Classification Module 6.1.1 - User Guide


Working with Classification Taxonomies

In Identity Manager, each category is assigned a risk. A classification taxonomy maps those risks to the classifications in your system. The default classification taxonomy has the following risk settings:

Classification Category    Risk Setting
Public                     0 - .25
Internal                   .25 - .50
Private                    .50 - .75
Secret                     .75 - 1.0

If a category risk falls on the border between classifications, the resource is classified at the higher level - for example Internal, not Public. You cannot delete or rename these classifications.

NOTE! If you have implemented the Titus Commercial taxonomy, the categories in the taxonomy are automatically mapped to these classifications. For more information, see Titus Commercial Taxonomy. Categories in other taxonomies must be assigned a category risk in order for classification to occur.

NOTE! The classification and resource risk index calculations consider the risk on inherited categories. Consider a taxonomy with the following categories:

Taxonomy A
  Category 1 has a risk of .9
    Category 2 has a risk of 0

If you apply Category 2 to a resource, the Classification risk on the resource will be Secret and the resource risk will take the .9 into account when it is calculated. This happens because Category 1 is indirectly applied to the resource.
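
The border rule and the inherited-risk behaviour described above can be modelled in a few lines of PowerShell. This is an added illustration, not product code: the function names are hypothetical, Category 2 is assumed to sit under Category 1, and taking the highest risk across applied and inherited categories is an assumption drawn from the example in the note.

```powershell
# Illustrative model only; not the product's implementation.
# Default classifications from the table above. Lower bounds are inclusive,
# so a risk that falls on a border lands in the higher classification.
$Classifications = @(
    [pscustomobject]@{ Name = 'Secret';   Lower = 0.75 }
    [pscustomobject]@{ Name = 'Private';  Lower = 0.50 }
    [pscustomobject]@{ Name = 'Internal'; Lower = 0.25 }
    [pscustomobject]@{ Name = 'Public';   Lower = 0.00 }
)

# Constructed sample taxonomy: Category 2 is assumed to be a child of Category 1.
$TaxonomyA = @{
    'Category 1' = [pscustomobject]@{ Risk = 0.9; Parent = $null }
    'Category 2' = [pscustomobject]@{ Risk = 0.0; Parent = 'Category 1' }
}

function Get-EffectiveRisk {
    # Assumption: the highest risk among applied and inherited categories wins.
    param([string[]]$Applied, [hashtable]$Taxonomy)
    $max = 0.0
    foreach ($name in $Applied) {
        $seen = @{}
        $current = $name
        # Walk up the parent chain so indirectly applied categories count;
        # $seen stops the walk if the sample data ever contains a cycle.
        while ($current -and -not $seen[$current]) {
            $seen[$current] = $true
            $cat = $Taxonomy[$current]
            if (-not $cat) { throw "Unknown category '$current'" }
            if ($cat.Risk -gt $max) { $max = $cat.Risk }
            $current = $cat.Parent
        }
    }
    return $max
}

function Get-ClassificationName {
    param([double]$Risk)
    if ($Risk -lt 0 -or $Risk -gt 1) { throw 'Risk must be between 0 and 1' }
    # Entries are ordered high to low; the first lower bound reached wins.
    ($Classifications | Where-Object { $Risk -ge $_.Lower } | Select-Object -First 1).Name
}

# Applying only the zero-risk child still pulls in the parent's .9 risk.
Get-ClassificationName (Get-EffectiveRisk -Applied 'Category 2' -Taxonomy $TaxonomyA)
# A risk exactly on the Public/Internal border.
Get-ClassificationName 0.25
```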

You can manipulate the relationship between category risk and classification, or create your own classifications. Each classification has the following properties:

Property                     Description
Name                         Identifies the classification.
Classification Risk          The risk associated with this classification. If a resource is classified, this risk will impact the overall risk assigned to the resource.
Taxonomy                     A logical grouping of classifications, useful when you have a large number of classifications. You can use this to sort and filter classifications.
Classification definition    Sets the range of category risks that trigger this classification. For information on category risk, see Creating a Category.

To modify an existing classification

  1. Select Governed Data | Taxonomy Manager.
  2. If necessary, select Classifications.
  3. Click the classification you want to modify.
  4. Click Master Data.
  5. Make any changes, and click Save Changes.

To create a new classification

  1. Select Governed Data | Taxonomy Manager.
  2. If necessary, select Classifications.
  3. Click New Classification.
  4. Provide a name, classification risk index, and if desired, a taxonomy.
  5. Click Save.
    Your classification is saved, but will not result in classifications until you create an associated classification rule.
  6. Click Master Data.
  7. Click New classification rule.
  8. Set the range for the category risk that will cause this classification to occur.
  9. Click Save.

To delete a classification

  1. Select Governed Data | Taxonomy Manager.
  2. If necessary, select Classifications.
  3. Select the desired classification and click Master Data.
  4. Click Delete.

Viewing Classified Resources

You can view the resources in each of the classifications in your system. Classification is an indication of the risk of the content in a resource. If you are a business owner, and want to see how your owned resources are classified, the information is contained in the hyperview on the Overview tab for the resource. Classification analysts and business owners can use the Classified Resources view: classification analysts can get an overview of classification across the deployment, and business owners can view their owned and classified resources.

To view classified resources

  1. Select Governed Data | View Resources | Classifications.
  2. Click a classification.
  3. Click Resources.
  4. Select the host for the resources.

When Do Categorization and Classification Occur?

Automatic categorization follows this process:

  1. The text is extracted from the resource.
  2. All rules are run against the resource, and the matches are noted.
  3. The matches are compared to the available automated categories in the system, which results in a list of potential categorizations.
  4. Based on the category settings, categorization may occur.
  5. Based on the category risk, classification of governed resources may occur.
NOTE! Only resources on scanned hosts with classification turned on are eligible for categorization. For more information, see Enable and Disable Automatic Classification on Specific Managed Hosts.

You should work with your Data Governance administrator to ensure you understand when classification occurs, particularly as you implement changes in the production environment. There are a number of factors that influence the timing of classification:

  • For each host (for example, remote server, SharePoint farm) on which you are categorizing resources, a scan schedule can be set. Categorizations on new resources, and changes to categorizations based on changes to the taxonomies in your environment occur based on this schedule.
  • The time a scan takes is a function of both the amount of data on the host, and various deployment variables. For more information, see Classification Overview.
  • Some types of hosts watch for changes to content. When resources are added to the monitored data roots on the host or existing resources are changed, all rules are run against the resource and any resulting changes will be immediately reflected.
    NOTE! For information on configuration options for local, remote, and SharePoint managed hosts, see the Quest One Identity Manager Data Governance Edition User Guide.

When is a security root initially categorized?

  • Local NTFS: Resources are categorized when a new security index root is added and enabled for classification. Note: Enabling classification on a previously configured root does not trigger classification for the files in the root.
  • Remote managed host (NetApp, EMC, and Windows): Resources are categorized on the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled.
  • SharePoint: Resources are categorized on the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled.

When are newly added/modified files categorized?

  • Local NTFS: When creation/modification is detected by live change watching or when an agent is restarted.
  • Remote managed host (NetApp, EMC, and Windows): When creation/modification is detected by live change watching, or on the next scheduled scan, or on an agent restart if the “Immediately scan on agent restart” option is enabled.
  • SharePoint: On the next scheduled scan or on an agent restart if the “Immediately scan on agent restart” option is enabled.

When does a file re-classification occur?

For all types of hosts:

  • Resources are re-classified if the file has been changed.
  • Resources are re-classified when the Request-QClassification cmdlet is run on the managed host where the file is located. This cmdlet re-classifies all files, which is useful if you have updated your rules and all files need to be reclassified.

What happens when an agent is restarted?

  • Local NTFS: All security roots are re-scanned and files that were not classified are sent for classification.
  • Remote managed host (NetApp, EMC, and Windows) and SharePoint: If the “Immediately scan on agent restart” option is enabled, all security roots are re-scanned and files that were not classified are sent for classification.

Importing and Exporting Taxonomies

Importing and exporting taxonomies allow you to move taxonomies between environments. For example, if you maintain a development environment, when you are ready to deploy an update, you can export from your development environment and import to your production environment. Or if a consultant provides you with a taxonomy, you would use import to bring it into your system.

Taxonomies consist of categories, which are associated with rules, which in turn may refer to extractors. By default, rules are included in an export and extractors are not, but you can control what is exported. Remember that rules and extractors can be shared across multiple taxonomies, so you should not change them in isolation without understanding where else your changes may have an effect. For more information, see How Rules Affect Categorization. You may need to export more than one taxonomy in order to fully test any changes.

The result of an export is an XML file that contains all of the information and settings for a taxonomy. You can make changes directly in the XML file, or you can use the tools provided in the system. For information on the XML structure in a template file, see Working with a Taxonomy XML File.

Importing is a powerful tool and should be used carefully, as it can immediately have a significant impact on categorization. When you import a taxonomy into an environment where an older version of the same taxonomy exists, the changes are merged as follows:

  • New categories are added to the taxonomy
  • Changes to the settings on existing categories are applied
  • New rules and extractors are added
  • Changes to existing rules and extractors are applied
  • No categories are removed, even if they have been removed in the imported taxonomy. Removing categories should be done with care. For more information, see Managing the Life Cycle of Taxonomies and Categories

When you import a taxonomy into your production environment, you should closely control your published settings. Any category that is published is immediately available for business owners to use in manual categorization. Any category that is available for automation can be applied by any scan following the import, or to any resource whose content is being monitored for changes. When you import a taxonomy into your development environment, you may prefer to have all categories published to aid in testing. You can choose what publish settings you want on import. You must know the location of the XML file that contains the template.

To export a taxonomy

  1. Determine the ID of the taxonomy you want to export.
    See Finding a Taxonomy or Category ID using PowerShell for details.
  2. Run the Export-QTaxonomy cmdlet with the following mandatory parameters:
    1. ServerAddress
      Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.
    2. TaxonomyId
  3. If desired, you can set the following optional parameters:
    1. IncludeRules
      Set this to $false if you do not want to export the rules. The default is $true.
    2. IncludeEntityExtractors
      Set this to $true if you want to export extractors. The default is $false.
    3. OutputFile
      Provide the path to a file to store the template XML. This allows you to edit it and then re-import it.
      The taxonomy will be output to the screen if you skip this step.

To import a taxonomy

  1. Run the Import-QTaxonomy cmdlet with the following mandatory parameters:
    1. ServerAddress
      Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.
    2. TemplateXmlFile
      Provide the full path and name of the file containing the template.
  2. If desired, you can set the following optional parameters:
    1. AllowMergeTaxonomy
      Unless this is set to $true, if this taxonomy exists in your system already, your taxonomy will not import. This allows you to confirm your intention to merge the changes with your existing taxonomy. The default value is $false.
    2. ForcePublishAllCategories
      If you set this to $true, all categories are published at import, regardless of their current settings. The default setting of $false respects the publish settings of the imported taxonomy.
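
The export and import procedures above, combined into a controlled development-to-production move. This is an added example, not code from the product documentation: it assumes the classification cmdlets are already loaded in the session, and the wrapper function names, server names, taxonomy ID and file path are hypothetical placeholders.

```powershell
# Added example. Uses only the Export-QTaxonomy / Import-QTaxonomy parameters
# listed above; everything else is standard PowerShell and .NET.

function Test-TemplateXml {
    # Well-formedness check with DTDs rejected, so a template received from
    # outside cannot reference external entities while it is being inspected.
    param([string]$Path)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $reader = $null
    try {
        $reader = [System.Xml.XmlReader]::Create((Resolve-Path $Path).Path, $settings)
        while ($reader.Read()) { }
        return $true
    } catch {
        Write-Warning "Template rejected: $($_.Exception.Message)"
        return $false
    } finally {
        if ($reader) { $reader.Dispose() }
    }
}

function Export-TaxonomyForReview {
    param([string]$ServerAddress, $TaxonomyId, [string]$OutputFile)
    # Rules are exported by default; extractors are requested explicitly so the
    # reviewer sees everything the taxonomy depends on.
    Export-QTaxonomy -ServerAddress $ServerAddress -TaxonomyId $TaxonomyId `
        -IncludeRules:$true -IncludeEntityExtractors:$true -OutputFile $OutputFile | Out-Null
    if (-not (Test-TemplateXml $OutputFile)) { throw 'Export is not well-formed XML' }
    # Hash to record alongside the review or change ticket.
    (Get-FileHash -Path $OutputFile -Algorithm SHA256).Hash
}

function Import-ReviewedTaxonomy {
    param([string]$ServerAddress, [string]$TemplateXmlFile, [string]$ApprovedHash)
    if (-not (Test-TemplateXml $TemplateXmlFile)) { throw 'Template is not well-formed XML' }
    $actual = (Get-FileHash -Path $TemplateXmlFile -Algorithm SHA256).Hash
    if ($actual -ne $ApprovedHash) { throw "Template changed since review ($actual)" }
    # The merge is confirmed explicitly; publish settings from the file are kept,
    # so no category becomes available to business owners unintentionally.
    Import-QTaxonomy -ServerAddress $ServerAddress -TemplateXmlFile $TemplateXmlFile `
        -AllowMergeTaxonomy:$true -ForcePublishAllCategories:$false
}

$hash = Export-TaxonomyForReview 'dg-dev.example.test:8723' '<taxonomy-id>' 'C:\Taxonomies\export.xml'
Import-ReviewedTaxonomy 'dg-prod.example.test:8723' 'C:\Taxonomies\export.xml' $hash
```

In practice the hash is recorded when the template is reviewed and passed to the import step later, so any edit made to the XML file in between stops the import.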