Identity Manager Data Governance Edition 8.0 - User Guide

Classifying governed resources

Data Governance administrators and business owners can apply a previously defined classification level to governed resources.

  • As a Data Governance administrator, use the Set-QClassificationLevelOnDuG PowerShell cmdlet to classify governed data.
  • As a business owner, use the Classification page in the web portal to classify an owned resource.

To classify governed data (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to assign a classification level to a governed resource:

    Set-QClassificationLevelOnDuG [-DuGId] <String> [-ClassificationLevelId] <String> [[-Justification] [<String>]]

    • DuGId: Specify the identifier assigned to the governed resource to be classified (that is, the value assigned to the UID_QAMDuG parameter).

      Note: Run the Get-QDataUnderGovernance cmdlet to retrieve a list of governed resources, including their assigned identifiers.

    • ClassificationLevelId: Specify the identifier of the classification level to be assigned (that is, the value assigned to the UID_QAMClassificationLevelMan parameter).

      Note: Run the Get-QClassificationLevelConfiguration cmdlet to retrieve a list of configured classification levels, including their assigned identifiers.

    • Justification: (Optional) Enter the reason for assigning this classification level.
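The procedure above as a repeatable bulk script that checks each identifier against the two Get- cmdlets before assigning a level and writes an audit record per request. This is an added example, not code from the One Identity guide. It assumes the session is already connected to the Data Governance deployment, that both Get- cmdlets run without parameters, and that their output objects expose the identifiers as properties named UID_QAMDuG and UID_QAMClassificationLevelMan; the CSV rows and the audit file name are constructed placeholders.

```powershell
# Added example (not vendor code): validate identifiers, classify, keep an audit trail.
$modulePath = 'C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll'
if (-not (Get-Command Set-QClassificationLevelOnDuG -ErrorAction SilentlyContinue)) {
    Import-Module $modulePath -ErrorAction Stop
}

# Constructed sample input; replace the placeholders with real identifiers.
$requests = @'
DuGId,ClassificationLevelId,Justification
<UID_QAMDuG-1>,<UID_QAMClassificationLevelMan-A>,Contains payroll exports
<UID_QAMDuG-2>,<UID_QAMClassificationLevelMan-B>,Public marketing material
'@ | ConvertFrom-Csv

# Assumption: the output objects carry the identifiers under these property names.
$knownDuGs   = @(Get-QDataUnderGovernance | ForEach-Object { $_.UID_QAMDuG })
$knownLevels = @(Get-QClassificationLevelConfiguration |
                 ForEach-Object { $_.UID_QAMClassificationLevelMan })

$results = foreach ($r in $requests) {
    $status = 'Applied'
    if ($knownDuGs -notcontains $r.DuGId) {
        $status = 'Skipped: unknown DuGId'
    } elseif ($knownLevels -notcontains $r.ClassificationLevelId) {
        $status = 'Skipped: unknown ClassificationLevelId'
    } else {
        try {
            Set-QClassificationLevelOnDuG -DuGId $r.DuGId `
                -ClassificationLevelId $r.ClassificationLevelId `
                -Justification $r.Justification -ErrorAction Stop | Out-Null
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    # One audit row per request, whether it was applied, skipped or failed.
    [pscustomobject]@{
        Time                  = (Get-Date).ToString('o')
        DuGId                 = $r.DuGId
        ClassificationLevelId = $r.ClassificationLevelId
        Justification         = $r.Justification
        Status                = $status
    }
}

$results | Export-Csv -Path .\classification-audit.csv -NoTypeInformation
$results | Format-Table -AutoSize
```

Rows whose identifiers do not appear in the Get- output are skipped rather than passed to Set-QClassificationLevelOnDuG, so a typo in the input file cannot classify the wrong resource silently.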

To classify an owned resource (web portal)

  1. From the menu bar, select Responsibilities | My Responsibilities.
  2. On the My Responsibilities view, select the Governed Data tile.
  3. Open the All my resources tab and select the resource.
  4. Click Classification to display the current classification level assignment.
  5. From this page, you can assign a classification level to the selected resource:

    • Classification level: Select a classification level from the drop-down menu.
    • Description: Read-only field displaying the description of the selected classification level.
    • Justification: (Optional) Enter a reason for assigning this level of classification to the resource.
  6. Click Save. A "Your changes have been saved" message appears at the top of the page.

Managing governed resources using the web portal

Data governance provides a systematic approach to managing data access, preserving data integrity, and providing you with the tools and workflows to manage your data resources, without relying on IT administrators. By evaluating resource access, you can identify resources that do not have ownership, assign owners, and assess the overall ownership of your governed data.

NOTE: The resource activity data is from the QAMPoIActivity table. Therefore, the activity data shown is based on the POI collection frequency and when the activity occurred. That is, every time POI data is collected for governed data, existing activity entries are replaced with the new activity data that is collected.
Table 67: Who uses the web portal to manage governed resources
User | Governed resource task
Data Governance Administrator

As a Data Governance Administrator, you can perform the following tasks from the Responsibilities | Governance Administration view:

  • Governed Data Overview: View statistics and additional details about all governed resources:
    • Statistics: View statistics:
      • Top 10 active resources across all governed resources
      • Total number of explicit security deviations
      • Total number of items with blocked security inheritance
    • Resource overview: View governed resources by resource type.
    • Resources with activity: View the resources with the most activity.
    • All resources: View all governed resources in your Data Governance Edition deployment.

    For more information, see Governed Data Overview (Data Governance Administrator).

  • Governed Data Ownership: View all governed data that has no assigned owner and assign ownership.

For more information, see Data Governance Administrator responsibilities.

NOTE: Data Governance Administrators must be assigned the Data Governance\Administrators or the Identity & Access Governance\Compliance & Security Officer application role.
Business owner

As a business owner of a governed resource, you can perform the following tasks against resources for which you are responsible:

Responsibilities | My Responsibilities | Governed Data view:

  • All my resources: View a list of governed resources for which you are responsible.
  • Statistics: View statistics:
    • Resources with and without policies
    • Top 10 active resources you own
    • Top 10 active users of owned resources
    • Owned resources grouped by host
  • Activity: View the most active resources.
  • Resource types: View owned resources by resource type.
  • Policy violations: View owned resources currently affected by company policies.

In addition, for each individual resource, you can drill down to perform the following tasks:

  • Overview: View a graphical representation of a resource with its necessary details.
  • Master data: View the properties of a resource and reject ownership of a resource.

    NOTE: Business owners who have both the Data Governance\Administrators and Data Governance\Direct Owners application roles assigned can modify the properties of a resource.
  • Classification: View classification level assignment and assign a classification level to an owned resource.
  • Recent activity: View the resource's activity over the last seven days (by default).
  • Access: View employees who have access to the resource or who have actually accessed the resource.
  • Access Analysis: Analyze access by organizational structure.
  • Reports: Generate reports for governed resources.
  • Folders: View a list of folders with blocked security inheritance, folders with deviated security indexes, and governed folders contained within the selected share.
  • Risk: View a risk analysis about a resource.
  • Attestation: View attestation cases.
  • Usage: View accounts and groups that have access to the resource and request modifications of access rights.

For more information, see Business owner responsibilities.

NOTE: Business owners must be assigned the Data Governance\Direct Owners application role which is automatically assigned when ownership is set.
Auditor

Auditors can perform the following tasks from the Responsibilities | Auditing view in the web portal:

  • Governed data: View a list of managed hosts and the governed data for a managed host.
  • Active Directory: View the access permissions for an Active Directory resource.
  • Employees: View the group membership of a given employee and detailed access control information for governed data.

For more information, see Auditor responsibilities.

NOTE: Auditors must be assigned the Identity & Access Governance\Auditors application role.
Related Topics

Appendix: Governed data attestation policies

Appendix: Governed data risk index functions

Governed Data Overview (Data Governance Administrator)

The Governed Data Overview view provides information to assist you in governing resources. As a Data Governance Administrator, select Responsibilities | Governance Administration | Governed Data Overview to view statistics for and a list of all governed resources.

NOTE: The statistics displayed on the Statistics page are calculated on an hourly schedule. To change the schedule, edit the hourly schedule defined in the QAM statistics schedule in the Designer (Getting Started | Edit schedules or Base Data | General | Schedules).

In addition:

  • For the resource activity statistic, ensure the Collect and aggregate events option is enabled on the Resource activity page in the Managed Host Settings dialog. For more information on this resource activity setting, see Resource activity page.
  • For the security statistics, set the CollectPoi.IncludeDeviations configuration setting to true. You can find this configuration setting in the Data Governance service configuration file (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server\DataGovernanceEdition.Server.exe.config). For more information on this configuration setting, see the One Identity Data Governance Edition Technical Insight Guide.

NOTE: The resource activity data is from the QAMPoIActivity table. Therefore, the activity data shown is based on the POI collection frequency and when the activity occurred. That is, every time POI data is collected for governed data, existing activity entries are replaced with the new activity data that is collected.
Table 68: Governed Data Overview
Tabs | Description
Statistics

Displays the following statistics for all governed resources:

  • Top 10 active resources across all governed resources
  • Total number of explicit security deviations
  • Total number of items with blocked security inheritance

Clicking Help displays additional details about the statistic:

  • Statistics information: A description of what is contained in the graph and the calculation schedule used to generate it.
  • View source data: The source data used to build the graph.
Resource overview

Displays a list of all governed resources, grouped by resource type. From this view, you can review the following information for each type of resource:

  • Resources (total): Number of resources of this type.
  • Not owned: Number of resources not owned.
  • Owned: Number of resources owned.
  • Percent not owned: Percentage of resources not owned.
  • Unique data owners: Number of resources with unique data owners.

Clicking a resource type displays a list of resources of that type. From this view, you can review the following information for each resource of the selected type:

  • Path
  • Governed data type
  • Owner
  • Risk index (calculated)
  • Requires ownership (Yes or No)

Clicking an individual resource (Path) displays additional details about the selected resource. For more information, see Resource's Governed Data view.

Resources with activity

Displays the top 10 most active governed resources in your Data Governance Edition deployment.

All resources

Displays a list of all the governed resources in your Data Governance Edition deployment. It includes the following information:

  • Governed data element name
  • Element type
  • Data container
  • Complete folder path
  • Data owner
  • Risk index

Clicking an individual resource (Governed data element name) from this list displays additional details about the selected resource. For more information, see Resource's Governed Data view.

Governed Data Overview (Business Owner)

The Governed Data Overview view provides information to assist you in governing resources. As a business owner, select Responsibilities | My Responsibilities | Governed Data to view a list of resources for which you are responsible.

NOTE: The resource activity data is from the QAMPoIActivity table. Therefore, the activity data shown is based on the POI collection frequency and when the activity occurred. That is, every time POI data is collected for governed data, existing activity entries are replaced with the new activity data that is collected.
Table 69: Governed Data Overview
Tabs | Description
All my resources

Displays a list of all the governed resources for which you are assigned as the business owner. It includes the following information:

  • Path
  • Governed data type
  • Risk index (calculated)

Clicking an individual resource (Path) from this list displays additional details about the selected resource. For more information, see Resource's Governed Data view.

Statistics

Displays a graphical overview of the governed resources you own:

  • Resources with and without policy violations
  • Top 10 active resources you own
  • Top 10 active users of owned resources
  • Owned resources, grouped by host

Clicking Help displays additional details about the statistic:

  • Statistics information: A description of what is contained in the graph and the calculation schedule used to generate it.
  • View source data: The source data used to build the graph.
Activity

Displays the top 10 most active governed resources for which you are responsible.

Resource types

Displays a list of resources for which you are responsible, grouped by resource type. This view displays the resource type and the total number of governed resources of each type.

Clicking a resource type displays a list of owned resources of that type along with the calculated risk index for each resource.

Clicking an individual resource (Path) displays additional details about the selected resource. For more information, see Resource's Governed Data view.

Policy violations

Displays a list of resources that are currently in violation of a company policy.

Clicking an individual resource (Path) displays additional details about the selected resource. For more information, see Resource's Governed Data view.
