Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.2.1 - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Perceived owners for data under governance report

Unstructured data can be substantial across an enterprise, so it is important to understand who is responsible for managing that data. This is paramount for data that has been identified as important or sensitive and placed under governance.

Historical resource activity or security information is used to determine the perceived owner and provide guidance on who should be assigned as the business owner for a particular resource. For more information, see Managing business ownership for a resource.

Compliance officers and administrators can run this report against the entire enterprise. The report helps to identify whether data ownership is applied properly. This is a useful report to run when you are first bringing resources under governance to understand the resource activity patterns and starting a data stewardship process.

Use the following parameter to define the contents of the report.

Table 69: Perceived owners for data under governance: Report parameters
Parameter Description
Exclude Resources with Owner Select this check box to exclude resources that already have an owner assigned from the report.

Account access report

Having a clear picture of who can access data within your organization is key in maintaining data governance. This report displays an account’s resource access across all managed hosts within the enterprise and a detailed view of account group membership.

Managers can run this report for any account they manage; Compliance officers and administrators can run it for any account within the enterprise. This report helps to ensure that access has been properly assigned so that employees can perform their day to day duties. The report also identifies how accounts have attained that access and whether the level of access is appropriate.

Note: This report is not available for NFS managed hosts.

Use the following report parameters to define the content of the Account access report.

Table 70: Account access: Report parameters
Parameter Description
Hosts

Specify the managed hosts to be included in the report:

  • All accessible hosts
  • Specific hosts

When the Specific hosts option is selected, select the individual hosts to be included.

Excluded Accounts

(Optional) Select the users, groups, or built-in security principals to be excluded from the report. Use the Add and Delete buttons to populate this exclusion list.

Expand Groups

Specify whether you want to include group members in the report. That is, select the Expand Groups check box if you want to include access granted through group membership in the report.

Resource Types

Select the resource types to be included in the report. By default, all resource types are included.

NOTE: Only resource types that apply to the selected trustee are displayed.

Excluded File Types

(Optional) Specify the file extensions for the types of files to be excluded from the report. Use the buttons on this page to add and remove file extensions from the exclusion list:

  • Export: Exports the current exclusion list to a QAM Extension List (*.qamel) file. Clicking this button displays the Save As dialog allowing you to specify a file name and location for saving the file.
  • Import: Imports the file extensions from a QAM Extension List (*.qamel) file. The QAM Extension List file can be a previously exported file or one that was manually created with the .qamel file extension. Clicking this button displays the Select an import file dialog allowing you to select the file to be imported.
  • Default: Adds the default list to the exclusion list.
  • Remove: Removes the selected file extensions from the exclusion list. You can remove individual extensions or a category, which will remove all of the extensions listed under that category.
  • Add: Adds the specified file extensions to the exclusion list. Clicking this button displays the Add Excluded Extension dialog allowing you to specify the category and extensions to be added to the exclusion list. When entering multiple extensions, separate them with a semi-colon (for example, exe;tmp;log;jpg)
Excluded Folder Names

(Optional) Specify the names of folders to be excluded from the report. Use the buttons on this page to add and remove folders from the exclusion list:

  • Export: Exports the current exclusion list to a QAM Folder List (*.qamtf) file. Clicking this button displays the Save As dialog allowing you to specify a file name and location for saving the file.
  • Import: Imports the folder names from a QAM Folder List (*.qamtf) file. The QAM Folder List file can be a previously exported file or one that was manually created with the .qamtf file extension. Clicking this button displays the Select an import file dialog allowing you to select the file to be imported.
  • Default: Adds the default list to the exclusion list, which includes:
    • %SystemRoot%
    • %ProgramFiles%
    • %ProgramFiles(x86)%
  • Remove: Removes the selected folder names from the exclusion list.
  • Add: Adds the specified folder name to the exclusion list. Clicking this button displays the Specify the folder to exclude dialog allowing you to enter the folder name to be added to the exclusion list.
Data Under Governance Only

Specify whether to include only resources that are under governance in the report. That is, select the Data Under Governance Only check box to include only governed resources in the report.

Account access (employee) report

The Account access (employee) report details an employee's direct and indirect access (through group memberships) to file system or SharePoint resources on the managed hosts. This report returns account access information for all of that Employee's associated identities, eliminating the need to rerun the current Account Access report for each individual identity.

Note: This report is not available for NFS managed hosts.

Use the following report parameters to define the content of the Account access (employee) report.

Table 71: Account access (employee): Report parameters
Parameter Description
Managed hosts Select the managed hosts to be included in the report.
Excluded accounts

Optionally select the users, groups or built-in security principals to be excluded from the report. Use the Add and Delete buttons to populate this exclusion list.

Expand Groups

Specify whether you want to include group members in the report. That is, select the Expand Groups check box if you want to include access granted through group membership in the report.

Resource types

Select the resource types to be included in the report. By default, no resource types are included.

Resource types that can be included are:

  • Cloud\File
  • Cloud\Folder
  • NFS\File
  • NFS\Folder
  • NTFS\File
  • NTFS\Folder
  • Server Identities\Windows Service Identity
  • SharePoint\FarmAdminRight
  • SharePoint\ResourceItem
  • SharePoint\SiteCollectionAdminRight
  • SharePoint\WebAppPolicy
  • Windows Computer\Local User Rights
  • Windows Computer Operating System Administrative Rights
  • Windows Computer\Share
Excluded Extensions Optionally specify the names of folders to be excluded from the report. Use the buttons to the right of this field to add and remove extensions from the exclusion list.
Excluded Folders

Optionally specify the names of folders to be excluded from the report. Use the buttons to the right of this field to add and remove folders from the exclusion list.

NOTE: You can use the %<Folder Name>% format to specify Environment Variables to be excluded from the report. For example, %ProgramFiles%.

Data Under Governance

Specify whether to include only resources that are under governance in the report. That is, select the Data Under Governance check box to include only governed resources in the report.

Resource access report

This report identifies the accounts that have access to specific resources within your environment. This can help you meet your compliance and audit goals by ensuring only authorized users can access the specific resources.

Note: The resource browser and resource access reports do not display the limited access users or "previewer" accounts for resources on Cloud managed hosts.

When you run the report, you can select specific resources and isolate specific types of permission, such as modify, full control, read, and execute. The report includes subfolders and files of the identified resources if the security differs from the parent (for example, if inheritance is overridden or blocked).

Business owners can run this report on resources they own; Compliance officers and administrators can run this report for all resources within the enterprise.

This report helps to identify data with several access points that should be monitored and potentially governed. Content that is available to “Everyone” or “All Sales” for example, can pose a high risk of having a sensitive file placed within it either in error or with malicious intent.

Use the following report parameters to define the content of the Resource access report.

Table 72: Resource access: Report parameters
Parameter Description
Display Options

Specify whether you want to include child resources or access granted through group membership in the report.

  • Child Resources: Select the Access Deviations: Block Inheritance or Explicate Access check box to include child resources whose access differs from the selected resource.

    NOTE: In the web portal, this is the Include Child Deviations check box, which is selected by default.

  • Groups: Select the Expand Groups check box to include all group members who have access to the resource.
  • Permissions Options: Select the Use Folder Permissions check box to include folder permissions on EMC and NetApp shares.

    NOTE: This parameter only applies to EMC and NetApp managed hosts.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating