
Identity Manager Data Governance Edition 9.2.1 - User Guide


Remove groups dialog

Use the Remove groups dialog to select the groups to be included in a remove simulation. This dialog appears when you click the Select Groups button at the top of the Account Simulation view when performing a remove from groups simulation.

This dialog contains the following controls:

Table 60: Select groups dialogs: Controls

Control | Description
Groups list | Once groups have been selected, this list displays the groups to be included in the simulation.
Browse Groups | Click the Browse Groups button to display the Select User or Group dialog to locate and select the groups to be included in the simulation.
Simulate | After selecting the groups to be used in the simulation, click the Simulate button to initiate the simulation process.
Cancel | Click the Cancel button to close the dialog without saving your selections or launching a simulation.

Bringing data under governance

Controlling access to data is vital to eliminating issues such as security breaches, loss of sensitive information, or non-compliance with external and internal guidelines. You need a process that enables you to:

  • Assign business owners.

    Assigning the business owner for a resource to establish the custodian for data should be done with care. This employee can be identified through various reports. For more information, see Managing business ownership for a resource.

    Note: The assignment of a business owner is an essential component of data governance as this role is inherently part of the compliance workflows. You do not need to assign an owner when you place a resource under governance; however, you cannot assign an owner unless the resource is governed.

  • Publish resources to the IT Shop.

    Resource access requests are performed within the web portal for resources located in the IT Shop. For more information, see Publishing resources to the IT Shop. Requests follow a predefined approval process in which the assigned business owner and group owners decide whether the request is approved or denied.

  • Create policies that allow you to set rules and guidelines surrounding data to ensure its safety, reliability, and accountability.

    Policies and violations can help to identify resources that need to be placed under governance.

    For a list of the governed data company policies provided with Data Governance Edition, see Governed data company policies.

  • Establish a data access approval and attestation process to ensure the data stays in a managed state.

    Attestation reviews ensure that the business has a clear statement of an employee’s data access and ensure that access to NTFS and SharePoint data is correct.

    The attestation process places responsibility for the attestation review with the data or business owner as they have the best knowledge of the data and its intended use.

    For a list of the governed data attestation policies provided with Data Governance Edition, see Governed data attestation policies.

Related Topics

What is "Governed Data"?

Placing a resource under governance

Governed data view

Removing resources from governance

Managing resources under governance

Publishing resources to the IT Shop

Managing business ownership for a resource

Calculating perceived owner

Establishing compliance policies

What is "Governed Data"?

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data. The workflows cross the Manager and the web portal.

Through the Manager, you can:

  • Place resources (folders or shares) under governance.
  • Publish resources (folders or shares) to the IT Shop, thereby enabling self-service requests that provide compliance checks.

    Note: Publishing resources to the IT Shop is not available for resources on NFS or Cloud managed hosts.

  • Identify and assign the business owner for data.
  • Create access policies to ensure a system of least privileges.

Through the web portal, users have access to:

  • IT Shop self-service access requests.
  • Access certification processes that ensure proper allocations of resources.
  • Policy enforcement systems.
  • Views, dashboards, and reports that enable business owners to see the access employees have to all the resources they own and the resource activity on those resources.

Data is considered “governed” when one of the following actions has occurred:

Once data is "governed", the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.

The Data Governance server also periodically retrieves resource activity summary and security information which is used to calculate perceived ownership suggestions for data under governance. The activity summary information is used for populating various dashboards and views in the web portal and the perceived ownership data is used for reports.

Placing a resource under governance

Identifying data to be governed is continuously adaptive in nature. Those responsible for identifying the data may include the business owner, the administrator, the compliance officer, and managers.

Consider the following when making your selection:

  • Monitor "Top Active Content" and "Top Active Users" reports and views in the web portal to locate content that is potentially valuable to the organization.
  • Identify enterprise applications that provide the ability to export sensitive information in an unencrypted format.
  • Identify content with several access points. For example, if content is available to "Everyone", "All Sales", or "All Employees" you would assume that it is meant for public consumption. However, there is the chance that a sensitive file may be placed in the public area either in error or through malicious intent. It is important to assign a "high risk" index to content with wide access points and bring them under control.
  • Identify groups with many members and investigate their data access. Sensitive information could be inadvertently available to people through their group memberships.
  • Talk to business owners. They are stakeholders in making the data governance process successful. Understand how they create content and the repositories they use — SharePoint or file servers. They can provide information about the importance of content that is created by the different "roles" in their department or organization. This can identify shares and folders that must be governed and important groups or roles from their perspective.
  • Identify trends in "Resource Access Requests" in the web portal IT Shop. If requests for access to a share or a specific SharePoint folder are increasing, the resource may be a candidate to be watched for activity.
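
The two access-breadth checks in the list above (content reachable through wide access points, and groups with many members) can be run over an exported permission list before deciding what to govern. The Python below is an added example, not part of Data Governance Edition or this guide; the group names, paths, BROAD list and min_users threshold are constructed assumptions, and the ranking is not the product's risk index.

```python
from collections import defaultdict

# Constructed sample data (not from the product): group -> direct members.
# Names without an entry here are treated as user accounts.
GROUPS = {
    "All Employees": ["All Sales", "Engineering", "hr.lee"],
    "All Sales": ["s.ortiz", "s.khan", "Sales Managers"],
    "Sales Managers": ["m.diaz", "All Sales"],  # nesting cycle on purpose
    "Engineering": ["e.wong", "e.patel"],
    "Finance": ["f.ng"],
}
# Constructed permission export: (resource path, trustee, rights).
ACES = [
    (r"\\fs01\Public", "Everyone", "Read"),
    (r"\\fs01\Sales\Forecasts", "All Sales", "Modify"),
    (r"\\fs01\Sales\Forecasts", "f.ng", "Read"),
    (r"\\fs01\Finance\Payroll", "Finance", "Modify"),
    (r"\\fs01\Finance\Payroll", "All Employees", "Read"),
]
# Trustees treated as open to all accounts (assumed list for this example).
BROAD = {"Everyone", "Authenticated Users"}

def expand(trustee, seen=None):
    """Return the user accounts a trustee resolves to, following nested groups."""
    seen = set() if seen is None else seen
    if trustee not in GROUPS:
        return {trustee}
    if trustee in seen:  # group already visited: stops membership cycles
        return set()
    seen.add(trustee)
    users = set()
    for member in GROUPS[trustee]:
        users |= expand(member, seen)
    return users

def governance_candidates(aces, min_users=5):
    """Rank resources: open-to-all first, then by number of accounts with access."""
    reach, broad = defaultdict(set), defaultdict(set)
    for path, trustee, _rights in aces:
        if trustee in BROAD:
            broad[path].add(trustee)
        else:
            reach[path] |= expand(trustee)
    rows = []
    for path in set(reach) | set(broad):
        n = len(reach[path])
        if broad[path] or n >= min_users:
            rows.append((path, n, sorted(broad[path])))
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))
```

With the sample data, the Payroll folder surfaces because the nested "All Employees" grant reaches seven accounts even though its direct ACL lists only two trustees.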

NOTE: For all managed host types, when placing a resource under governance, the resource must be a managed path or a folder or share under a managed path.

  • For remote managed hosts and SharePoint managed hosts, if you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. If the managed host has more than one agent assigned, you are prompted to select the agent to which the managed path is added.
  • For local managed hosts, if you are scanning managed paths (that is, there are paths in the managed paths list), and you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. However, if you are scanning the entire server (that is, the managed paths list is empty) and you place a resource under governance, no changes are made to the managed paths list and you continue to scan the entire server.

Note: On a per-host basis, ensure that you complete all tasks (such as adding managed paths and placing resources under governance) in the same manner — either at the share or folder level.

NOTE: In order for a DFS link, target share path or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server where the DFS link is pointing to must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.

To place a resource under governance

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. Double-click through the resources to locate the required resource (folder or share).
  4. Select the required resource (folder or share) and select Place resource under governance from the Tasks view or right-click menu.
  5. In the Place resource under governance dialog, confirm the display name and click Govern Resources.

    When placing a share under governance, you can use the backing folder security or share permissions for self-service resource access requests in the web portal. The Use backing folder security for self-service option is selected by default and uses the backing folder security for the share. Clear this option to use the share permissions for the share.

    When placing a DFS link under governance, select the type of security to be used:

    • Use Folder Security: This option is selected by default and uses the backing folder security for self-service resource access requests to this governed resource. The backing folder should be accessible to the Data Governance service and the Data Governance agent service.
    • Use Share Security: Select this option to use the share permissions for self-service resource access requests to this governed resource.
    • Use DFS Security: Select this option to use the DFS access-based enumeration security for self-service resource access requests to this governed resource.

Back in the Resource browser, "True" now appears in the Governed Resource column. The governed resource is also added to the Governed data view.

Related Topics

Removing resources from governance
