Deploying a Taxonomy
Before you begin deploying a taxonomy that is intended for use by business owners to help secure your unstructured data, you should have a workflow in place for managing updates. Once a category is in production, changes should be handled carefully, so as not to unnecessarily disrupt the business owner’s interaction with the system, and to continually ensure that actual categorizations and resulting work flows in your organization are reflective of your needs.
 |
It is possible that modifying categories, rules and text extractors in the production environment can have unintended results. Increased policy violations, changes to categorizations on owned resources, and more required attestations can occur. Reports may be inaccurate and business owners may end up spending time dealing with the unexpected results of a change. |
When you make changes to the production environment, all scanned resources are subject to the change. Although you can make changes in the production environment, it is not recommended. Instead, you should maintain a separate Data Governance server with test copies of your taxonomies.
There are a number of things that you may need to modify over time, and each has its own considerations.
| Modification | Consideration |
| Adding a taxonomy or category | New categories should be fully tested before you bring them online, and monitored closely once categorization begins. See Creating a Taxonomy and Creating a Category. |
| Modifying a category: changing its properties or adding/removing rules | Significant changes to categorizations can result from what might seem like a simple change. See Editing Category Settings for details on the impact of changing properties, and Associating Rules to Categories and Applying Rule Weights. |
| Removing a category | You should only delete categories once you have ensured that the category is not referenced elsewhere in the system. If desired, you can unpublish a category. Business owners will not see any categorizations using this category, and no new categorizations can be made using it. Existing categorizations can be viewed by classification analysts only. Once a category has been published, it is not recommended that you unpublish a category to do further development work on it, as this will likely cause confusion for business owners when categorizations are not shown. Once a category is unpublished, you should either leave it that way or delete it. Instead, use your test environment for category development. |
| Modifying or removing a rule | Rules can be shared across multiple categories, spanning more than one taxonomy. Because of this, a change to a rule can have a wide reaching impact on categorization. It is important to test changes on all impacted categories before implementing the rule change on a production taxonomy. For more information see Implementing Rules for Automated Categorization. |
| Modifying a text extractor | Text extractors can be shared across multiple rules, which can affect multiple categories and taxonomies. Because of this, a change to a text extractor can have a wide reaching impact on categorization. It is important to test changes on all impacted categories before implementing the text extractor change on a production taxonomy. For more information, see Working with Text Extractors. |
Modifying a Production Taxonomy
Categorization using Quest One Identity Manager is intended to help you identify risks posed by the contents of your unstructured data. Using categorization, you gain information about the content of your data and the risks it poses, and then using policies, you can control access to resources based on content or risk. Attestations add more security by validating that the categorizations are correct.
Because of the interplay of categorizations, risk and policies, it is important to only deploy changes you want business owners to see. Any change to a category can change a business owner’s categorizations, which could lead to confusion or unnecessary manual overrides during the time you are testing your changes. For this reason, you should avoid making changes to categories that are visible to business owners. Instead, set up a test environment with its own Data Governance server.
By maintaining a separate test environment, you can predict the results of your changes across your environment, and test right through to the policy level. You can scan a set of carefully built test resources, and/or scan documents in the live environment and see the full categorization results. Business owners and other users will not have access to your environment, so you can comfortably make and test changes.
When you use a test environment, you will need some way of ensuring that all elements of the production system are present in the test environment. The simplest way to do this is using a taxonomy export and import system. At any given time, your test environment may have more under development than you want to deploy, so you may need to modify the exported XML manually before importing it to your production environment.
Here is a sample workflow you could use in this scenario:
| Step | Description |
| If necessary, ensure your test environment is up to date by exporting your production taxonomy to your test environment. | See Exporting Taxonomies for details. This step is only necessary if changes have been made in the production environment, which is not recommended. You should export all taxonomies to ensure that all shared elements can be properly tested. If your test taxonomy contains new categories that have not yet been deployed, they will not be overwritten. |
| Make changes in the test environment as required. | See Working with Taxonomies, Working with Categories, Managing Rules in the Classification System and Advanced Rule Applications. |
| Test your changes, taking into account all affected categories. | See Testing and Reviewing Automated Classification for details on the tools available to you for testing. |
| For extra protection, unpublish all new categories in the test environment. This allows you to turn them on in the production environment when you are ready, not immediately on importing the changes. | See Making a Category Available to the Classification System for more details. |
| Trim your template XML file. | You may have elements under development, such as a new category or modified rule, that you would prefer not to import into the production environment. You can manually trim this from the template XML file before importing it. |
| Import affected taxonomies into the production environment. | Importing includes rules and entities. This will fully update your production environment. If you chose to unpublish categories before exporting, you can publish categories as you are ready to bring them online. All changes will now be live in the system, and categorization will begin with the next scanned document. |
| To ensure that your changes have the expected behavior, you should monitor the new categorizations carefully. | For more information, see: Determining Why Categorizations Were Applied to a Resource, Viewing Categorized Resources and When Do Categorization and Classification Occur?. |
Working with Categorized Resources
Working with the Categorization of Your Resources
Contents
Categorization helps you and the security professionals in your organization understand the contents of your documents. Categories are organized into logical trees called taxonomies. Your organization will implement taxonomies that are suited to your business needs.
Using this information can help ensure that sensitive documents are properly secured. For example, policies may be created that define who can have access to a resource with a particular category applied, helping prevent inappropriate access.
If you are a classification analyst or compliance officer, you may want to review in detail the categorizations on a particular resource. This can help you understand the quality of your system, and gain insight into how business owners are interacting with it.
When you look at your resources, you can see how they are categorized. The current categorization determines your options for managing your resources.
- Working With Manually Categorized Resources
- Working With Automatically Categorized Resources
To view the current categorization on a resource
- Select My Business Ownerships | File System Resources.
-OR-
Select My Business Ownerships | SharePoint Resources. - If necessary, select All my resources.
- Click the resource, and then select Categorization.
All categories currently assigned to the resource are shown. It is helpful to group by taxonomy to get a better understanding of the categories. Drag the Taxonomy column header to the row above the table.