Identity Manager Data Governance Edition 8.0 - User Guide

Background operations

Background operations view

Selecting Background operations in the Data Governance navigation view allows you to view the progress of various background operations, including:

  • Log export operations
  • Account access operations submitted from the Manage access view.

The following table describes the information displayed for current background operations.

Table 22: Background operations view: Default columns
| Column title | Description |
| --- | --- |
| Description | A description of the background operation being processed by Data Governance Edition. |
| Status | The status of the background operation. |
| Resource | The resource involved in the operation. |
| Operation | The background operation being processed. |
| Start Time | The date and time (UTC) the operation began. |
| End Time | The date and time (UTC) the operation completed. |

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 23: Background operations view: Hidden columns
| Column title | Description |
| --- | --- |
| Enqueued Time | The date and time (UTC) the operation was added to the background queue. |
| Error | Any errors encountered during the background operation. |

Resource browser

The Resource browser provides a live view of the data on the selected managed host. Using the Resource browser, you can browse through the supported file systems to view and manage security information for folders and shares on the target managed host.

The Resource browser displays the following information:

  • For a Windows computer, the shares and file system display.
  • For a SharePoint farm, each farm is represented as a hierarchy, with the farm as the top level, followed by web applications, site collections, sites and then the contents of the site. The contents of a list are shown as “list item”, regardless of the type of item in SharePoint. The Resource browser displays a list of the web applications on the selected farm.
  • For a Distributed File System Root, links are displayed at the top level. Browsing into a link shows its target paths and browsing into a target path takes you to the appropriate backing folder. While browsing a backing folder, the Distributed File System path is shown in the Location field at the top of the page.
  • For Cloud managed hosts, each site is represented by a folder hierarchy, with the Home top level site displayed as Site contents folder, followed by all other subsites. Each site contains a Site contents folder encompassing other nested folders. The contents of a site and document library are shown as 'folder' type items, whereas files are shown as 'file' type items. No other resource types are managed for Cloud managed hosts.

    NOTE: The resource browser and resource access reports do not display the limited access users or "previewer" accounts.

You can display the Resource browser from the following views:

  • Managed hosts view
  • Accounts view
  • Governed data view

Double-click through the resources to locate a resource. Depending on the resource type, you can perform the following tasks against the selected resource.

Table 24: Resource browser: Resource tasks
| Task | Description | For more information |
| --- | --- | --- |
| Calculate perceived owners | Calculates and provides a list of the perceived owners for the selected resource using the resource activity history or security information. | Calculating perceived owner |
| Copy resource path | Copies the full path of the selected resource to the clipboard. | |
| Copy Share Path | Copies the path of the selected Share to the clipboard. | |
| Edit host settings | Launches the Managed Host Settings dialog allowing you to view or edit the configuration settings for the selected managed host. | Editing managed host settings |
| Place resource under governance | Places the selected resource under governance, making it available for use in policies and attestations. NOTE: Only applies to folders and shares. That is, you cannot place a file under governance. | Placing a resource under governance |
| Publish to IT Shop | Publishes the selected resource(s) to the IT Shop, making it available for employees and business owners to request and grant access to it. If applicable, also places the resource(s) under governance. NOTE: Only applies to folders and shares. That is, you cannot publish a file to the IT Shop. NOTE: Not available for resources on NFS managed hosts. NOTE: Not available for resources on Cloud managed hosts. | Publishing resources to the IT Shop |
| Refresh | Retrieves and displays the latest details in the Resource browser. | |
| Remove resources from governance | Removes the selected resource(s) from governance. | Removing resources from governance |
| Resource access report | Generates a report that identifies the accounts that have access to specific resources within your environment. | Resource access report; Viewing selected reports within the Manager |
| Resource activity report | Generates a report that provides a list of activities recorded over a period of time to verify proper resource usage and decide whether to remove access for particular accounts. NOTE: Not available for resources on Cloud managed hosts. | Resource activity report; Viewing selected reports within the Manager |
| Toggle layout options | Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed. | Toggle layout options |
| Unpublish from IT Shop | Removes a previously published resource from the IT Shop. NOTE: Not available for resources on NFS managed hosts. NOTE: Not available for resources on Cloud managed hosts. | Publishing resources to the IT Shop |
| View deviations | Displays a tree view of all resources and all sub-resources below the root that have explicit security applied to them and any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security. NOTE: Not available for resources on NFS managed hosts. NOTE: Not available for resources on Cloud managed hosts. | Managing security deviations |
| View governed data details | Displays a graphical representation of the details available for governed resources. | |

When an account in the resource's permissions pane (lower pane) is selected, you can perform the following tasks against the selected account.

Note: These account tasks are not available for resources on NFS managed hosts.

Table 25: Resource browser: Account tasks
| Task | Description | For more information |
| --- | --- | --- |
| Account access report | Generates a report displaying the account's resource access across all managed hosts within the enterprise. Selecting this task displays the Account Access dialog allowing you to define the report parameters for running the Account access report. | Account access report; Viewing selected reports within the Manager |
| Account comparison | Displays the Account Comparison view allowing you to compare the resource access of two accounts. NOTE: This feature is not available for Cloud accounts. | Comparing accounts |
| Account simulation | Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked. NOTE: This feature is not available for Cloud accounts. | Simulating the effects of group membership modifications on an account |
| Add rights | Launches the Add Permissions dialog allowing you to manage a user or group's access to the selected resource. From this dialog, you can add or edit an account's access as required. | Modifying discretionary access control list (DACL) permissions for NTFS resources; Modifying auditing system access control list (SACL) permissions for NTFS resources |
| Manage access | Displays the Manage access view that shows the managed hosts where the selected account has access. From here, you can also view detailed group membership information. | Manage access view; Managing account access |
| Remove all explicit permissions | Removes all explicitly assigned permissions from the selected resource. | Managing security deviations |
| Remove selected permissions | Removes the selected permissions from the selected resource. | Modifying discretionary access control list (DACL) permissions for NTFS resources; Modifying auditing system access control list (SACL) permissions for NTFS resources |

In addition, you can access the following views from the Resource browser.

Table 26: Resource browser: Views
| View | Description | For more information |
| --- | --- | --- |
| Governed data | Displays the Governed data view to view all the resources within the selected host that have been placed under governance. | Governed data view; Managing resources under governance |
| Accounts view | Displays the security index information returned by Data Governance agents for the selected managed host. NOTE: Not available for NFS managed hosts. | Accounts view |

Related Topics

Add permissions dialog

Permission levels dialog

Add permissions dialog

The Add Permissions dialog allows you to add rights to a given account. This dialog appears when you select the Add rights task from the Resource browser or Deviations view.

This dialog contains the following controls.

Table 27: Add permissions dialog: Controls
| Page | Control | Description |
| --- | --- | --- |
| Select accounts | Select this object type | This field is pre-populated with the appropriate object type(s) based on the task that launched the dialog. |
| | Object Types | Click the Object Types button to change the types of objects to be searched. Clicking this button displays a list of object types from which you can select. |
| | From this location | This field is pre-populated with the local domain to be searched. |
| | Locations | Click the Locations button to change the location to be searched. Clicking this button displays a list of reference domains from which you can select. |
| | Enter the object names to select | Enter the name or partial name of the object to be located. |
| | Check names | After entering the object name, click the Check names button to search for the specified objects. |
| | Objects list | If a single object is found that matches the object name (or partial name), it appears in the objects list. If multiple objects are found that match the object name (or partial name), the Multiple Names Found dialog appears, allowing you to select one or more objects from the list. Click OK to save your selection and close the dialog. The objects selected now appear in the object list. To remove an object from this list, right-click an object and select Remove. |
| | Advanced | Use the Advanced button to specify a more advanced query for locating an object. Clicking this button displays the Select Users, Computers or Groups dialog to specify the query to be used to locate the object. |
| | Import | Use the Import button to import a previously exported QAM Account list (*.qamtl file). |
| | Export | Use the Export button to export the currently displayed list of objects to a QAM Account list (*.qamtl file). |
| Permissions | Apply To | Use this field to specify the scope of coverage. Valid options are: This folder only; This folder, subfolders and files (default); This folder and subfolders; This folder and files; Subfolders and files only; Subfolders only; Files only. |
| | Permission | Select the corresponding check box to apply or deny a particular permission. |
| | Apply these permissions to objects and/or containers within this container only | Select this option to apply the selected permissions to objects and/or containers within the selected container only. |

Use the buttons across the bottom of the dialog to navigate through the dialog and to save your selections.

Table 28: Add Permissions dialog: Buttons
| Button | Description |
| --- | --- |
| Next | After selecting an account on the Select Accounts page, select the Next button to display the Permissions page to choose the permissions to be applied to the selected accounts. |
| Back | If you need to return to the Select Accounts page, select the Back button on the Permissions page. |
| Finish | Once you have chosen the permissions to be applied to the selected accounts, click the Finish button to save your selections and close the dialog. |
| Cancel | Click the Cancel button to close the dialog without saving your selections. |

Related Topics

Object types dialog

Locations dialog

Select users, computers or groups dialog

Name Not Found dialog

Object types dialog

The Object types dialog allows you to select the types of objects to be searched: Users, Groups, Computers, or Built-in security principals. This dialog appears when you select the Object Types button on the Select objects dialog or Add permissions dialog.

This dialog contains the following controls.

Table 29: Object Types dialog: Controls
| Control | Description |
| --- | --- |
| Object types | Provides a list of object types that can be included in the search for objects. Click the check box to the left of an object type to select it. Clear the check box to exclude the object type from the search. |
| OK | Click the OK button to save your selections and close the dialog. |
| Cancel | Click the Cancel button to close the dialog without saving your selections. |
