Introduction
About this Guide
System Requirements
Minimum Required Permissions
Required Ports
Performance Calculations
Deploying Classification in Identity Manager
Classification Overview
Required Components
Component Workflow
Activating Classification
Configuring Classification: Taxonomies, Categories, and Rules
Install the Classification Components
Enable Classification in the Designer
Identify the Classification Service Account
Deploy the Classification Server
Deploy Classification Workers
Enable and Disable Automatic Classification on Specific Managed Hosts
Enabling Categorization on Folders (Security Index Roots)
Managing the File Types to be Classified
Starting Initial Classification
Upgrade an Agent for Classification
Re-classify Data
Classification Application Roles
Troubleshooting the Classification Deployment
An Overview of Classification Configuration
Steps Required to Implement Classification
Creating Taxonomies
Working with Categorized Resources
Working with Taxonomies
Implementing Rules for Automated Categorization
Creating a Taxonomy
Importing and Replacing Taxonomies
Editing a Taxonomy
Deleting a Taxonomy
Exporting Taxonomies
Working with Categories
How Rules Affect Categorization
Managing Rules in the Classification System
Classifying Resources
When Do Categorization and Classification Occur?
Managing the Life Cycle of Taxonomies and Categories
Creating a Rule
Editing a Rule
Associating Rules to Categories and Applying Rule Weights
Deleting a Rule
Advanced Rule Applications
Working with Text Extractors
Identifying Text Extractors used within the System
Creating Text Extractors
Validating the Text Extractor
Editing Text Extractors
Removing Text Extractors
Working with Regular Expression Text Extractors
Working with Dictionary Text Extractors
Managing Public Dictionary Text Extractors
Managing Protected Dictionary Text Extractors
Managing Dictionary Text Extractors with PowerShell
Working with Advanced Text Extractors
Testing and Reviewing Automated Classification
Testing a Rule against a Resource
Testing all Rules Against a Resource
Viewing the Text from a Resource
Determining Why Categorizations Were Applied to a Resource
Viewing Categorized Resources
Making a Category Available to the Classification System
Working with the Categorization of Your Resources
Appendix A: PowerShell Commands
What Categories Can You Apply?
Working With Manually Categorized Resources
Working With Automatically Categorized Resources
Categorization Statistics and Views
Adding the PowerShell Snap-ins
Finding a Taxonomy, Category, or Extractor ID using PowerShell
Deploying the Classification Server and the Classification Worker
Troubleshooting Deployment
Managing Taxonomies
Appendix B: Oracle Configuration
Appendix C: Classifying Data with Data Governance Templates
Available Templates
Appendix D: Creating a Taxonomy to Classify Data
Deploy the Classification Server
The Classification Server can be installed on the same computer where the Data Governance Server is installed. However, for load balancing it is recommended to install the Data Governance and Classification Server on different computers and deploy Classification Workers as required.
 |
The Classification server requires 500 MB of space for installation, 200 MB space for logs, plus an additional 2 GB per 1 million resources for data processing. |
 |
If you are using an Oracle database: You need to create the required tablespaces before installing the Classification server. You must also ensure that the Classification server has the ADO client for Oracle (32bit version of ODP.Net) installed. Supported versions include ODAC 11.2 Release 3 or higher. For details, see Using an Oracle Database for Classification. The database instance where your tablespaces for the Classification databases reside must have AL32UTF8 specified for the default character set, and the national character set must be set to UTF-8. These setting are required by the Classification server. This must be done when the instance is created, before the tablespaces are created and the Classification server is deployed. |
To deploy the Classification Server
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select Configuration.
- Click Deploy to add the Classification server.
A check will be made to ensure that a service account has been identified as the classification service account. - If you are using SQL, specify the database to use by selecting it from the list of available servers, and enter the Content and Topic databases to use and click Next. Select the required authentication method and associated credentials, and click Next.
-OR-
If you are using Oracle, the available database will be listed for you. Enter the Service name, the Username and Password for the Content and Topic databases, and click Next.To locate the Service name, run the following cmd on the Oracle DB server: lsnrctl status.
The Classification server will now be deployed with the specified configuration.If you want to have a custom deployment of Classification Server (for example, using a non-default database server), you will need to use PowerShell (Deploy-QClassificationServer).
Upgrading the Classification Server
To upgrade a Classification Server
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.
From here you will see all the currently deployed Classification Server and Workers. - Click Upgrade.
- Click Next to proceed.
- If you are using SQL, specify the database to use by selecting it from the list of available servers.
-OR-
If you are using Oracle, the available server will be listed for you. - Enter the database credentials and click Next.
- Click Finish.
Existing taxonomies are unaffected by a server upgrade. If you have a custom Classification Server deployment (created with PowerShell and non-default parameters), you will need to use PowerShell (Deploy-QClassificationServer) to upgrade the server.
Removing the Classification Server
To remove a Classification Server
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.
From here you will see the currently deployed Classification Server and Workers. - Click Remove.
- Click Yes to confirm the removal.
Deploy Classification Workers
| |
The Classification worker cannot be installed on a domain controller. |
To add a Classification Worker
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.
From here you will see the currently deployed Classification Server and Workers. - Select Add Classification Worker from the Tasks view.
You can deploy one worker per computer and the computer must be in a managed domain. - Select the computer where you want to add the server, and click Deploy.
- Click Close.
At least one Classification Worker must deployed in the environment. You can add more workers, as required, to improve performance. You can also deploy a worker with the Deploy-QClassificationWorker command.
Removing a Classification Worker
To remove a Classification Worker
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.
From here you will see the currently deployed Classification Server and Workers. - Select the required Classification Worker, and select Remove from the Tasks view.
- Click Yes to remove the Classification Worker from the deployment.
When you remove the worker, the rules engine for classifying data will no longer be processed on this computer.
Upgrading a Classification Worker
To upgrade a Classification Worker
- In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.
From here you will see all the currently deployed workers. If a newer version is available, you will need to perform an upgrade. - Select the desired Classification Workers, and right-click and select Upgrade.
- Click Yes to confirm the upgrade.
- Click Close once the upgrade is complete.
You can also upgrade the worker with the Deploy-QClassificationWorker command.
Enable and Disable Automatic Classification on Specific Managed Hosts
Contents
Data Governance allows for both automatic and manual classification of resources.
Automatic classification refers to the process by which a resource is categorized according to defined rules. This is enabled on a per managed host basis to ensure that target computers containing potentially sensitive data are processed while maintaining a reasonable amount of network traffic.
Manual classification refers to assigning a resource to a given taxonomy and category. This is performed within the Web Portal by the business owner. Manual classification overrides automatic classification.
There may be a time lapse between when the business owner is able to manually classify data in the Web Portal and when the resources marked for automatic classification in the Manager are processed. If the business owner categorizes a resource prior to the processing, they will be able to eventually see the automatic processing results and make adjustments where required within the Web Portal.
For details on managing your classified resources, see Classifying Resources.
Automatic classification can be enabled when you add a managed host to the Data Governance deployment or at a later date.
To enable automatic classification on currently deployed managed hosts
- In the Manager/Identity Manager select the Data Governance navigation view and select Managed hosts.
- Select the required managed host in the Managed host tab, and select Change master data in the Tasks view.
- Select the Classification tab and check Enable automatic classification.
Enabling automatic classification will update the Data Governance agent and install the Classification agent on the managed host.
Enabling Categorization on Folders (Security Index Roots)
Before data can be processed and classified, the folders that contain the data must be specified. This is accomplished through the security index root configuration.
A security index root is the root of an NTFS directory tree to be scanned by an agent, or a point in your SharePoint farm hierarchy below which everything is scanned.
To enable classification on folders and their contents
- In the Manager/Identity Manager select the Data Governance navigation view and select Managed hosts.
- Select a managed host in the Managed host tab, and select Change master data in the Tasks view.
- Select the Security Index Roots tab.
- Select Configure security index roots from the Tasks view.
- Choose the directory to be scanned and the required agent, enable Classification where required, and click OK.