Assigning a business owner for a resource establishes the custodian for its data. The business owner should be an employee who understands the nature of the data and knows who is authorized to use it. The owner can be an individual employee or all employees in an application role. They should be able to answer important questions such as whether the people who have access to the data should have it, whether the data is still relevant, and whether it should be deleted or archived.
The business owner is also the first in line to approve or deny IT Shop requests for resource access.
Note: You do not need to assign an owner when you place a resource under governance; however, you cannot assign an owner unless the resource is governed.

Note: Business ownership is not the same as resource ownership, which is a property of the security configuration of the resource.
The goal of establishing and assigning ownership is to prevent unauthorized access to data and to be secure in the knowledge of who has access to what within your organization. Once assigned, the business owner grants access, not IT.
Because the business owner is an integral component in the securing of data through access requests and attestations, it is important to schedule a "business owner attestation" to periodically confirm the governed data ownership.
Data Governance Edition can suggest appropriate owners for the data based on usage and access, both through reports and through a calculation performed in the Manager.
Using the web portal, the Data Governance Administrator can view a list of resources without an owner assigned and assign ownership. In addition, as a business owner, you can reject ownership of a governed resource. For more information, see Managing governed resources using the web portal.
To assign ownership for previously governed resources
In the Manager, open the Governed data view.
Select the Business Owner tab to apply an owner for the resource.
From here, you can select to apply an owner based on an existing application role or to a specific user, enter the reason why the resource requires an owner, and view when the ownership was set and by whom.
To set a business owner on multiple resources
Note: This procedure can also be used as an alternate method of assigning a business owner to a single governed resource.
In the Manager, open the Governed data view.
On the Set Business Owner page, select to assign either an application role or an employee as the owner, and enter a justification for the ownership.
Note: If all of the selected resources already have the same business owner set, the employee or application role field will display the current owner assignment.
In the Manager, open the Governed data view.
Click the Save tool bar button to save your selection.
The account is removed as the owner for that resource.
The perceived owners for data are calculated from resource activity history and security information collected by Data Governance Edition.
By default, Data Governance Edition uses resource activity history as the primary source and only uses the security information to provide additional perceived ownership suggestions for the resource if the resource activity calculation returns less than two results. By default, the calculation is based on activity recorded for the last 30 days to determine perceived owners. You can, however, change the primary source, maximum number of results to be returned, and activity period used to determine perceived owners using the following server configuration settings:
For more information on these configuration settings, see the One Identity Manager Data Governance Edition Technical Insight Guide.
When resource activity history is available for a resource, the following is considered in the perceived owner calculation:
Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database. Once all the activity records for the time span in question are gathered, a weight is assigned to each different type of activity. The default calculation assumes that it is more likely that the data owner would create, edit, delete, and change security rather than just read the data, so a heavier weight has been assigned to these change operations. By default, the heaviest weight has been given to change security and a lighter weight to read.
The total weight for all operations is summed for each account, and the accounts with the highest total weight are presented as the calculated perceived owner for the data. If the selected resource is a folder, the activity on all child objects is collated for the resultant weights.
When the perceived owner calculations are based on activity data, the following resource activity collection settings can affect the calculation:
The biggest group of settings affecting the perceived owner calculation is the set of weight multipliers for the different types of resource activity collected by Data Governance Edition. They weight the various activities so that (for example) a user performing a security change operation is more likely to be an owner of a particular resource than another user who has only read that resource. For information on modifying these weight multipliers, see Activity weight multipliers in the One Identity Manager Data Governance Edition Technical Insight Guide.
When using security information to calculate perceived ownership, Data Governance Edition considers the following:
Data Governance Edition then looks for trustees with 'write' access.
Note: Each host type uses slightly different permissions:
Data Governance Edition filters out built-in accounts from the perceived owner calculation.
Note: For Cloud managed hosts, Data Governance Edition does not filter out Cloud built-in accounts.
During any of these steps, when Data Governance Edition finds the top perceived ownership suggestions, the process stops looking and returns the results.
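The following is an added example, not One Identity's code, of a simplified perceived-owner calculation that follows the description above: weighted activity over a fixed period as the primary source, child activity collated for a folder, built-in accounts filtered out, and write-access trustees from security information used only when activity yields fewer than two accounts. The weight values, record fields, built-in account list and sample records are constructed assumptions, not product defaults.

```python
# Added example (not One Identity's code): a simplified perceived-owner
# calculation following the description above. Weight multipliers, field
# names, built-in account list and the sample records are constructed
# assumptions, not product defaults.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed weights: change-security heaviest, other change operations in
# between, read lightest (the page gives the ordering, not the values).
DEFAULT_WEIGHTS = {
    "security_change": 5.0,
    "create": 3.0,
    "write": 3.0,
    "delete": 3.0,
    "read": 1.0,
}

# Assumed set of built-in accounts excluded from the calculation.
BUILTIN_ACCOUNTS = {"SYSTEM", "Administrators", "Everyone", "Authenticated Users"}


def _under(path, resource):
    """True if path is the resource itself or any child of it (folder collation)."""
    return path == resource or path.startswith(resource.rstrip("\\") + "\\")


def activity_scores(records, resource, now, days=30, weights=DEFAULT_WEIGHTS):
    """Sum weighted activity per account on the resource and its children
    within the last `days` days. Each record is a dict with keys
    account, operation, path, time (timezone-aware datetime)."""
    cutoff = now - timedelta(days=days)
    totals = Counter()
    for rec in records:
        if not _under(rec["path"], resource):
            continue
        if rec["time"] < cutoff:          # outside the activity period
            continue
        if rec["account"] in BUILTIN_ACCOUNTS:
            continue
        totals[rec["account"]] += weights.get(rec["operation"], 0.0)
    return totals


def security_candidates(acl, resource):
    """Trustees holding write access on the resource, built-ins filtered out."""
    return [trustee for trustee, rights in acl.get(resource, {}).items()
            if "write" in rights and trustee not in BUILTIN_ACCOUNTS]


def perceived_owners(records, acl, resource, now, max_results=3, days=30):
    """Activity history is the primary source; security information only
    supplements the list when activity yields fewer than two accounts."""
    scores = activity_scores(records, resource, now, days)
    ranked = [acct for acct, _ in scores.most_common(max_results)]
    if len(ranked) < 2:
        for trustee in security_candidates(acl, resource):
            if trustee not in ranked and len(ranked) < max_results:
                ranked.append(trustee)
    return ranked


# Constructed sample data.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACTIVITY = [
    {"account": "CORP\\alice", "operation": "security_change",
     "path": "\\\\fs1\\Finance", "time": NOW - timedelta(days=2)},
    {"account": "CORP\\alice", "operation": "write",
     "path": "\\\\fs1\\Finance\\Q2.xlsx", "time": NOW - timedelta(days=5)},
    {"account": "CORP\\bob", "operation": "read",
     "path": "\\\\fs1\\Finance\\Q2.xlsx", "time": NOW - timedelta(days=1)},
    {"account": "CORP\\bob", "operation": "read",
     "path": "\\\\fs1\\Finance\\Q1.xlsx", "time": NOW - timedelta(days=3)},
    {"account": "CORP\\carol", "operation": "create",   # outside 30-day window
     "path": "\\\\fs1\\Finance\\Old.xlsx", "time": NOW - timedelta(days=45)},
    {"account": "SYSTEM", "operation": "write",         # built-in, filtered out
     "path": "\\\\fs1\\Finance\\Q2.xlsx", "time": NOW - timedelta(days=1)},
]
SAMPLE_ACL = {
    "\\\\fs1\\Finance": {"CORP\\alice": {"read", "write"},
                         "CORP\\dave": {"read", "write"},
                         "Administrators": {"full"}},
    "\\\\fs1\\HR": {"CORP\\dave": {"read", "write"},      # no activity recorded
                    "CORP\\frank": {"write"},
                    "CORP\\eve": {"read"}},
}

if __name__ == "__main__":
    print(perceived_owners(SAMPLE_ACTIVITY, SAMPLE_ACL, "\\\\fs1\\Finance", NOW))
    print(perceived_owners(SAMPLE_ACTIVITY, SAMPLE_ACL, "\\\\fs1\\HR", NOW))
```

For the Finance folder the activity source alone ranks alice (security change plus write) ahead of bob (two reads), so security information is never consulted; for the HR folder no activity exists, so the write-access trustees are returned instead. Widening `days` to 60 brings carol's older create operation back into scope, which is the kind of difference the activity period setting makes.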
To determine perceived owners through the Manager
The calculation is performed to determine the perceived owners.
The Perceived Business Owners dialog appears showing the results of the calculation.
To assign an owner based on the perceived owner calculation, select the account from the list and click the Set Owner button.
Note: An account is only eligible to be set as an owner if it has an associated One Identity Manager Employee.
The Perceived Business Owner dialog re-appears where the Current Business Owner field is now showing the newly selected owner.
Maintaining consistent access policies to data ensures that a system of least privileges is in place. Through the Manager you can manage company policies and assess the risk involved. Policies can be assigned to compliance frameworks and groups for categorization; they can have accountable and exception approvers, a risk index, and assigned mitigating controls for risk reduction.
Policies can be customized to meet your specific requirements. For example, you can create a company policy such as "Users should not have direct access to NTFS resources" to ensure that access has been granted only through group membership; or you can enable a predefined policy such as "Full access not granted on governed data for the predefined group 'Everyone'" to ensure that the built-in Active Directory group "Everyone" does not have "Full Control" to data under governance.
Assuming the appropriate data is stored in the database, One Identity Manager determines all the company resources that violate these company policies. Adherence to company policies is checked regularly using scheduled tasks, and notifications of policy violations are displayed in the web portal.
Regular testing of company policies is managed through schedules. A "default schedule" is assigned to every new company policy. You can customize the supplied schedule to meet your requirements or set up your own schedules and assign them to the company policies.
Processing tasks are created for the DB-Scheduler to test the validity of a company policy. The DB-Scheduler identifies the employees who satisfy company policy and the employees who are in violation of company policy. The specified company policy approvers can test policy violations and if necessary grant exception approval.
For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.
Note: Before a resource can be used in the creation of policies, it must be placed under governance. For more information, see Placing a resource under governance.
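As an added example (not One Identity Manager's policy engine), the two company policies quoted above can be expressed as predicates evaluated over ACL entries of governed resources; the ACE tuple format, right names, and sample entries are constructed assumptions. Because the page states that only governed resources participate, ungoverned paths are skipped before any policy is applied.

```python
# Added example (not One Identity Manager's policy engine): two company
# policies of the kind described above evaluated as predicates over ACL
# entries. The ACE format, right names and sample data are assumptions.

FULL_CONTROL = "FullControl"

# Constructed ACL entries: (path, trustee, trustee_type, rights).
SAMPLE_ACES = [
    ("\\\\fs1\\Finance", "CORP\\Finance-RW", "group", {"Read", "Write"}),
    ("\\\\fs1\\Finance", "CORP\\bob", "user", {"Read"}),           # user granted directly
    ("\\\\fs1\\Public", "Everyone", "group", {FULL_CONTROL}),       # Everyone: Full Control
    ("\\\\fs1\\Public", "CORP\\Domain Users", "group", {"Read"}),
    ("\\\\fs1\\HR", "CORP\\hr-admin", "user", {FULL_CONTROL}),      # not governed: not checked
]

# Only governed resources participate in policy checks.
GOVERNED = {"\\\\fs1\\Finance", "\\\\fs1\\Public"}


def direct_user_access(path, trustee, kind, rights):
    """'Users should not have direct access to NTFS resources'."""
    return kind == "user"


def everyone_full_control(path, trustee, kind, rights):
    """'Full access not granted on governed data for the predefined group "Everyone"'."""
    return trustee == "Everyone" and FULL_CONTROL in rights


POLICIES = {
    "Users should not have direct access to NTFS resources": direct_user_access,
    'Full access not granted on governed data for the predefined group "Everyone"':
        everyone_full_control,
}


def evaluate_policies(aces, governed, policies=POLICIES):
    """Return {policy name: [(path, trustee), ...]} for every governed ACE
    that violates a policy. Ungoverned paths are skipped entirely."""
    violations = {name: [] for name in policies}
    for path, trustee, kind, rights in aces:
        if path not in governed:
            continue
        for name, violates in policies.items():
            if violates(path, trustee, kind, rights):
                violations[name].append((path, trustee))
    return violations


if __name__ == "__main__":
    for name, hits in evaluate_policies(SAMPLE_ACES, GOVERNED).items():
        print(f"{name}: {hits or 'no violations'}")
```

Adding a custom policy is a matter of registering another predicate in `POLICIES`; the HR entry shows why placing a resource under governance matters, since its direct Full Control grant to a user account is not reported until the path is added to the governed set.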
To create a policy
On the policy's General properties page, enter all the required information for the policy.
All other fields and options are optional.
The company policy is not added to the database until the working copy is enabled. The working copy remains and can be used for making changes to the company policy later.
Appendix: Governed data company policies
Classification helps you and the security professionals in your organization understand the contents of your unstructured data, thereby ensuring that sensitive assets are properly secured.
More specifically, the Classification feature in Data Governance Edition provides:
Classification is included in Data Governance Edition; however, you should first define the classification levels in Data Governance Edition to match those defined by your company. For more information, see Defining classification levels.
The following application roles are used for Classification functionality. They are to be used in conjunction with other One Identity Manager roles. For more information, see Application roles.
| User | Tasks |
|---|---|
| Data Governance Administrator | Employees assigned this role are responsible for the management and maintenance of the Data Governance Edition deployment, including Classification. Members of this role can: This user must be assigned the Data Governance\Administrators application role. |
| Business Owner | Employees assigned this role are responsible, through the web portal, for managing and attesting to the classification of resources that they own. Members of this role can: Business owners must be assigned to the Data Governance\Direct Owner application role, which is automatically assigned when the business ownership is set. |
Defining classification levels
Classifying governed resources
Viewing and assigning classification level to owned resources
© 2023 One Identity LLC. ALL RIGHTS RESERVED.