
Identity Manager Data Governance Edition 8.0 - User Guide


Account access management

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

The following commands are available to manage account access. For full parameter details and examples, see the command help (using the Get-Help command) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 87: Account access management commands

Use this command

If you want to

Get-QAccountAccess

View where users and groups have access on a managed host.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAccessOnHosts

View the resource access for a given account (Domain\SAMAccountName) across all available hosts.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountActivity

View the activity associated with a user on a managed host.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAliases

View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access.

Get-QAccountsForHost

View all account access for a specific managed host.

Get-QADAccount

View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.

Get-QGroupMembers

View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource.

Get-QIndexedTrustees

View all of the entries from the QAMTrustee table that are also listed in the QAMSecurityIndex table, which denotes an indexed trustee.

Resource access management

A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.

The following commands are available to manage resource access. For full parameter details and examples, see the command help (using the Get-Help command) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 88: Resource access management commands

Use this command

If you want to

Export-QResourceAccess

Export the security information on a selected resource.

Get-QChildResources

View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares.

It is similar to the standard Windows PowerShell Get-ChildItem cmdlet, but it uses the Data Governance server as a proxy, so the client machine does not necessarily need direct access to the target machine.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QFileSystemSearchResults

Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once.

Get-QHostResourceActivities

Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QPerceivedOwners

Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodians for data.

NOTE: The perceived owner for data is calculated from the resource activity history or security information collected by Data Governance Edition. Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database.

Get-QResourceAccess

Retrieve the security information of selected resources from a specific managed host, and child objects whose security differs from the parent.

Get-QResourceActivity

Retrieve the activity associated with a resource.

NOTE: Resource activity collection (and therefore this cmdlet) is not supported for the following host types:

  • Windows Cluster/Remote Windows Computer
  • Generic Host Type
  • EMC Isilon NFS Device
  • SharePoint Online
  • OneDrive for Business

Get-QResourceSecurity

View the security on a given resource in the SDDL (Security Descriptor Definition Language) format.

Set-QResourceSecurity

Set security on a given resource.

NOTE: The existing security descriptor is completely replaced.

Governed data management

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.

The following commands are available to manage governed data. For full parameter details and examples, see the command help (using the Get-Help command) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 89: Governed data management commands

Use this command

If you want to

Get-QDataUnderGovernance

View the data within your organization that has been placed under governance. Data is considered “governed” when it has been explicitly placed under governance or published to the IT Shop.

Get-QPerceivedOwnerPoI

View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment.

Get-QSelfServiceClientConfiguration

View the options that are available for self-service requests within the IT Shop.

Get-QSelfServiceMethodsToSatisfyRequest

View the group membership that is required to satisfy an access request.

When employees request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that employee could be added to fulfill their request.

NOTE: This PowerShell cmdlet does not support NFS or Cloud resources (since these types of resources cannot be published to the IT Shop).

Remove-QDataUnderGovernance

Remove data from governance.

NOTE: Removing a resource from governance also removes it from the IT Shop.

Set-QBusinessOwner

Set the business owner on a governed resource to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.

Set-QDataUnderGovernance

Place a resource under governance. Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.

You can also use this command to set the business owner on governed resources to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.

Set-QSelfServiceClientConfiguration

Set the options that are available for self-service requests within the IT Shop.

Trigger-QDataUnderGovernanceCollection

Trigger data collection for governed resources for a given managed host.

Upgrade-QDataUnderGovernanceRecords

Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.

NOTE: This is a requirement for upgrading to version 6.1.2 or 6.1.3.

Classification management

Classification is included in Data Governance Edition; however, you should first define the classification levels in Data Governance Edition to match those defined by your company. Once defined, you can use these classification levels to classify governed resources.

The following commands are available to manage the classification levels used in your Data Governance Edition deployment and to assign a classification level to a governed resource. For full parameter details and examples, see the command help (using the Get-Help command) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 90: Group template management commands

Use this command

If you want to

Add-QClassificationLevel

Define a new classification level for use in your Data Governance Edition deployment.

Get-QClassificationLevelConfiguration

Retrieve details about the classification levels configured in your Data Governance Edition deployment.

Get-QDataUnderGovernanceByClassificationLevel

Retrieve a list of governed resources assigned a specific classification level.

Remove-QClassificationLevel

Remove a classification level from your Data Governance Edition deployment.

Set-QClassificationLevel

Update an existing classification level in your Data Governance Edition deployment.

Set-QClassificationLevelOnDug

Assign a classification level to a governed resource.
