access date is greater than 60 days. 0.06
Last access > 90 days Reduces the risk of a governed resource when the last access date is greater than 90 days. 0.08
Last access > 180 days Reduces the risk of a governed resource when the last access date is greater than 180 days. 0.1
No classification level assigned Increases the risk of a governed resource when no classification level has been assigned. 0.1
Policy violation Increases the risk of a governed resource when a company policy violation occurs. 0.2
Published to IT Shop Increase the risk of a governed resource when the resource is published to IT Shop. 0.1
Read only access Increases the risk of a governed resource when read-only access is granted. 0.05
Write access Increases the risk of a governed resource when read and write access is granted. 0.1

Tips for using governed data risk index functions:

  • Designer: The Base Data | General | Schedules | Calculate risk indexes of governed data is disabled by default. Before risk calculations can be performed on governed data, this schedule must be enabled. You can click the Start button on the Calculate risk indexes of governed data properties pane to initiate an immediate risk index calculation.
  • Manager: The Data Governance Edition risk index functions are enabled by default. You can, however, disable a risk index function using the Change master data task on the Function overview.
  • Web portal: As a business owner, you can see the risk index assigned to owned resources (Responsibilities | My Responsibilities | Governed Data | All my resources).
  • Web portal: As a business owner, you can see what functions contributed to the calculated risk index (Responsibilities | My Responsibilities | Governed Data | All my resources | <selected resource> | Risk).

For more information on One Identity Manager's risk assessment feature, see the One Identity Manager Risk Assessment Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating