Account access management
As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.
The following commands are available to you to manage account access.
|
Use this command |
If you want to | ||
|---|---|---|---|
|
Get-QAccountAccess |
View where users and groups have access on a managed host.
| ||
|
Get-QAccountAccessOnHosts |
View the resource access for a given account (Domain\SAMAccountName) across all available hosts.
| ||
|
Get-QAccountActivity |
View the activity associated with a user on a managed host.
| ||
|
Get-QAccountAliases |
View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access. | ||
|
Get-QAccountsForHost |
View all account access for a specific managed host. | ||
|
Get-QADAccount |
View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup. | ||
|
Get-QGroupMembers |
View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource. | ||
|
Get-QIndexedTrustees |
View all of the entries from the QAMTrustee table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee. |
Resource access management
A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.
The following commands are available to you to manage resource access.
|
Use this command |
If you want to | ||
|---|---|---|---|
|
Export-QResourceAccess |
Export the security information on a selected resource. | ||
|
Get-QChildResources |
View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares. In particular, it would be similar to the standard Windows PowerShell Get-ChildItems cmdlet but it functions using the Data Governance server as a proxy, so the client machine does not necessarily need direct access to the target machine.
| ||
|
Get-QFileSystemSearchResults |
Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once. | ||
|
Get-QHostResourceActivities |
Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.
| ||
|
Get-QPerceivedOwners |
Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodian for data.
| ||
|
Get-QResourceAccess |
Retrieve the security information of selected resources from a specific managed host, and child objects whose security differs from the parent. | ||
|
Get-QResourceActivity |
Retrieve the activity associated with a resource.
| ||
|
Get-QResourceSecurity |
View the security on a given resource in the SSDL format. | ||
|
Set-QResourceSecurity |
Set security on a given resource.
|
Governed data management
Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.
The following commands are available to you to manage governed data.
|
Use this command |
If you want to | ||
|---|---|---|---|
|
Get-QDataUnderGovernance |
View the data within your organization that has been placed under governance. Data is considered “governed” when it has been explicitly placed under governance or published to the IT Shop. | ||
|
Get-QPerceivedOwnerPoI |
View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment. | ||
|
Get-QSelfServiceClientConfiguration |
View the options that are available for self-service requests within the IT Shop. | ||
|
Get-QSelfServiceMethodsToSatisfyRequest |
View the group membership that is required to satisfy an access request. When employees request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that employee could be added to fulfill their request.
| ||
|
Remove-QDataUnderGovernance |
Remove data from governance.
| ||
|
Set-QBusinessOwner |
Set the business owner on a governed resource to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role. | ||
|
Set-QDataUnderGovernance |
Place a resource under governance. Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations. You can also use this command to set the business owner on governed resources to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role. | ||
|
Set-QSelfServiceClientConfiguration |
Set the options that are available for self-service requests within the IT Shop. | ||
|
Trigger-QDataUnderGovernanceCollection |
Trigger data collection for governed resources for a given managed host. | ||
|
Upgrade-QDataUnderGovernanceRecords |
Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.
|
Classification management
Classification is included in Data Governance Edition, however you should first define the classification levels in Data Governance Edition to match those defined by your company. Once defined, you can use these classification levels to classify governed resources.
The following commands are available to manage the classification levels used in your Data Governance Edition deployment and to assign a classification level to a governed resource.
|
Use this command |
If you want to |
|---|---|
|
Add-QClassificationLevel |
Define a new classification level for use in your Data Governance Edition deployment. |
|
Get-QClassificationLevelConfiguration |
Retrieve details about the classification levels configured in your Data Governance Edition deployment. |
|
Get-QDataUnderGovernanceByClassificationLevel |
Retrieve a list of governed resources assigned a specific classification level. |
|
Remove-QClassificationLevel |
Remove a classification level from your Data Governance Edition deployment. |
|
Set-QClassificationLevel |
Update an existing classification level in your Data Governance Edition deployment. |
|
Set-QClassificationLevelOnDug |
Assign a classification level to a governed resource. |