Identity Manager Data Governance Edition 8.0 - User Guide

Defining classification levels

Data Governance Edition ships with predefined classification levels; however, you may need to modify these predefined classification levels to match the classification levels defined for your organization. You can use the Manager or Windows PowerShell to add, edit or delete the classification levels in your Data Governance Edition deployment.

By default, the following classification levels are defined for you:

  • No Restriction: Information created, received or distributed with the intention of being shared publicly. This includes personal information. Examples: Whitepapers, Approved Technical Documents, Marketing and Sales Brochures, Product launches.
  • Internal Use Only: Information intended for internal use by the organization and its stakeholders. This includes distribution to associates such as consultants, outside counsel, OEMs, and other team members. Examples: Internal Procedures, Policy Documents, Corporate Directory Information, Facility Information, Organizational Chart.
  • Restricted: Information intended for internal use by the organization and its stakeholders that requires a heightened level of control. This may include third-party disclosures such as contract agreements. Examples: Personally Identifiable Information (PII), Customer Data, HR Data, Financial Data, IP Formulas/Algorithms, Product Development Concepts.
  • Critical Handling: Handling requirements are driven by external parties such as customers and regulatory organizations. Examples: U.S. Federal regulatory bodies, Export-Controlled Intellectual Property (IP), Payment Card Industry.

Note: When the Data Governance service first starts up, it writes the default classification level data into the One Identity Manager database. This behavior is controlled by a registry key, HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server\ClassificationLevelDefaultData.

If you delete the default classification levels in your Data Governance Edition deployment and replace them with new classification levels, and you later move the Data Governance service to another machine, you must move or set this registry key to prevent the previously deleted default classification levels from being reloaded.

If you modify the default classification levels in your Data Governance Edition deployment, the data is retained if you move the Data Governance service to another machine.

For more information about this registry key, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Adding a classification level

You can use the Manager or Windows PowerShell to define a new classification level in your Data Governance Edition deployment.

To add a new classification level (Manager)

  1. In the Manager, select Data Governance | Classification.

    The Classification view appears listing the current classification levels defined in your Data Governance Edition deployment.

  2. Select the New task or right-click command.

  3. On the Classification Level dialog, enter the following information:
    1. Name: Specify the name to be associated with the new classification level.
    2. Description: Enter descriptive text to be associated with the new classification level.

    Click OK to save the new classification level and close the dialog.

  4. Back on the Classification view, the new classification level appears at the bottom of the list.

    Use the Move up and Move down tasks to define where in the display order the new classification level is to appear.

To add a new classification level (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to define each classification level:

    Add-QClassificationLevel [-Name] <String> [-Description] <String> [[-SortOrder] [<Int>]]

    • Name: Specify the name to be associated with the new classification level.

    • Description: Enter descriptive text to be associated with the new classification level.

    • SortOrder: (Optional) Specify a value to indicate where in the display order the new classification level is to appear.

      Note: The classification levels are displayed in ascending order based on SortOrder. If no SortOrder value is specified, the classification level will appear at the top of the list.
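The PowerShell procedure above, applied to a whole scheme at once. This is an added example, not code from One Identity: the level names and descriptions are constructed, the `Add-ClassificationScheme` helper is hypothetical, and it assumes the module is already imported and the session is connected to your Data Governance Edition deployment.

```powershell
# Added example, not One Identity code. Level names and descriptions are constructed.
# Assumes the module is imported and the session is connected to the deployment.

# Constructed sample scheme, ordered from least to most sensitive.
$scheme = @(
    @{ Name = 'Public';       Description = 'Approved for release outside the organization.' }
    @{ Name = 'Internal';     Description = 'Employees and contracted associates only.' }
    @{ Name = 'Confidential'; Description = 'PII, HR, financial and customer data.' }
    @{ Name = 'Regulated';    Description = 'Handling dictated by a regulator or customer contract.' }
)

function Add-ClassificationScheme {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable[]] $Levels,
        [ValidateRange(1, 1000)] [int] $Step = 10
    )

    # Validate the whole scheme before writing anything, so a bad entry
    # cannot leave the deployment with a half-created set of levels.
    foreach ($level in $Levels) {
        if ([string]::IsNullOrWhiteSpace($level.Name) -or
            [string]::IsNullOrWhiteSpace($level.Description)) {
            throw 'Every level needs a non-empty Name and Description.'
        }
    }
    $dupes = $Levels | ForEach-Object { $_.Name } | Group-Object | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate level name(s): $($dupes.Name -join ', ')" }

    # Always pass SortOrder: a level added without one goes to the top of
    # the list. Gaps of $Step leave room to insert a level later.
    $order = 0
    foreach ($level in $Levels) {
        $order += $Step
        if ($PSCmdlet.ShouldProcess($level.Name, "Add classification level (SortOrder $order)")) {
            Add-QClassificationLevel -Name $level.Name -Description $level.Description -SortOrder $order
        }
    }
}

# Preview first; drop -WhatIf to create the levels.
Add-ClassificationScheme -Levels $scheme -WhatIf
```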

Editing a classification level

You can use the Manager or Windows PowerShell to edit an existing classification level in your Data Governance Edition deployment.

Note: Any Data Governance Edition customizations (such as attestation or company policies) that use the name of a classification level will no longer work if you edit the name of the classification level.

To edit a classification level (Manager)

  1. In the Manager, select Data Governance | Classification.

  2. Select the classification level to be modified.
  3. Select the Edit task or right-click command.
  4. On the Classification Level dialog, edit the following information as required:
    1. Name: Specify a different name to be associated with the classification level.
    2. Description: Edit the descriptive text to be associated with the classification level.

    Click OK to save your changes and close the dialog.

  5. If necessary, use the Move up and Move down tasks to define where in the display order the classification level is to appear.

To edit a classification level (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to edit the classification level:

    Set-QClassificationLevel [-ID] <String> [[-Name] [<String>]] [[-Description] [<String>]] [[-SortOrder] [<Int>]]

    • ID: Specify the Identifier of the classification level to be modified.

      Note: Run the Get-QClassificationLevelConfiguration cmdlet to retrieve a list of configured classification levels, including their assigned identifiers.

    • Name: Specify a value to change the name associated with the specified classification level.
    • Description: Specify a value to change the descriptive text associated with the specified classification level.
    • SortOrder: Specify a value to change where in the display order the classification level is to appear.

      Note: The classification levels are displayed in ascending order based on SortOrder.

Removing a classification level

You can use the Manager or Windows PowerShell to remove a classification level from your Data Governance Edition deployment.

TIP: Deleting a classification level will automatically remove it from all associated governed data. Run the Get-QDataUnderGovernanceByClassificationLevel cmdlet to retrieve a list of the resources still assigned to the classification level before running the delete operation.

Note: Any Data Governance Edition customizations (such as attestation or company policies) that use the name of a classification level will no longer work if you remove the classification level.

To remove a classification level (Manager)

  1. In the Manager, select Data Governance | Classification.
  2. Select the classification level to be removed.
  3. Select the Delete task or right-click command.
  4. Select Yes on the Delete Classification Level confirmation dialog.

To remove a classification level (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to remove the classification level:

    Remove-QClassificationLevel [-ID] <String>

    • ID: Specify the identifier assigned to the classification level to be removed.

      Note: Run the Get-QClassificationLevelConfiguration cmdlet to retrieve a list of configured classification levels, including their assigned identifiers.
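A guarded form of the removal procedure that performs the pre-delete check recommended in the TIP above. This is an added example, not code from One Identity: `Remove-ClassificationLevelSafely` is a hypothetical helper, and it assumes that the objects returned by Get-QClassificationLevelConfiguration expose `Name` and `Id` properties and that Get-QDataUnderGovernanceByClassificationLevel accepts the level identifier as its first positional argument.

```powershell
# Added example, not One Identity code. Assumes the module is imported and
# the session is connected to the Data Governance Edition deployment.
function Remove-ClassificationLevelSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ReportPath = '.\resources-before-delete.csv',
        [switch] $AllowDeclassify   # must be set to delete a level still in use
    )

    # Resolve the name to exactly one identifier.
    # Assumption: returned objects have Name and Id properties.
    $level = @(Get-QClassificationLevelConfiguration | Where-Object { $_.Name -eq $Name })
    if ($level.Count -ne 1) {
        throw "Expected exactly one level named '$Name', found $($level.Count)."
    }
    $id = $level[0].Id

    # Deleting a level removes it from all associated governed data, so
    # record what is still assigned before anything is changed.
    # Assumption: the identifier is the first positional argument.
    $assigned = @(Get-QDataUnderGovernanceByClassificationLevel $id)
    if ($assigned.Count -gt 0) {
        $assigned | Export-Csv -Path $ReportPath -NoTypeInformation
        Write-Warning "$($assigned.Count) governed resource(s) still use '$Name'; list saved to $ReportPath."
        if (-not $AllowDeclassify) {
            Write-Warning 'Nothing deleted. Reassign the resources or pass -AllowDeclassify.'
            return $false
        }
    }

    # Attestation and company policies that reference the level by name
    # stop working after removal, so the final step asks for confirmation.
    if ($PSCmdlet.ShouldProcess("$Name ($id)", 'Remove classification level')) {
        Remove-QClassificationLevel -ID $id
        return $true
    }
    return $false
}

# Preview against a constructed level name; drop -WhatIf to run for real.
Remove-ClassificationLevelSafely -Name 'Internal Use Only' -WhatIf
```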
