Remove groups dialog
Use the Remove groups dialog to select the groups to be included in a remove simulation. This dialog appears when you click the Select Groups button at the top of the Account Simulation view when performing a remove from groups simulation.
This dialog contains the following controls:
Table 60: Select groups dialogs: Controls
|Once groups have been selected, this list displays the groups to be included in the simulation.
|Click the Browse Groups button to display the Select User or Group dialog to locate and select the groups to be included in the simulation.
|After selecting the groups to be used in the simulation, click the Simulate button to initiate the simulation process.
|Click the Cancel button to close the dialog without saving your selections or launching a simulation.
Bringing data under governance
Controlling access to data is vital to eliminating issues such as security breaches, loss of sensitive information, or non-compliance with external and internal guidelines. You need a process that enables you to:
- Publish resources to the IT Shop.
Resource access requests are performed within the web portal for resources located in the IT Shop. For more information, see Publishing resources to the IT Shop.. Requests follow a predefined approval process where the control over whether the request is approved or denied is made by the assigned business owner and group owners.
- Create policies that allow you to set rules and guidelines surrounding data to ensure its safety, reliability, and accountability.
Policies and violations can help to identify resources that need to be placed under governance.
For a list of the governed data company policies provided with Data Governance Edition, see Governed data company policies
- Establish a data access approval and attestation process to ensure the data stays in a managed state.
Attestation reviews ensure that the business has a clear statement of an employee’s data access and ensure that access to NTFS and SharePoint data is correct.
The attestation process places responsibility for the attestation review with the data or business owner as they have the best knowledge of the data and its intended use.
For a list of the governed data attestation policies provided with Data Governance Edition, see Governed data attestation policies
What is "Governed Data"?
Placing a resource under governance
Governed data view
Removing resources from governance
Managing resources under governance
Publishing resources to the IT Shop
Managing business ownership for a resource
Calculating perceived owner
Establishing compliance policies
What is "Governed Data"?
Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data. The workflows cross the Manager and the web portal.
Through the Manager, you can:
Through the web portal, users have access to:
- IT Shop self-service access requests.
- Access certification processes that ensure proper allocations of resources.
- Policy enforcement systems.
- Views, dashboards, and reports that enable business owners to see the access employees have to all the resources they own and the resource activity on those resources.
Data is considered “governed” when one of the following actions has occurred:
Once data is "governed", the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.
The Data Governance server also periodically retrieves resource activity summary and security information which is used to calculate perceived ownership suggestions for data under governance. The activity summary information is used for populating various dashboards and views in the web portal and the perceived ownership data is used for reports.
Placing a resource under governance
Identifying data to be governed is continuously adaptive in nature. Those responsible for identifying the data may include the business owner, the administrator, the compliance officer, and managers.
Consider the following when making your selection:
- Monitor "Top Active Content" and "Top Active Users" reports and views in the web portal to locate content that is potentially valuable to the organization.
- Identify enterprise applications that provide the ability to export sensitive information in an unencrypted format.
- Identify content with several access points. For example, if content is available to "Everyone", "All Sales", or "All Employees" you would assume that it is meant for public consumption. However, there is the chance that a sensitive file may be placed in the public area either in error or through malicious intent. It is important to assign a "high risk" index to content with wide access points and bring them under control.
- Identify groups with many members and investigate their data access. Sensitive information could be inadvertently available to people through their group memberships.
- Talk to business owners. They are stakeholders in making the data governance process successful. Understand how they create content and the repositories they use — SharePoint or file servers. They can provide information about the importance of content that is created by the different "roles" in their department or organization. This can identify shares and folders that must be governed and important groups or roles from their perspective.
- Identify trends in "Resource Access Requests" in the web portal IT Shop. If there is an increase in requesting access to a share or a specific SharePoint folder — maybe the resource is a candidate to be watched for activity.
NOTE: For all managed host types, when placing a resource under governance, the resource must be a managed path or a folder or share under a managed path.
- For remote managed hosts and SharePoint managed hosts, if you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. If the managed host has more than one agent assigned, you are prompted to select the agent to which the managed path is added.
- For local managed hosts, if you are scanning managed paths (that is, there are paths in the managed paths list), and you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. However, if you are scanning the entire server (that is, the managed paths list is empty) and you place a resource under governance, no changes are made to the managed paths list and you continue to scan the entire server.
Note: On a per host basis, ensure to complete all tasks (such as adding managed paths and placing resources under governance) in the same manner — either at the share or folder level.
NOTE: In order for a DFS link, target share path or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server where the DFS link is pointing to must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.
To place a resource under governance
- In the Navigation view, select Data Governance | Managed hosts.
- Open the Resource browser using one of the following methods:
- Double-click the required managed host in the Managed hosts view.
- Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
- Double-click through the resources to locate the required resource (folder or share).
- Select the required resource (folder or share) and select Place resource under governance from the Tasks view or right-click menu.
In the Place resource under governance dialog, confirm the display name and click Govern Resources.
When placing a share under governance, you can use the backing folder security or share permissions for self-service resource access requests in the web portal. The Use backing folder security for self-service option is selected by default and uses the backing folder security for the share. Clear this option to use the share permissions for the share.
When placing a DFS link under governance, select the type of security to be used:
- Use Folder Security: This option is selected by default and uses the backing folder security for self-service resource access requests to this governed resource. The backing folder should be accessible to the Data Governance service and the Data Governance agent service.
- Use Share Security: Select this option to use the share permissions for self-service resource access requests to this governed resource.
- Use DFS Security: Select this option to use the DFS access-based enumeration security for self-service resource access requests to this governed resource.
Back in the Resource browser, "True" now appears in the Governed Resource column. The governed resource is also added to the Governed data view.
Removing resources from governance