
Identity Manager Data Governance Edition 9.2 - User Guide


Account simulation results

The account simulation feature allows you to simulate changes to group membership before making any changes to the group membership.

  • For an "Add to Groups" simulation, you can see the resources the selected account would gain access to if it were added to the specified groups.
  • For a "Remove from Groups" simulation, you can see the resources the selected account would no longer have access to if it were removed from the specified groups.

The results generated by an account simulation contain the following details:

Table 47: Account simulation results

Simulation Type: The type of simulation performed:

  • Right Granted
  • Right Revoked

Resource Name: The name of the resource to which access would be granted or revoked.

Resource Type: The type of resource.

Right: The access rights that would be granted or revoked.

  • For an "Add to Groups" simulation, the right to be granted is prefaced with a plus sign (+).
  • For a "Remove from Groups" simulation, the right to be revoked is prefaced with a minus sign (-).

Via Group: The name of the group through which access would be granted or revoked.

Governed Resource: Indicates whether the resource is governed.

  • True: Resource is governed.
  • Blank: Resource is not governed.
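The following is an added example, not code from the Data Governance Edition guide or product, that models the two simulation types above and produces rows in the shape of Table 47. The group names, resources, rights and the set of governed resources are constructed sample data. The point it makes explicit is that the simulation reports only effective changes: a right the account already holds through another group is not "granted" again, and a right still carried by a remaining group is not "revoked".

```python
# Added example: a model of the "Add to Groups" / "Remove from Groups"
# account simulation described above. It is not code from Data Governance
# Edition; group names, resources, rights and the governed set are constructed.
from dataclasses import dataclass

# Constructed sample data: rights each group grants on each resource.
GROUP_RIGHTS = {
    "FinanceReaders": {r"\\fs01\Finance": {"Read"}},
    "FinanceEditors": {r"\\fs01\Finance": {"Read", "Write"}},
    "AllStaff":       {r"\\fs01\Public": {"Read"}},
    "HRAdmins":       {r"\\fs01\HR": {"Read", "Write", "Full Control"}},
}
# Constructed: which resources have been placed under governance.
GOVERNED = {r"\\fs01\Finance", r"\\fs01\HR"}


@dataclass(frozen=True)
class SimulationRow:
    """One row of the results table (Table 47)."""
    simulation_type: str    # "Right Granted" or "Right Revoked"
    resource_name: str
    resource_type: str      # constructed: every sample resource is a share
    right: str              # prefaced with "+" (granted) or "-" (revoked)
    via_group: str
    governed_resource: str  # "True" when governed, blank otherwise


def effective_rights(groups):
    """Union of rights per resource over a set of group memberships."""
    rights = {}
    for g in groups:
        for res, rs in GROUP_RIGHTS.get(g, {}).items():
            rights.setdefault(res, set()).update(rs)
    return rights


def _rights_only_in(a, b):
    """Rights present per resource in mapping a but absent from mapping b."""
    out = {}
    for res, rs in a.items():
        extra = rs - b.get(res, set())
        if extra:
            out[res] = extra
    return out


def simulate(current_groups, change_groups, mode):
    """Simulate adding (mode="add") or removing (mode="remove") the account's
    membership in change_groups. Only rights that actually change are reported:
    a right still held through another group is neither granted nor revoked."""
    current, changed = set(current_groups), set(change_groups)
    have = effective_rights(current)
    if mode == "add":
        delta = _rights_only_in(effective_rights(current | changed), have)
        sim_type, sign = "Right Granted", "+"
    elif mode == "remove":
        delta = _rights_only_in(have, effective_rights(current - changed))
        sim_type, sign = "Right Revoked", "-"
    else:
        raise ValueError(f"unknown mode {mode!r}")

    rows = []
    for res, rights in delta.items():
        for right in rights:
            # One row per group in the change set that carries this right.
            for g in sorted(changed):
                if right in GROUP_RIGHTS.get(g, {}).get(res, set()):
                    rows.append(SimulationRow(sim_type, res, "Share", sign + right, g,
                                              "True" if res in GOVERNED else ""))
    return sorted(rows, key=lambda r: (r.resource_name, r.right, r.via_group))


if __name__ == "__main__":
    for row in simulate(["FinanceReaders", "AllStaff"], ["FinanceEditors"], "add"):
        print(row)
```

Running the block as written shows a single "+Write" row: the account already reads \\fs01\Finance through FinanceReaders, so only the Write right is new.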

Bringing data under governance

Controlling access to data is vital to preventing issues such as security breaches, loss of sensitive information, and non-compliance with external and internal guidelines. You need a process that enables you to:

  • Assign business owners.

    Assign business owners with care: the business owner of a resource is the custodian of its data. Various reports can help you identify the appropriate identity. For more information, see Managing business ownership for a resource.

    Note: The assignment of a business owner is an essential component of data governance as this role is inherently part of the compliance workflows. You do not need to assign an owner when you place a resource under governance; however, you cannot assign an owner unless the resource is governed.

  • Publish resources to the IT Shop.

    Resource access requests are performed in the web portal for resources located in the IT Shop. For more information, see Publishing resources to the IT Shop. Tickets follow a predefined approval process in which the assigned business owner and group owners decide whether the request is approved or denied.

  • Create policies that allow you to set rules and guidelines surrounding data to ensure its safety, reliability, and accountability.

    Policies and violations can help to identify resources that need to be placed under governance.

    For a list of the governed data company policies provided with Data Governance Edition, see Governed data company policies.

  • Establish a data access approval and attestation process to ensure the data stays in a managed state.

    Attestation reviews ensure that the business has a clear statement of an identity’s data access and ensure that access to NTFS and SharePoint data is correct.

    The attestation process places responsibility for the attestation review with the data or business owner as they have the best knowledge of the data and its intended use.

    For a list of the governed data attestation policies provided with Data Governance Edition, see Governed data attestation policies.

What is "Governed Data"?

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data. The workflows cross the Manager and the web portal.

Through the Manager, you can:

  • Place resources (folders or shares) under governance.
  • Publish resources (folders or shares) to the IT Shop, thereby enabling self-service requests that provide compliance checks.

    Note: Publishing resources to the IT Shop is not available for resources on NFS or Cloud managed hosts.

  • Identify and assign the business owner for data.
  • Create access policies to ensure a system of least privilege.

Through the web portal, users have access to:

  • IT Shop self-service access requests.
  • Access certification processes that ensure proper allocations of resources.
  • Policy enforcement systems.
  • Views, dashboards, and reports that enable business owners to see the access identities have to all the resources they own and the resource activity on those resources.

Data is considered “governed” when one of the following actions has occurred:

Once data is "governed", the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.

The Data Governance server also periodically retrieves resource activity summary and security information, which are used to calculate perceived ownership suggestions for data under governance. The activity summary information populates various dashboards and views in the web portal, and the perceived ownership data is used in reports.

Placing a resource under governance

Identifying data to be governed is an ongoing, adaptive process. Those responsible for identifying the data may include the business owner, the administrator, the compliance officer, and managers.

Consider the following when making your selection:

  • Monitor "Top Active Content" and "Top Active Users" reports and views in the web portal to locate content that is potentially valuable to the organization.
  • Identify enterprise applications that provide the ability to export sensitive information in an unencrypted format.
  • Identify content with several access points. For example, if content is available to "Everyone", "All Sales", or "All Identities" you would assume that it is meant for public consumption. However, there is the chance that a sensitive file may be placed in the public area either in error or through malicious intent. It is important to assign a "high risk" index to content with wide access points and bring them under control.
  • Identify groups with many members and investigate their data access. Sensitive information could be inadvertently available to people through their group memberships.
  • Talk to business owners. They are stakeholders in making the data governance process successful. Understand how they create content and the repositories they use — SharePoint or file servers. They can provide information about the importance of content that is created by the different "roles" in their department or organization. This can identify shares and folders that must be governed and important groups or roles from their perspective.
  • Identify trends in "Resource Access Tickets" in the web portal IT Shop. If requests for access to a share or a specific SharePoint folder are increasing, the resource may be a candidate to be watched for activity.
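As an added illustration, not part of the guide or the product, the following code turns two of the selection criteria above (content with wide access points, and access through groups with many members) into a check over constructed ACL data. The principal names, ACL entries, group sizes and the threshold are all assumptions of this example; a real review would read them from a security scan.

```python
# Added example: flag governance candidates from ACL data using two of the
# selection criteria above. Not Data Governance Edition code; all ACLs,
# principals, group sizes and the threshold below are constructed.

# Constructed: principals that make a resource "available to everyone".
PUBLIC_PRINCIPALS = {"Everyone", "Authenticated Users", "All Identities", "All Sales"}

# Constructed: (trustee, right) entries per resource.
ACLS = {
    r"\\fs01\Public":          [("Everyone", "Read"), ("ITOps", "Full Control")],
    r"\\fs01\Finance\Payroll": [("FinanceEditors", "Write"), ("All Sales", "Read")],
    r"\\fs01\HR":              [("HRAdmins", "Full Control")],
    r"\\fs01\Eng":             [("AllEngineering", "Read")],
}

# Constructed: member counts per group.
GROUP_SIZES = {"ITOps": 12, "FinanceEditors": 6, "HRAdmins": 3, "AllEngineering": 850}


def governance_candidates(acls, group_sizes, large_group_threshold=500):
    """Return {resource: [reason, ...]} for every resource that matches a
    criterion. A resource with any reason is a candidate for a high risk index
    and for being placed under governance; resources with none are omitted."""
    findings = {}
    for resource, aces in acls.items():
        reasons = []
        for trustee, right in aces:
            if trustee in PUBLIC_PRINCIPALS:
                reasons.append(f"wide access: {trustee} has {right}")
            elif group_sizes.get(trustee, 0) >= large_group_threshold:
                members = group_sizes[trustee]
                reasons.append(f"large group: {trustee} ({members} members) has {right}")
        if reasons:
            findings[resource] = reasons
    return findings


if __name__ == "__main__":
    for resource, reasons in governance_candidates(ACLS, GROUP_SIZES).items():
        print(resource)
        for reason in reasons:
            print("   ", reason)
```

The threshold is a tuning knob: lowering it surfaces more resources for the business owner conversation the guide recommends, raising it narrows the list to the widest exposures.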

NOTE: For all managed host types, when placing a resource under governance, the resource must be a managed path or a folder or share under a managed path.

  • For remote managed hosts and SharePoint managed hosts, if you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. If the managed host has more than one agent assigned, you are prompted to select the agent to which the managed path is added.
  • For local managed hosts, if you are scanning managed paths (that is, there are paths in the managed paths list), and you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. However, if you are scanning the entire server (that is, the managed paths list is empty) and you place a resource under governance, no changes are made to the managed paths list and you continue to scan the entire server.
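To make the managed-path rule in the note above concrete, here is an added example that is not Data Governance Edition code. It decides whether placing a resource under governance adds a new entry to the managed paths list, following the three cases described: the resource is already within a managed path, the host is a remote or SharePoint managed host, or the host is a local managed host with either a populated or an empty managed paths list. The host type names, the sample paths and the component-wise containment check are this example's own assumptions.

```python
# Added example: the managed-path rule above, written as a small decision
# function. Not Data Governance Edition code; host type names, sample paths
# and the component-wise containment check are this example's own choices.
from pathlib import PureWindowsPath


def is_under(path, root):
    r"""True when path equals root or lies inside it. The comparison is by
    path component and case-insensitive, so D:\Data\Fin does not "contain"
    D:\Data\Finance the way a plain string-prefix test would claim."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents


def govern_resource(host_type, managed_paths, resource_path):
    """Return (path_added, new_managed_paths) for placing resource_path under
    governance on a host of host_type ('remote', 'sharepoint' or 'local').
    The caller's managed_paths list is never modified in place."""
    paths = list(managed_paths)
    if any(is_under(resource_path, mp) for mp in paths):
        # Already a managed path, or a folder/share beneath one: nothing to add.
        return False, paths
    if host_type in ("remote", "sharepoint"):
        # Remote and SharePoint hosts: the path is added to the managed paths list.
        return True, paths + [resource_path]
    if host_type == "local":
        if not paths:
            # Empty list means the entire server is scanned; leave it that way.
            return False, paths
        return True, paths + [resource_path]
    raise ValueError(f"unknown host type {host_type!r}")


if __name__ == "__main__":
    print(govern_resource("remote", [r"\\fs01\Finance"], r"\\fs01\HR"))
    print(govern_resource("local", [], r"D:\Data\Finance"))
```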

Note: On a per-host basis, ensure that you complete all tasks (such as adding managed paths and placing resources under governance) in the same manner — either at the share level or at the folder level.

NOTE: For a DFS link, target share path, or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server to which the DFS link points must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.

To place a resource under governance

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. Double-click through the resources to locate the required resource (folder or share).
  4. Select the required resource (folder or share) and select Place resource under governance from the Tasks view or right-click menu.
  5. In the Place resource under governance dialog, confirm the display name and click Govern Resources.

    When placing a share under governance, you can use the backing folder security or share permissions for self-service resource access requests in the web portal. The Use backing folder security for self-service option is selected by default and uses the backing folder security for the share. Clear this option to use the share permissions for the share.

    When placing a DFS link under governance, select the type of security to be used:

    • Use Folder Security: This option is selected by default and uses the backing folder security for self-service resource access requests to this governed resource. The backing folder should be accessible to the Data Governance service and the Data Governance agent service.
    • Use Share Security: Select this option to use the share permissions for self-service resource access requests to this governed resource.
    • Use DFS Security: Select this option to use the DFS access-based enumeration security for self-service resource access requests to this governed resource.

Back in the Resource browser, "True" now appears in the Governed Resource column. The governed resource is also added to the Governed data view.
