Identity Manager Data Governance Edition 8.0 - User Guide

Managing business ownership for a resource

Assigning a business owner for a resource enables you to establish the custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. The owner can be an individual employee or all employees in an application role. They should be able to answer important questions such as whether people who have access to it should, whether it is still relevant, and whether it should be deleted or archived.

The business owner is also the first in line to approve or deny IT Shop requests for resource access.

The goal of establishing and assigning ownership is to prevent unauthorized access to data and to be secure in the knowledge of who has access to what within your organization. Once assigned, the business owner grants access, not IT.

Because the business owner is an integral component in the securing of data through access requests and attestations, it is important to schedule a "business owner attestation" to periodically confirm the governed data ownership.

Data Governance Edition can suggest appropriate owners for the data based on usage and access through both reports and through a calculation performed in the Manager. For more information, see Perceived owners for data under governance report and Calculating perceived owner.

Using the web portal, the Data Governance Administrator can view a list of resources without an owner assigned and assign ownership. In addition, as a business owner, you can reject ownership of a governed resource. For more information, see Managing governed resources using the web portal.

To assign ownership for previously governed resources

1. In the Manager, open the Governed data view.

   • From the Data Governance navigation view, select Governed data.
   • From the Managed hosts view, navigate to the required managed host, select Governed data from the Tasks view or right-click menu.
2. Select the governed resource and select Change governed resource master data in the Tasks view or right-click menu.

3. Select the Business Owner tab to apply an owner for the resource.

   From here, you can select to apply an owner based on an existing application role or to a specific user, enter the reason why the resource requires an owner, and view when the ownership was set and by whom.

   • Owner (Application role): Use this field to assign an owner for the resource based on their application role. If you assign an application role, any holder of this role can be responsible for attestations or access requests. If the application role is not listed in the drop-down list, click the add button to the right of this field to add a One Identity Manager application role.
   • Owner (Employee): Use this field to assign an owner for the resource based on an employee name. If you assign an employee as the owner, they are solely responsible for attestations or access requests.
   • Justification: (Optional) Enter the reason for assigning this owner to the resource.
   • Date ownership set: Read-only field that displays the date the owner was last set.
   • Ownership set by: Read-only field that displays the user who set the ownership to its current owner.
   • Requires ownership: (Optional) Select this option to indicate that a resource must be assigned a business owner.
4. Click the Save tool bar button to save your selections.

To set a business owner on multiple resources

1. In the Manager, open the Governed data view.

   • From the Data Governance navigation view, select Governed data.
   • From the Managed hosts view, navigate to the required managed host, select Governed data from the Tasks view or right-click menu.
2. Select the required resources and select Set business ownership in the Tasks view or right-click menu.

3. On the Set Business Owner page, select to assign either an application role or an employee as the owner, and enter a justification for the ownership.

   Note: If all of the selected resources already have the same business owner set, the employee or application role field will display the current owner assignment.

4. If one or more of the selected resources already have a business owner set, click Yes to confirm that you want to override existing settings.
5. Click Next.
6. Click Finish to exit the wizard.

To revoke ownership

1. In the Manager, open the Governed data view.

   • From the Data Governance navigation view, select Governed data.
   • From the Managed hosts view, navigate to the required managed host, select Governed data from the Tasks view or right-click menu.
2. Select the required resource and select Change governed resource master data in the Tasks view or right-click menu.
3. Select the Business Owner tab and clear the owner field for the resource.

4. Click the Save tool bar button to save your selection.

   The account is removed as the owner for that resource.

Calculating perceived owner

The perceived owners for data is calculated from resource activity history and security information collected by Data Governance Edition.

By default, Data Governance Edition uses resource activity history as the primary source and only uses the security information to provide additional perceived ownership suggestions for the resource if the resource activity calculation returns less than two results. By default, the calculation is based on activity recorded for the last 30 days to determine perceived owners. You can, however, change the primary source, maximum number of results to be returned, and activity period used to determine perceived owners using the following server configuration settings:

• PerceivedOwnershipByResourceActivity: Indicates the primary source for calculating perceived owners: resource activity history or security information.
• PerceivedOwnershipByResourceOwner: Indicates whether the access control list owner of the target system should be considered as a perceived owner suggestion.
• PerceviedOwnershipMaxReturnValue: Defines the maximum number of perceived ownership suggestions returned as a result of calculating perceived owners for a resource.
• PerceivedOwnershipActivityPeriod: Defines the time period (in days) to look for past resource activity to determine perceived owners.

For more information on these configuration settings, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Using resource activity history to calculate perceived owners

When resource activity history is available for a resource, the following is considered in the perceived owner calculation:

• The account that performed the activity
• The scope of the data on which activity was performed
• The type and frequency of activity (read, write, create, delete, rename, or security change)
• The time span in which the activity took place

Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database. Once all the activity records for the time span in question are gathered, a weight is assigned to each different type of activity. The default calculation assumes that it is more likely that the data owner would create, edit, delete, and change security rather than just read the data, so a heavier weight has been assigned to these change operations. By default, the heaviest weight has been given to change security and a lighter weight to read.

The total weight for all operations is summed for each account, and the accounts with the highest total weight are presented as the calculated perceived owner for the data. If the selected resource is a folder, the activity on all child objects is collated for the resultant weights.

When the perceived owner calculations are based on activity data, the following resource activity collection settings can affect the calculation:

• If an account is excluded from activity collection, that account is never perceived as an owner.
• If a particular resource is excluded through a file extension or a folder exclusion setting, it never has any activity data from which to perceive an owner.
• If the aggregation window is large, changes in perceived owner may take more time to become visible.

The biggest group of settings to affect the perceived owner calculation are the weight multipliers for the different types of actions of resource activity collected by Data Governance Edition. They are responsible for weighting the various activities so that (for example) a user performing a security change operation is more likely to be an owner of a particular resource than another user who has just read that resource. For information on modifying these weight multipliers, see Activity weight multipliers in the One Identity Manager Data Governance Edition Technical Insight Guide.

Using security to calculate perceived owners

When using security information to calculate perceived ownership, Data Governance Edition considers the following:

• Trustee access
  • Data Governance Edition first looks for trustees with Full Control access, as these are considered most likely to be perceived owners.

  • Data Governance Edition then looks for trustees with 'write' access.

    Note: Each host type uses slightly different permissions: Cloud: Writer role NFS: Write NTFS and DFS : Modify SharePoint: Contribute or Design role

• Common managers amongst trustees with access to resource
  • Data Governance Edition then tries to find common managers within the One Identity Manager organizational structure.
• Remaining trustee rights
  • Lastly, Data Governance Edition weighs the remaining rights that trustees have (for example, read, limited access, etc.).
• Built-in accounts

  • Data Governance Edition filters out built-in accounts from the perceived owner calculation.

    Note: For Cloud manage hosts, Data Governance Edition does not filter out Cloud built-in accounts.

During any of these steps, when Data Governance Edition finds the top perceived ownership suggestions, the process stops looking and returns the results.

To determine perceived owners through the Manager

1. In the Navigation view, select Data Governance | Managed hosts.
2. Open the Resource browser using one of the following methods:
   • Double-click the required managed host in the Managed hosts view.
   • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
3. Double-click through the resources to locate the required resource.
4. Select the required resource and select Calculate perceived owners from the Tasks view or right-click menu.

   The calculation is performed to determine the perceived owners.

5. The Perceived Business Owners dialog appears showing the results of the calculation.

   • The Governed Data Information appears when the selected resource is under governance. This section indicates whether the resource is published to the IT Shop and whether it has an assigned business owner.
   • The Account grid displays the perceived ownership suggestions (and the associated Employee) with percentage points based on their level of activity or security.

6. To assign an owner based on the perceived owner calculation, select the account from the list and click the Set Owner button.

   NOTE: An account is only eligible to be set as an owner if they have an associated One Identity Manager Employee. In order to assign ownership to an NFS Export resource, ensure that an Active Directory employee is assigned to the UNIX account. To assign a One Identity Manager Employee to a UNIX account: In the Manager, select Employees | Employees. Locate and select the employee, right-click and select Tasks | Assign Unix user accounts. In the lower pane, locate and double-click the account to be assigned to the selected employee. In order to assign ownership to a cloud resource, ensure that an Active Directory employee is assigned to the SHAREPOINTONLINE or ONEDRIVEBUSINESS account. To assign a One Identity Manager Employee to a cloud account: In the Manager, select Employees | Employees. Locate and select the employee, right-click and select Tasks | Assign user accounts. NOTE: If you have the CSM module installed, you will see an additional task, Assign cloud user accounts. Do NOT use this new task, you must select your Data Governance Edition cloud user account from the Assign user accounts task. In the lower pane, locate and double-click the account to be assigned to the selected employee.

   The Perceived Business Owner dialog re-appears where the Current Business Owner field is now showing the newly selected owner.

7. Click Close to save your selection and close the dialog.

Establishing compliance policies

Maintaining consistent access policies to data ensures that a system of least privileges is in place. Through the Manager you can manage company policies and assess the risk involved. Policies can be assigned to compliance frameworks and groups for categorization; they can have accountable and exception approvers, a risk index, and assigned mitigating controls for risk reduction.

Policies can be customized to meet your specific requirements. For example, you can create a company policy such as “Users should not have direct access to NTFS resources” to ensure that access has been granted only through group membership; or you can enable a predefined policy such as “Full access not granted on governed data for the predefined group "Everyone" to ensure that the built-in Active Directory group "Everyone" does not have "Full Control" to data under governance.

Assuming the appropriate data is stored in the database, One Identity Manager determines all the company resources that violate these company policies. Adherence to company policies is checked regularly using scheduled tasks and notification of policy violations are displayed in the web portal.

Regular testing of company policies is managed through schedules. A "default schedule" is assigned to every new company policy. You can customize the supplied schedule to meet your requirements or set up your own schedules and assign them to the company policies.

Processing tasks are created for the DB-Scheduler to test the validity of a company policy. The DB-Scheduler identifies the employees who satisfy company policy and the employees who are in violation of company policy. The specified company policy approvers can test policy violations and if necessary grant exception approval.

For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.

To create a policy

1. In the Navigation view, select Company Policies | Policies.
2. In the Result list, click the Create ( ) tool bar button or right-click command and select New to create a new working copy of the policy.

3. On the policy's General properties page, enter all the required information for the policy.

   • Policy: Enter the name for the company policy.
   • Base table: Select the base table for which the company policy is defined.
   • Edit condition: Click the Edit condition button to launch the WHERE clause wizard to define the policy conditions.

   All other fields and options are optional.

4. Click the Save tool bar button to save your policy.
5. In the Tasks view, select Enable working copy.

   The company policy is not added to the database until the working copy is enabled. The working copy remains and can be used for making changes to the company policy later.

Related Topics

Appendix: Governed data company policies

Classifying governed resources

Classification helps you and the security professionals in your organization understand the contents of your unstructured data, thereby ensuring that sensitive assets are properly secured.

More specifically, the Classification feature in Data Governance Edition provides:

• The ability to classify governed resources. For more information, see Classifying governed resources.
• The ability to apply company policies based on classification. For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.

Classification is included in Data Governance Edition, however you should first define the classification levels in Data Governance Edition to match those defined by your company. For more information, see Defining classification levels.

The following application roles are used for Classification functionality. They are to be used in conjunction with other One Identity Manager roles. For more information, see Application roles.

Related Topics

Defining classification levels

Classifying governed resources

Viewing and assigning classification level to owned resources