Identity Manager Data Governance Edition 8.0 - User Guide

Appendix: Governed data attestation policies

One Identity Manager ships with a predefined set of attestation policies for governed data. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Attestation policies | Predefined folder in the Attestation navigation view in the Manager.

Once the attestation check schedule is enabled, all attestation policies are active by default. You can, however, disable an individual attestation policy using the Change master data task from the Attestation policy overview in the Manager.

The following attestation policies are available by default for governed data.

Table 91: Governed data attestation policies

Data Governance: Accounts with direct access attestation
  Predefined approval policy: Attestation of account entitlements by employee manager.
  Description: Notify the employee marked as "responsible" for an account (that is, as a manager or as the person responsible for a particular privileged account), to attest to the entitlements of these "managed" accounts.

Data Governance: Groups with direct access attestation
  Predefined approval policy: Attestation of group entitlements by group owner.
  NOTE: If you have Cloud managed hosts in your Data Governance Edition deployment, change this setting to one of the following:
    • Attestation by target system manager
    • Attestation of group entitlements by selected approvers
  Description: Group product owner attests single group entitlements granting direct access.

Data Governance: Resource ownership attestation
  Predefined approval policy: Attestation by resource owner.
  Description: Resource owner attests ownership of governed resources, thereby approving their ownership.

Data Governance: Resource security attestation
  Predefined approval policy: Attestation by resource owner.
  Description: Managed resource owner attests to the security configuration of governed resources, focusing on highest entitlements only.

Data Governance: Resource security deviation attestation
  Predefined approval policy: Attestation by resource owner.
  Description: Resource owner attests governed resources with deviations in access security.

Tips for using governed data attestations:

  • Designer: The Base Data | General | Schedules | Attestation check is enabled by default and runs daily at 16:00 PM. You can use the Start button on the Attestation check properties pane to initiate an immediate attestation check.

For more information on the One Identity Manager attestation feature, including how to define attestations, execute attestations and introduce automatic or manual correction measures, see the One Identity Manager Attestation Administration Guide.

Appendix: Governed data company policies

One Identity Manager ships with a predefined set of company policies for governed data which can be enabled. These predefined policies are available when the Data Governance Edition module is installed and can be found in the Policies | Working copies of policies | Predefined folder in the Company Policies navigation view in the Manager.

The predefined governed data policies include:

Table 92: Governed data policies

Access not granted on governed data for the predefined group "Everyone"
  Description: A policy violation occurs when the built-in Active Directory group "Everyone" has any access assigned.
  NOTE: This company policy is not available for Cloud accounts.

Full access not granted on governed data for the predefined group "Everyone"
  Description: A policy violation occurs when the built-in Active Directory group "Everyone" has any "Full Control" access assigned.
  NOTE: This company policy is not available for Cloud accounts.

Governed data must be assigned to a Classification level
  Description: A policy violation occurs when governed data is found that does not have a classification level assigned.

No governed data with access assigned to accounts other than AD security groups
  Description: A policy violation occurs when governed data is found with access assigned to accounts other than Active Directory security groups.

No governed data with conflicting NTFS permissions for Allow/Deny
  Description: A policy violation occurs when governed data is found with conflicting Allow/Deny access assigned.

No governed data with high risk index (> 0.75) accessible by accounts of external employees
  Description: A policy violation occurs when an external employee has access assigned to governed data with a high risk index.

Tips for using governed data policies:

  • Manager: Working copies of company policies are disabled by default. You can, however, enable these policies using the Enable working copy task from the Change master data view of a policy.

  • Manager: After enabling a working copy, you can use the following tasks to 'test' a working copy of a policy:
    • Show condition: Displays a list of governed data that is in violation of the selected policy.
    • Recalculate policy: Evaluates the selected policy and logs any policy violations that occurred.
  • Web portal: As a business owner of the resource, after recalculating a policy, any policy violations appear (Responsibilities | My Responsibilities | Governed Data | Policy violations).
  • Designer: The Base Data | General | Schedules | Policy check is enabled by default and runs monthly at 11:00 AM. You can use the Start button on the Policy check properties pane to initiate an immediate policy check.

For details on managing policies, see Company Policies in the One Identity Manager Company Policies Administration Guide.

Appendix: Governed data risk index functions

One Identity Manager ships with a predefined set of risk index functions used to calculate the risk index for governed data. These predefined risk index functions are available when the Data Governance Edition module is installed and can be found in the Risk index functions | Governed data (QAMDuG) | Properties folder in the Risk Index Functions navigation view in the Manager.

The predefined governed data risk index functions include:

Table 93: Governed data (QAMDuG) risk index functions

Attestation of data under governance
  Description: Reduces the risk of a governed resource when an attestation policy is enabled.
  Default weighting / Change value: 0.02

Defined owner for data
  Description: Reduces the risk of a governed resource when a business owner has been assigned.
  Default weighting / Change value: 0.01

Full access for "Everyone"
  Description: Increases the risk of a governed resource when "Everyone" is granted full access to the resource.
  Default weighting / Change value: 0.2

Full access for accounts
  Description: Increases the risk of a governed resource when accounts other than "Everyone" are granted full access to the resource.
  Default weighting / Change value: 0.1

Last access > 30 days
  Description: Reduces the risk of a governed resource when the last access date is more than 30 days ago.
  Default weighting / Change value: 0.04

Last access > 60 days
  Description: Reduces the risk of a governed resource when the last access date is more than 60 days ago.
  Default weighting / Change value: 0.06

Last access > 90 days
  Description: Reduces the risk of a governed resource when the last access date is more than 90 days ago.
  Default weighting / Change value: 0.08

Last access > 180 days
  Description: Reduces the risk of a governed resource when the last access date is more than 180 days ago.
  Default weighting / Change value: 0.1

No classification level assigned
  Description: Increases the risk of a governed resource when no classification level has been assigned.
  Default weighting / Change value: 0.1

Policy violation
  Description: Increases the risk of a governed resource when a company policy violation occurs.
  Default weighting / Change value: 0.2

Published to IT Shop
  Description: Increases the risk of a governed resource when the resource is published to the IT Shop.
  Default weighting / Change value: 0.1

Read only access
  Description: Increases the risk of a governed resource when read-only access is granted.
  Default weighting / Change value: 0.05

Write access
  Description: Increases the risk of a governed resource when read and write access is granted.
  Default weighting / Change value: 0.1

Tips for using governed data risk index functions:

  • Designer: The Base Data | General | Schedules | Calculate risk indexes of governed data is disabled by default. Before risk calculations can be performed on governed data, this schedule must be enabled. You can use the Start button on the Calculate risk indexes of governed data properties pane to initiate an immediate risk index calculation.
  • Manager: The Data Governance Edition risk index functions are enabled by default. You can, however, disable a risk index function using the Change master data task on the Function overview.
  • Web portal: As a business owner, you can see the risk index assigned to owned resources (Responsibilities | My Responsibilities | Governed Data | All my resources).
  • Web portal: As a business owner, you can see what functions contributed to the calculated risk index (Responsibilities | My Responsibilities | Governed Data | All my resources | <selected resource> | Risk).

For more information on One Identity Manager's risk assessment feature, see the One Identity Manager Risk Assessment Administration Guide.
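The following is an added worked example, not code from the guide or from One Identity Manager, showing how the Table 92 company policies and the Table 93 risk index functions interact on a governed resource. The guide lists each function's direction and default weighting but not how the contributions are combined; this example assumes a simple additive model (reducing functions subtract, increasing functions add, result clamped to 0..1), that every "Last access" bracket a resource exceeds applies, and that the risk-dependent external-employee policy is evaluated after the risk index. The resource model (Ace, Resource), the share names, the account names and the evaluation date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Default weightings from Table 93 (QAMDuG). Negative values are the
# "Reduces the risk" functions, positive values the "Increases the risk" ones.
RISK_FUNCTIONS = {
    "Attestation of data under governance": -0.02,
    "Defined owner for data": -0.01,
    'Full access for "Everyone"': 0.2,
    "Full access for accounts": 0.1,
    "Last access > 30 days": -0.04,
    "Last access > 60 days": -0.06,
    "Last access > 90 days": -0.08,
    "Last access > 180 days": -0.1,
    "No classification level assigned": 0.1,
    "Policy violation": 0.2,
    "Published to IT Shop": 0.1,
    "Read only access": 0.05,
    "Write access": 0.1,
}
HIGH_RISK = 0.75  # threshold named in the Table 92 external-employee policy


@dataclass
class Ace:
    """One access entry on a resource (constructed model, not a product schema)."""
    trustee: str
    kind: str               # "group" = AD security group, "user" = individual account
    rights: str             # "full", "write" or "read"
    allow: bool = True      # False models an NTFS Deny entry
    external: bool = False  # trustee resolves to an external employee


@dataclass
class Resource:
    name: str
    aces: List[Ace]
    classification: Optional[str]
    owner: Optional[str]
    last_access: date
    attestation_enabled: bool
    published_to_itshop: bool


def company_policy_violations(r: Resource) -> List[str]:
    """Evaluate the Table 92 policies that do not depend on the risk index."""
    v = []
    everyone = [a for a in r.aces if a.trustee == "Everyone" and a.allow]
    if everyone:
        v.append('Access not granted on governed data for "Everyone"')
    if any(a.rights == "full" for a in everyone):
        v.append('Full access not granted on governed data for "Everyone"')
    if r.classification is None:
        v.append("Governed data must be assigned to a Classification level")
    if any(a.kind != "group" for a in r.aces):
        v.append("No governed data with access assigned to accounts other than AD security groups")
    allowed = {a.trustee for a in r.aces if a.allow}
    denied = {a.trustee for a in r.aces if not a.allow}
    if allowed & denied:  # same trustee both allowed and denied
        v.append("No governed data with conflicting NTFS permissions for Allow/Deny")
    return v


def risk_index(r: Resource, as_of: date, has_violation: bool):
    """Sum the matching Table 93 weightings and clamp to [0, 1] (additive model is an assumption)."""
    applied = []
    allows = [a for a in r.aces if a.allow]
    if r.attestation_enabled:
        applied.append("Attestation of data under governance")
    if r.owner:
        applied.append("Defined owner for data")
    if any(a.trustee == "Everyone" and a.rights == "full" for a in allows):
        applied.append('Full access for "Everyone"')
    if any(a.trustee != "Everyone" and a.rights == "full" for a in allows):
        applied.append("Full access for accounts")
    idle_days = (as_of - r.last_access).days
    for n in (30, 60, 90, 180):  # assumption: every bracket exceeded applies
        if idle_days > n:
            applied.append(f"Last access > {n} days")
    if r.classification is None:
        applied.append("No classification level assigned")
    if has_violation:
        applied.append("Policy violation")
    if r.published_to_itshop:
        applied.append("Published to IT Shop")
    if any(a.rights == "read" for a in allows):
        applied.append("Read only access")
    if any(a.rights == "write" for a in allows):
        applied.append("Write access")
    raw = sum(RISK_FUNCTIONS[name] for name in applied)
    return max(0.0, min(1.0, round(raw, 2))), applied


def assess(r: Resource, as_of: date) -> dict:
    """Policies first, then risk, then the one policy that reads the risk index."""
    violations = company_policy_violations(r)
    risk, applied = risk_index(r, as_of, bool(violations))
    if risk > HIGH_RISK and any(a.external and a.allow for a in r.aces):
        violations.append("No governed data with high risk index (> 0.75) accessible by accounts of external employees")
    return {"name": r.name, "risk": risk, "functions": applied, "violations": violations}


AS_OF = date(2024, 1, 31)  # constructed evaluation date

# Constructed sample resources; share and account names are not from the guide.
PAYROLL = Resource(
    name=r"\\fs01\Finance\Payroll",
    aces=[
        Ace("Everyone", "group", "full"),
        Ace(r"CORP\Finance-Admins", "group", "full"),
        Ace(r"CORP\Finance-RW", "group", "write"),
        Ace(r"CORP\jdoe", "user", "read", external=True),
        Ace(r"CORP\Contractors", "group", "read"),
        Ace(r"CORP\Contractors", "group", "write", allow=False),
    ],
    classification=None, owner=None,
    last_access=AS_OF - timedelta(days=10),
    attestation_enabled=False, published_to_itshop=True,
)
ARCHIVE = Resource(
    name=r"\\fs01\Archive\2019",
    aces=[Ace(r"CORP\Archive-RW", "group", "write")],
    classification="Internal", owner=r"CORP\bsmith",
    last_access=AS_OF - timedelta(days=200),
    attestation_enabled=True, published_to_itshop=False,
)

if __name__ == "__main__":
    for res in (PAYROLL, ARCHIVE):
        result = assess(res, AS_OF)
        print(f"{result['name']}: risk index {result['risk']}")
        for f in result["functions"]:
            print(f"  {RISK_FUNCTIONS[f]:+.2f}  {f}")
        for pv in result["violations"]:
            print(f"  VIOLATION: {pv}")
```

Under these assumptions the Payroll share accumulates 0.85 (Everyone full access, a second full-access group, no classification, a policy violation, IT Shop publication, and read and write grants), which crosses the 0.75 threshold and so also triggers the external-employee policy for the one external account with access. The Archive share shows the opposite end: its reducing functions outweigh its single write grant and the index clamps at 0.0 with no violations, which is the pattern a resource owner would expect to see in the web portal's Risk view.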

About us

Contacting us

For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

  • Submit and manage a Service Request
  • View Knowledge Base articles
  • Sign up for product notifications
  • Download software and technical documentation
  • View how-to-videos
  • Engage in community discussions
  • Chat with support engineers online
  • View services to assist you with your product