Identity Manager Data Governance Edition 8.0 - User Guide

Select objects dialog

The Select objects dialog is used throughout the Data Governance Edition solution to locate and select the appropriate objects for a given process.

This dialog contains the following controls:

Table 65: Select object dialog: Controls

| Control | Description |
|---|---|
| Select this object type | This field is pre-populated with the appropriate object type(s) based on the task that launched the dialog. |
| Object Types | Click the Object Types button to change the types of objects to be searched. Clicking this button displays a list of object types from which you can select. |
| From this location | This field is pre-populated with the local domain to be searched. |
| Locations | Click the Locations button to change the location to be searched. Clicking this button displays a list of reference domains from which you can select. |
| Enter the object names to select | Enter the name or partial name of the object to be located. |
| Check names | After entering the object name, click the Check names button to search for the specified objects. |
| Object list | If a single object is found that matches the object name (or partial name), it appears in the objects list. If multiple objects are found that match the object name (or partial name), the Multiple Names Found dialog appears, allowing you to select one or more objects from the list. Click OK to save your selection and close the dialog. The objects selected now appear in the object list. To remove an object from this list, right-click an object and select Remove. |
| Advanced | Use the Advanced button to specify a more advanced query for locating an object. Clicking this button displays the Select Users, Computers or Groups dialog to specify the query to be used to locate the object. |
| Import | Use the Import button to import a previously exported QAM Account list (*.qamtl file). |
| Export | Use the Export button to export the currently displayed list of objects to a QAM Account list (*.qamtl file). |

Bringing data under governance

Controlling access to data is vital to eliminating issues such as security breaches, loss of sensitive information, or non-compliance with external and internal guidelines. You need a process that enables you to:

  • Assign business owners.

    Assigning the business owner for a resource to establish the custodian for data should be done with care. This employee can be identified through various reports. For more information, see Managing business ownership for a resource.

    Note: The assignment of a business owner is an essential component of data governance as this role is inherently part of the compliance workflows. You do not need to assign an owner when you place a resource under governance; however, you cannot assign an owner unless the resource is governed.

  • Publish resources to the IT Shop.

    Resource access requests are performed within the web portal for resources located in the IT Shop. Requests follow a predefined approval process in which the assigned business owner and group owners decide whether the request is approved or denied. For more information, see Publishing resources to the IT Shop.

  • Create policies that allow you to set rules and guidelines surrounding data to ensure its safety, reliability, and accountability.

    Policies and violations can help to identify resources that need to be placed under governance.

    For a list of the governed data company policies provided with Data Governance Edition, see Appendix: Governed data company policies.

  • Establish a data access approval and attestation process to ensure the data stays in a managed state.

    Attestation reviews ensure that the business has a clear statement of an employee’s data access and ensure that access to NTFS and SharePoint data is correct.

    The attestation process places responsibility for the attestation review with the data or business owner as they have the best knowledge of the data and its intended use.

    For a list of the governed data attestation policies provided with Data Governance Edition, see Appendix: Governed data attestation policies.

Related Topics

What is "Governed Data"?

Placing a resource under governance

Governed data view

Removing resources from governance

Managing resources under governance

Publishing resources to the IT Shop

Managing business ownership for a resource

Calculating perceived owner

Establishing compliance policies

What is "Governed Data"?

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data. The workflows cross the Manager and the web portal.

Through the Manager, you can:

  • Place resources (folders or shares) under governance.
  • Publish resources (folders or shares) to the IT Shop, thereby enabling self-service requests that provide compliance checks.

    Note: Publishing resources to the IT Shop is not available for resources on NFS or Cloud managed hosts.

  • Identify and assign the business owner for data.
  • Create access policies to ensure a system of least privileges.

Through the web portal, users have access to:

  • IT Shop self-service access requests.
  • Access certification processes that ensure proper allocations of resources.
  • Policy enforcement systems.
  • Views, dashboards and reports that enable business owners to see the access employees have to all the resources they own and the resource activity on those resources.

Data is considered “governed” when one of the following actions has occurred:

Once data is "governed", the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.

The Data Governance server also periodically retrieves resource activity summary and security information which is used to calculate perceived ownership suggestions for data under governance. The activity summary information is used for populating various dashboards and views in the web portal and the perceived ownership data is used for reports.

Note: If you are using an Oracle database, you can configure bulk inserts of governed data security information to improve performance. To do this, add or modify the following setting in the DataGovernanceEdition.Service.exe.config file (located in the Data Governance server installation directory):

<add key="OracleBulkImportBatchSize" value="500"/>

Value: The number of records to be imported at a time during a bulk import. The default is 500 records.

Placing a resource under governance

Identifying data to be governed is continuously adaptive in nature. Those responsible for identifying the data may include the business owner, the administrator, the compliance officer, and managers.

Consider the following when making your selection:

  • Monitor "Top Active Content" and "Top Active Users" reports and views in the web portal to locate content that is potentially valuable to the organization.
  • Identify enterprise applications that provide the ability to export sensitive information in an unencrypted format.
  • Identify content with several access points. For example, if content is available to "Everyone", "All Sales", or "All Employees" you would assume that it is meant for public consumption. However, there is the chance that a sensitive file may be placed in the public area either in error or through malicious intent. It is important to assign a "high risk" index to content with wide access points and bring it under control.
  • Identify groups with many members and investigate their data access. Sensitive information could be inadvertently available to people through their group memberships.
  • Talk to business owners. They are stakeholders in making the data governance process successful. Understand how they create content and the repositories they use — SharePoint or file servers. They can provide information about the importance of content that is created by the different "roles" in their department or organization. This can identify shares and folders that must be governed and important groups or roles from their perspective.
  • Identify trends in "Resource Access Requests" in the web portal IT Shop. If requests for access to a share or a specific SharePoint folder increase, the resource may be a candidate to be watched for activity.
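
One way to find the content with wide access points described above before deciding what to govern. This is an added example, not part of Data Governance Edition or its PowerShell commands; it uses only the built-in Get-Acl cmdlet, and the server path and the CONTOSO group names are hypothetical placeholders.

```powershell
# Added example: list folders whose NTFS ACL grants access to broad groups.
# $Root and the CONTOSO group names are hypothetical placeholders.
param(
    [string]$Root  = '\\fileserver01\Sales',
    [int]   $Depth = 2
)

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CONTOSO\All Sales',
    'CONTOSO\All Employees'
)

# WriteData (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# The root folder itself plus its subfolders down to $Depth levels
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        # Only Allow entries for the broad principals are of interest
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Path      = $folder.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            CanWrite  = (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0
            Inherited = $ace.IsInherited
        }
    }
}

# Writable-by-many folders first, then by path
$findings |
    Sort-Object @{ Expression = 'CanWrite'; Descending = $true }, Path |
    Format-Table -AutoSize -Wrap
```

The script reads folder (NTFS) security only, not share permissions. Rows where Inherited is False show the folder on which the broad grant was actually set.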

NOTE: For all managed host types, when placing a resource under governance, the resource must be a managed path or a folder or share under a managed path.

  • For remote managed hosts, if you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. If the managed host has more than one agent assigned, you are prompted to select which agent to add the managed path to.
  • For local managed hosts, if you are scanning managed paths (that is, there are paths in the managed paths list), and you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. However, if you are scanning the entire server (that is, the managed paths list is empty) and you place a resource under governance, no changes are made to the managed paths list and you continue to scan the entire server.

Note: On a per-host basis, ensure that you complete all tasks (such as adding managed paths and placing resources under governance) in the same manner, either at the share or folder level.

NOTE: In order for a DFS link, target share path or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server where the DFS link is pointing to must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.

To place a resource under governance

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. Double-click through the resources to locate the required resource (folder or share).
  4. Select the required resource (folder or share) and select Place resource under governance from the Tasks view or right-click menu.
  5. On the Place resource under governance dialog, confirm the display name and click Govern Resources.

    When placing a share under governance, you can use the backing folder security or share permissions for self-service resource access requests in the web portal. The Use backing folder security for self-service option is selected by default and uses the backing folder security for the share. Clear this option to use the share permissions for the share.

    When placing a DFS link under governance, select the type of security to be used:

    • Use Folder Security: This option is selected by default and uses the backing folder security for self-service resource access requests to this governed resource.
    • Use Share Security: Select this option to use the share permissions for self-service resource access requests to this governed resource.
    • Use DFS Security: Select this option to use the DFS access-based enumeration security for self-service resource access requests to this governed resource.

Back in the Resource browser, "True" now appears in the Governed Resource column. The governed resource is also added to the Governed data view.

Related Topics

Removing resources from governance
