Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.2.1 - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Administering Data Governance Edition

Data Governance Edition overview

Control over your organization’s data is vital to eliminating issues such as security breaches, loss of sensitive information, or non-compliance with external and internal guidelines. Data Governance Edition provides a systematic approach to managing data access, preserving data integrity, and providing content owners with the tools and workflows to manage their own data resources, removing reliance on IT administrators.

Ultimately, you need a process in place that allows you to:

  • Ensure that your business runs efficiently with access to correct information on demand.
  • Understand the access levels, patterns, and usage to build and maintain a governance strategy.
  • Comply with organizational security and compliance policies.
  • Bring accountability to contain damage.
  • Review the usage patterns of sensitive information.
  • Identify and assign business owners.
  • Enable attestations from business owners to the validity of the data and its use.

The governance of unstructured data is accomplished through workflows that cross both the Manager and the web portal. The following diagram identifies the key processes in securing and controlling access to your organization’s data.

Figure 1: Data Governance Edition key processes

 

Data Governance Edition users

Data Governance Edition is designed to serve the needs of different users.

Table 38: Typical users and associated tasks
User Tasks

Business Owner

  • Resource owner.
  • Uses the web portal.
  • Reviews the resource security and usage; approves or denies requests for resource access; requests access on behalf of others, such as a new employee; and validates the security on resources.
  • Can view and assign a classification level to their owned resources.
  • Attests to the authorizations specified for the resources they own. A business owner who is also a department manager, performs access attestations for their department employees.

Business owners are automatically assigned to the Data Governance | Direct Owners application role when they are assigned as the business owner of a resource. They must also be assigned to the Request & Fulfillment | IT Shop | Product Owners application role or an application role under the Product Owners role to approve IT Shop requests.

For more information on how to perform the business owner tasks, see Managing governed resources using the web portal

Compliance Officer\Security Officer

  • Responsible for ensuring policies are created and are being enforced in the company.
  • Creates "Governance Programs", including all the required policies and workflows.
  • Verifies the state and progress of governance programs.
  • Oversees the activities of IT security personnel.

This user must be assigned the Identity & Access Governance | Compliance & Security Officer application role.

For more information, see Application roles.

Data Governance Administrator

  • Maintains and edits resource security using the Manager.
  • Facilitates business owner and auditor requests.
  • Performs ad-hoc investigations of the rights of users and groups.
  • Configures and deploys Data Governance Edition.
  • Sets the resource owner and business owner.
  • Defines classification levels for use in classifying governed resources.
  • Maintains Data Governance Edition.
  • Delegates access to Data Governance Edition.
  • Implements the workflow defined by security officers, business owners, and others who need to consume the services of Data Governance Edition.
  • Assigns the server and share root path to be used for creating file system shares requested through the IT Shop. Also, defines the group naming pattern to be used to create the Active Directory groups for the new share.

This user must be assigned the Data Governance | Administrators application role. They must also be assigned to the Request & Fulfillment | IT Shop | Product Owners application role or an application role under the Product Owners role to approve IT Shop requests.

For more information, see Application roles.

Employee\End-User\Resource Consumer\Knowledge Worker

  • Uses the web portal.
  • Makes IT Shop requests to gain access to resources.
  • Makes IT Shop requests to create file system shares.

All active employees are automatically members of the Identity & Access Lifestyle shop and can therefore make self-service requests.

Employee manager

  • Uses the web portal.
  • Approves or denies requests for creating file system shares.

Employee managers must be assigned the Request & Fulfillment | IT Shop | Product Owners application role or an application role under the Product Owners role to approve IT Shop requests.

Architecture

Data Governance Edition consists of the following components:

  • Data Governance server: The server acts as an intermediary between the agents and the databases where information is stored. It coordinates all agent deployments and communication, and manages the security index for each managed host.

    The server is the central authority that receives and indexes information from agents deployed on target computers. It only maintains a subset of information for the computers that are being indexed (essentially access to specific resource types on managed computers). When you request detailed access information, the server attempts to contact the local agent and provide information stored in the local agent index.

  • Data Governance agents: Agents collect security data from your managed hosts, and if configured, can also collect resource activity data. The agent cache stores all the detailed indexed information.
  • Databases: The One Identity Manager database stores configuration and security information. The Data Governance Resource Activity database stores resource activity information.
  • Managed hosts: A managed host is any network object that can host resources and can be assigned an agent to monitor security and resource activity. Managed hosts store the data on which users perform actions. Currently supported managed hosts include Windows computers, Windows clusters, certain network attached storage (NAS) devices, SharePoint farms and certain cloud providers, including SharePoint Online and OneDrive for Business. See the One Identity Manager Data Governance Edition Deployment Guide for a complete list of supported platforms.

For more information about component communications and how communication is encrypted, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Figure 2: Data Governance Edition architecture

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating