Classification is included in Data Governance Edition, but before you use it you must define classification levels in Data Governance Edition that match the levels defined by your company. Once defined, these classification levels can be assigned to governed resources.
The following PowerShell commands manage the classification levels used in your Data Governance Edition deployment and assign a classification level to a governed resource.
Use this command | If you want to
---|---
Add-QClassificationLevel | Define a new classification level for use in your Data Governance Edition deployment.
Get-QClassificationLevelConfiguration | Retrieve details about the classification levels configured in your Data Governance Edition deployment.
Get-QDataUnderGovernanceByClassificationLevel | Retrieve a list of governed resources assigned a specific classification level.
Remove-QClassificationLevel | Remove a classification level from your Data Governance Edition deployment.
Set-QClassificationLevel | Update an existing classification level in your Data Governance Edition deployment.
Set-QClassificationLevelOnDug | Assign a classification level to a governed resource.
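The following script is an added example and is not part of the One Identity documentation or of Data Governance Edition itself. It chains the cmdlets above into the workflow the text describes: mirror the company scheme as classification levels (idempotently, so re-running does not create duplicates), assign a level to one governed resource, and report how many governed resources sit at each level. Only the cmdlet names come from the table; the parameter names (-Name, -Description, -ClassificationLevelId, -DataUnderGovernanceId) and the Name/Id properties on the returned objects are assumptions for illustration, so confirm them with Get-Help in your own DGE PowerShell session before running it. The classification scheme and the resource ID are constructed sample data.

```powershell
# Added example, not from the One Identity documentation or from Data Governance Edition.
# Cmdlet names are the ones documented above. Everything marked ASSUMED is illustrative;
# verify it in your deployment first:
#   Get-Help Add-QClassificationLevel -Full
#   (Get-Command Set-QClassificationLevelOnDug).Parameters.Keys

# Company classification scheme to mirror in DGE (constructed sample data)
$scheme = @(
    [pscustomobject]@{ Name = 'Public';       Description = 'May be shared outside the company' }
    [pscustomobject]@{ Name = 'Internal';     Description = 'Employees and contractors only' }
    [pscustomobject]@{ Name = 'Confidential'; Description = 'Need-to-know; owner approval required' }
    [pscustomobject]@{ Name = 'Restricted';   Description = 'Regulated or trade-secret data' }
)

# 1. Define the levels idempotently. Re-running the script must not create duplicates,
#    so look up what is already configured and skip those names.
#    ASSUMED: configuration objects expose a Name property.
$existing = @(Get-QClassificationLevelConfiguration)
foreach ($level in $scheme) {
    if ($existing.Name -contains $level.Name) {
        Write-Verbose "Classification level '$($level.Name)' already exists, skipping"
        continue
    }
    # ASSUMED parameter names: -Name, -Description
    Add-QClassificationLevel -Name $level.Name -Description $level.Description
}

# 2. Assign the most sensitive level to one governed resource.
#    $dugId is the ID of a governed resource (Data Under Governance) in your deployment;
#    the value here is a placeholder.
$dugId = 'REPLACE-WITH-GOVERNED-RESOURCE-ID'
$restricted = Get-QClassificationLevelConfiguration | Where-Object { $_.Name -eq 'Restricted' }
# ASSUMED parameter names: -DataUnderGovernanceId, -ClassificationLevelId; ASSUMED Id property
Set-QClassificationLevelOnDug -DataUnderGovernanceId $dugId -ClassificationLevelId $restricted.Id

# 3. Audit: how many governed resources are assigned to each level.
#    Anything that does not show up here is unclassified and will trip the
#    "Governed data must be assigned to a Classification level" company policy.
foreach ($level in @(Get-QClassificationLevelConfiguration)) {
    # ASSUMED parameter name: -ClassificationLevelId
    $resources = @(Get-QDataUnderGovernanceByClassificationLevel -ClassificationLevelId $level.Id)
    [pscustomobject]@{ Level = $level.Name; GovernedResources = $resources.Count }
}
```

Run it with -Verbose (after wrapping it in a function or script with [CmdletBinding()]) to see which levels were skipped as already present. The idempotency check matters because Remove-QClassificationLevel is the only way back out, and a level that already has governed resources assigned to it should not be removed casually.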
One Identity Manager ships with a predefined set of attestation policies for governed data. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Attestation policies | Predefined folder in the Attestation navigation view in the Manager.
All of these attestation policies are enabled by default once their schedule is enabled. You can disable an individual attestation policy using the Change master data task from the Attestation policy overview in the Manager.
The following attestation policies are available by default for governed data.
Attestation policy | Predefined approval policy | Description
---|---|---
Data Governance: Accounts with direct access attestation | Attestation of account entitlements by employee manager. | Notify the employee marked as "responsible" for an account (that is, as a manager or as the person responsible for a particular privileged account) to attest to the entitlements of these "managed" accounts.
Data Governance: Groups with direct access attestation | Attestation of group entitlements by group owner. | Group product owner attests single group entitlements granting direct access.
Data Governance: Resource ownership attestation | Attestation by resource owner. | Resource owner attests ownership of governed resources, thereby approving their ownership.
Data Governance: Resource security attestation | Attestation by resource owner. | Managed resource owner attests to the security configuration of governed resources, focusing on the highest entitlements only.
Data Governance: Resource security deviation attestation | Attestation by resource owner. | Resource owner attests governed resources with deviations in access security.
Tips for using governed data attestations:
For more information on the One Identity Manager attestation feature, including how to define attestations, execute attestations and introduce automatic or manual correction measures, see the One Identity Manager Attestation Administration Guide.
One Identity Manager ships with a predefined set of company policies for governed data which can be enabled. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Policies | Working copies of policies | Predefined folder in the Company Policies navigation view in the Manager.
The predefined governed data policies include:
Policy | Description
---|---
Access not granted on governed data for the predefined group "Everyone" | A policy violation occurs when the built-in Active Directory group "Everyone" has any access assigned.
Full access not granted on governed data for the predefined group "Everyone" | A policy violation occurs when the built-in Active Directory group "Everyone" has any "Full Control" access assigned.
Governed data must be assigned to a Classification level | A policy violation occurs when governed data is found that does not have a classification level assigned.
No governed data with access assigned to accounts other than AD security groups | A policy violation occurs when governed data is found with access assigned to accounts other than Active Directory security groups.
No governed data with conflicting NTFS permissions for Allow/Deny | A policy violation occurs when governed data is found with conflicting Allow/Deny access assigned.
No governed data with high risk index (> 0.75) accessible by accounts of external employees | A policy violation occurs when an external employee has access assigned to governed data with a high risk index.
Tips for using governed data policies:
Manager: Working copies of company policies are disabled by default. You can, however, enable these policies using the Enable working copy task from the Change master data view of a policy.
For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.
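Three of the predefined policies above are pure NTFS ACL conditions, and it helps to see what they evaluate before enabling them and waiting for the next policy check run. The script below is an added example, not One Identity code and not how Data Governance Edition implements the policies: it reads one folder's ACL with Get-Acl and reports the same three conditions ("Everyone" has any access, "Everyone" has Full Control, and a trustee has overlapping Allow and Deny rights). It uses only built-in cmdlets and .NET security types; the folder path is a constructed sample.

```powershell
# Added example, not from the One Identity documentation or from Data Governance Edition.
# Checks a single NTFS folder against three of the predefined governed-data policies.
function Test-GovernedDataAcl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path

    # Compare the well-known SID S-1-1-0 rather than the name "Everyone", so localized
    # or renamed display names cannot hide the group.
    $everyoneSid = 'S-1-1-0'
    # FullControl as a plain bitmask. Masking with it also drops generic-right bits
    # (0x80000000 and friends), which otherwise make the enum value negative.
    $fullMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    $findings  = New-Object System.Collections.Generic.List[string]
    $byTrustee = @{}   # SID string -> @{ Name; Allow = mask; Deny = mask }

    foreach ($ace in $acl.Access) {
        $sid    = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $rights = ([int]$ace.FileSystemRights) -band $fullMask
        $type   = $ace.AccessControlType.ToString()   # 'Allow' or 'Deny'

        # Policies: "Access not granted ... Everyone" and "Full access not granted ... Everyone".
        # Only Allow ACEs grant anything; a Deny for Everyone is not a grant.
        if ($sid -eq $everyoneSid -and $type -eq 'Allow') {
            if ($rights -eq $fullMask) {
                $findings.Add('Everyone has Full Control (violates both Everyone policies)')
            } else {
                $findings.Add(("Everyone has access: {0}" -f [System.Security.AccessControl.FileSystemRights]$rights))
            }
        }

        # Accumulate Allow and Deny masks per trustee for the conflict check.
        if (-not $byTrustee.ContainsKey($sid)) {
            $byTrustee[$sid] = @{ Name = $ace.IdentityReference.Value; Allow = 0; Deny = 0 }
        }
        $byTrustee[$sid][$type] = $byTrustee[$sid][$type] -bor $rights
    }

    # Policy: "No governed data with conflicting NTFS permissions for Allow/Deny".
    # The same right both allowed and denied for one trustee is the conflict; NTFS
    # resolves it in favour of Deny, so the Allow is dead weight that hides intent.
    foreach ($entry in $byTrustee.Values) {
        $overlap = $entry.Allow -band $entry.Deny
        if ($overlap -ne 0) {
            $findings.Add(("Conflicting Allow/Deny for {0} on: {1}" -f $entry.Name,
                [System.Security.AccessControl.FileSystemRights]$overlap))
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Compliant  = ($findings.Count -eq 0)
        Violations = $findings.ToArray()
    }
}

# Constructed sample path; point it at a share you can reach from this machine.
Test-GovernedDataAcl -Path 'D:\Shares\Finance' | Format-List
```

Inherited ACEs are included in $acl.Access, which is what you want: a violation inherited from a parent folder is still a violation on the governed resource. The script does not attempt the "accounts other than AD security groups" policy, because deciding whether a trustee is a security group needs a directory lookup rather than an ACL read.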
One Identity Manager ships with a predefined set of risk index functions used to calculate the risk index for governed data. These predefined risk index functions are available when the Data Governance Edition module is installed and can be found in the Risk index functions | Governed data (QAMDuG) | Properties folder in the Risk Index Functions navigation view in the Manager.
The predefined governed data risk index functions include:
Risk index function name | Description | Default weighting / Change value
---|---|---
Attestation of data under governance | Reduces the risk of a governed resource when an attestation policy is enabled. | 0.02
Defined owner for data | Reduces the risk of a governed resource when a business owner has been assigned. | 0.01
Full access for "Everyone" | Increases the risk of a governed resource when "Everyone" is granted full access to the resource. | 0.2
Full access for accounts | Increases the risk of a governed resource when accounts other than "Everyone" are granted full access to the resource. | 0.1
Last access > 30 days | Reduces the risk of a governed resource when it was last accessed more than 30 days ago. | 0.04
Last access > 60 days | Reduces the risk of a governed resource when it was last accessed more than 60 days ago. | 0.06
Last access > 90 days | Reduces the risk of a governed resource when it was last accessed more than 90 days ago. | 0.08
Last access > 180 days | Reduces the risk of a governed resource when it was last accessed more than 180 days ago. | 0.1
No classification level assigned | Increases the risk of a governed resource when no classification level has been assigned. | 0.1
Policy violation | Increases the risk of a governed resource when a company policy violation occurs. | 0.2
Published to IT Shop | Increases the risk of a governed resource when the resource is published to the IT Shop. | 0.1
Read only access | Increases the risk of a governed resource when read-only access is granted. | 0.05
Write access | Increases the risk of a governed resource when read and write access is granted. | 0.1
Tips for using governed data risk index functions:
For more information on One Identity Manager's risk assessment feature, see the One Identity Manager Risk Assessment Administration Guide.