
6.1. Data Governance Edition - Classification Module. User Guide


Academic year: 2021


only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: [email protected]

Refer to our Web site (www.quest.com) for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, and Simplicity at Work are trademarks of Quest Software and its subsidiaries. See http://www.quest.com/legal/trademarks.aspx for a complete list of Quest Software’s trademarks. Other trademarks are property of their respective owners.

Quest One Identity Manager Data Governance Edition - Classification Module - User Guide

Updated - December 2013

Software Version - 6.1.2

Third Party Contributions

Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.

| COMPONENT | LICENSE OR ACKNOWLEDGEMENT |
| --- | --- |
| .Less 1.3.1 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses. Apache 2.0 License. |
| Apache Commons 2.4 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses. Apache 2.0 License. |
| Apache Tomcat 7.0 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses. Apache 2.0 License. |
| asm 3 | Copyright (c) 2000-2011 INRIA, France Telecom All rights reserved. Project License - INRIA, France Telecom. |
| Boost 1.34.1 | Boost Software License - Version 1.0 - August 17th, 2003. Boost 1.0 License. |
| cherrypy 3.1.1 | Copyright (c) 2002-2008, CherryPy Team ([email protected]) All rights reserved. BSD 4.4 License |
| commons-httpclient 4 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses. Apache 2.0 License. |
| CyberNeko 1.9 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses. Apache 2.0 License. |
| Dojo Toolkit 1.8.3 | Copyright. All Rights Reserved. BSD Simple License. |
| dom4j 1.6.1 | Copyright 2001-2005 (c) MetaStuff, Ltd. All Rights Reserved. This product includes software developed by dom4j (http://www.dom4j.org/). Dom4J 1.6.1 License. |
| Erlang 16 | ERLANG PUBLIC LICENSE Version 1.1. Erlang Public License 1.1 |
| Google Open Sans 1.0 | Copyright (c) January 2004 (http://www.apache.org/licenses). Apache 2.0 License. |
| Java SE 6 | javase-6 Nov 30, 2011 |
| Java Mozilla HTML Parser 0 | Mozilla Public License (MPL) 1.1 |
| JCIFS 1.3.14 | Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. GNU Lesser General Public License 2.1 |
| jcrop 0.9.9 | Copyright (c). MIT License. |
| jinja2 2.6 | Copyright 2009 Jinja Team Some rights reserved. |
| jTDS SQL Server Driver 1.2 | Copyright (c) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. GNU LGPL Version 3, 29 June 2007 |
| JQuery 1.7.1 | Copyright (c). MIT License. |
| Log4Net 1.2.11 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses/. Apache 2.0 License. |
| Mono.Security 2.0.3600.1 | Copyright (c). MIT License. |
| Novell.Directory.LDAP 2.1.9.0 | Copyright (c). MIT License. |
| Newtonsoft.Json.dll 5.0.6 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| Ontopia 5 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses/. Apache 2.0 License. |
| Open SSL 0.9.8b | This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). |
| pyodbc 2.1.3 | Copyright (c). MIT License |
| Python 2.5.4 | Copyright 2001-2006 Python Software Foundation All rights reserved. Copyright 1995-2001 Corporation for National Research Initiatives. All rights reserved. Copyright 1991-1995 Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved. |
| PJL Compressing Filter 1 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses/. Apache 2.0 License. |
| SharpZipLib 0.85.4.369 | SharpZipLib License |
| SQLAlchemy 0.5.0 | Copyright (c). MIT License |
| spin.js 1.2.2 | Copyright (c). MIT License. |
| Task Scheduler Managed Wrapper 1.9.4 | Copyright (c). MIT License |
| tika-app 1 | Apache License Version 2.0, January 2004 http://www.apache.org/licenses/. Apache 2.0 License. |
| UUID 3 | Copyright (c). MIT License. |
| Windows Installer XML toolset (aka WIX) 3.6.3303.0 | Microsoft Reciprocal License (MS-RL) License |
| Xalan Java 2.7.1 | The Apache Software License, Version 1.1. Copyright (c) 2000 The Apache Software Foundation. All rights reserved. Apache 1.1 License. |
| ZLib.NET 1.0.3 | Copyright (c) 2006, ComponentAce (http://www.componentace.com). All rights reserved. |


Introduction
About this Guide
System Requirements
Minimum Required Permissions
Required Ports
Performance Calculations
Adjusting CPU Throttling Levels
Deploying Classification in Identity Manager
Classification Overview
Required Components
Component Workflow
Workflow Details
Activating Classification
Install the Classification Components
Enable Classification in the Designer
Identify the Classification Service Account
Deploy the Classification Server
Deploy Classification Workers
Enable and Disable Automatic Classification on Specific Managed Hosts
Classification Application Roles
Troubleshooting the Classification Deployment
Configuring Classification: Taxonomies, Categories, and Rules
An Overview of Classification Configuration
Steps Required to Implement Classification
Creating Taxonomies
Working with Taxonomies
Working with Categories
Implementing Rules for Automated Categorization
How Rules Affect Categorization
Managing Rules in the Classification System
Working with Text Extractors
Testing and Reviewing Automated Classification
Making a Category Available to the Classification System
Classifying Resources
Working with Classification Taxonomies
Viewing Classified Resources
Taxonomy Deployment Considerations
Deploying a Taxonomy
Modifying a Production Taxonomy
Working with Categorized Resources
Working with the Categorization of Your Resources
What Categories Can You Apply?
Working with Manually Categorized Resources
Working with Automatically Categorized Resources
Categorization Statistics and Views
Appendix A: PowerShell Commands
Adding the PowerShell Snap-ins
Finding a Taxonomy, Category, or Extractor ID Using PowerShell
Deploying the Classification Server and the Classification Worker
Re-classifying Data
Troubleshooting Deployment
Managing Taxonomies
Taxonomy Management
Category Management
Rules Management
Text Extractor Management
Classification Analysis
Appendix B: Oracle Configuration
Using an Oracle Database for Classification
Appendix C: Classifying Data with Data Governance Templates
Available Templates
Working with the Sample Taxonomy Templates
Sample Advanced Text Extractors Details
Appendix D: Creating a Taxonomy to Classify Data
Creating a Custom Taxonomy for Automatic Classification
About Quest Software
About Quest Software
Contacting Quest Software, Inc.


1

Introduction

• About this Guide

• System Requirements


About this Guide

This document has been prepared to assist you in becoming familiar with Quest One Identity Manager Data Governance Edition — Classification Module.

This document is for network administrators, consultants, analysts, IT professionals responsible for deploying Data Governance in their organization, and Web Portal users. It provides typical use cases and step-by-step instructions to help you understand how to use Data Governance to secure the unstructured data in your organization.

This guide is supplemented with the Data Governance Edition Deployment Guide, User Guide, and Quick Start Guide, which provide more detailed information about the Data Governance features, and include instructions to help administrators perform day-to-day administrative activities.

System Requirements

Review the following section to ensure that your system meets the following minimum requirements for the Classification Module.

Database Server Requirements

• Microsoft SQL Server Standard Edition 2008 Service Pack 3

• Microsoft SQL Server Standard Edition 2008 R2 Service Pack 1

• Microsoft SQL Server 2012 Standard Edition, Service Pack 1 (Compatibility level for databases: SQL Server 2008 (100))

• Oracle database 11g r2 Enterprise Edition version 11.2 (patch level will vary with operating system platform)

• Microsoft Windows Operating Systems: Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2 (32 bit or non-Itanium 64 bit), Windows Server 2012, Windows Server 2012 R2

• 32 GB RAM minimum (128 GB minimum if classification is enabled)

• In addition to Q1IM Database Server requirements, an additional 30GB per million resources

Classification Server Requirements

• Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

• 500 MB of space required for installation, 200 MB space for logs, plus an additional 2 GB per 1 million resources for data processing

• 8 GB RAM

• Quad core CPU

• .NET 3.5 or .NET 4.0

Worker Server Requirements

• 8 GB RAM

• Quad Core CPU

• .NET 3.5 or .NET 4.0

Classification Agent Host Requirements

• Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

• 4GB RAM (if hosting multiple agents, 16GB RAM)

• 100 MB free disk space for every million resources scanned

• 2 GHz or faster x86 or x64 bit processor (if hosting multiple agents, quad core CPU)

• .NET 3.5 or .NET 4.0

• Classification enabled local agents are not supported on Windows Server 2003 or Windows Server 2003 R2 operating systems.

• Agent hosts installed on Windows Server 2003 or Windows Server 2003 R2 operating systems are not supported if they are scanning a classification-enabled managed host.

Minimum Required Permissions

The following table lists the required minimum permissions:

Permissions

ACCOUNT: Classification Identity

PERMISSIONS: All classification services run under this account.

- Local Administrator on the Classification Server and Classification Workers

- Local Administrator on any agent host

- Log On as Service on the Classification Server and Classification Workers

- Member of Quest QCS Users local group on the Classification Server and Classification Workers. Note: The group is created and the user is placed in this group automatically during installation. (You should ensure that an existing policy does not change this group.)

When Windows Authentication is selected for database connection during the Classification Server installation:

- db_owner for ContentService and TopicService databases

- dbcreator role for the installation (this role is needed even if databases are pre-created)

ACCOUNT: SQL account for database connection for Classification server

PERMISSIONS: When SQL Authentication is selected for database connection during the Classification Server installation:

Required Ports

Data Governance Server and Agent

| PORT | DIRECTION | DESCRIPTION |
| --- | --- | --- |
| 8721 | Incoming | HTTP protocol. Communication with Data Governance agents. |
| 8722 | Incoming | TCP protocol. Communication with PowerShell and Quest One Identity Manager clients and web server. |
| 8723 | Incoming | HTTP protocol and REST services. Communication with PowerShell and Quest One Identity Manager clients and web server. |
| 18530 - 18630 | Incoming | TCP protocol. Communication with Data Governance agents. (Each agent on the same server uses a dynamic port within the range.) |
| 18529 | Incoming | HTTP protocol. Agents only. Communication with the Classification Server for processing classification content. |

Classification Server

| PORT | DIRECTION | DESCRIPTION |
| --- | --- | --- |
| 8725 | Incoming | Apache. HTTPS protocol, REST services. Classification services that supply classification functionality to all Data Governance required components. |
| 8726 | Incoming | Message Queue |
| 8727 | Incoming | Message Queue Management |
| 8728 | Incoming | Tomcat |

Classification Worker

| PORT | DIRECTION | DESCRIPTION |
| --- | --- | --- |
| 8730 | Incoming | Worker WCF Host. HTTPS protocol, REST services. Communication with Worker services. |
| 8729 | Incoming | RuleEngine WCF Host |
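The port tables above can be turned into a per-host listener audit. The following is an added example, not part of the Quest guide: the port numbers come from the tables, while the role names, variable names and function name are illustrative. It assumes PowerShell 3.0 or later; Get-NetTCPConnection needs Windows Server 2012 or later, so on older hosts pass the listening ports in through -ListeningPorts.

```powershell
# Expected incoming ports per role, taken from the Required Ports tables.
$DgeRolePorts = @{
    DataGovernanceServerAndAgent = @(8721, 8722, 8723, 18529) + (18530..18630)
    ClassificationServer         = 8725..8728
    ClassificationWorker         = @(8729, 8730)
}

# Each agent takes one dynamic port from this range, so a port in the range
# that is not listening is normal and is not reported as missing.
$DgeDynamicPorts = 18530..18630

function Test-DgeListeningPorts {
    param(
        # Roles this host is supposed to run.
        [Parameter(Mandatory = $true)]
        [ValidateSet('DataGovernanceServerAndAgent', 'ClassificationServer', 'ClassificationWorker')]
        [string[]]$Role,

        # TCP ports in the Listen state; defaults to the local host.
        [int[]]$ListeningPorts = (Get-NetTCPConnection -State Listen |
            Select-Object -ExpandProperty LocalPort -Unique)
    )

    $expected = $Role | ForEach-Object { $DgeRolePorts[$_] } | Sort-Object -Unique
    $allKnown = $DgeRolePorts.Values | ForEach-Object { $_ } | Sort-Object -Unique

    # Fixed ports the role needs that nothing is listening on.
    $missing = @($expected | Where-Object {
        $_ -notin $DgeDynamicPorts -and $_ -notin $ListeningPorts
    })

    # Product ports that are open although this host does not hold that role,
    # for example a Worker port on a host that should only be a Classification Server.
    $unexpected = @($ListeningPorts | Where-Object {
        $_ -in $allKnown -and $_ -notin $expected
    } | Sort-Object -Unique)

    [pscustomobject]@{
        Role                = $Role -join ','
        MissingListeners    = $missing
        UnexpectedListeners = $unexpected
        Compliant           = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
    }
}

# Constructed sample: a Classification Server where Tomcat (8728) is down and a
# Worker port (8730) is unexpectedly open. 445 and 3389 are outside the product's
# ports and are ignored.
Test-DgeListeningPorts -Role ClassificationServer -ListeningPorts 445, 3389, 8725, 8726, 8727, 8730
```

The same expected-port list is a reasonable starting point for host firewall rules that allow only the ports a host's role requires.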


Performance Calculations

The following performance counters can help you to understand how Classification is affecting your system’s performance.

Content Provider

| COUNTER | DESCRIPTION |
| --- | --- |
| # assets / sec | Number of resource callback requests to the Data Governance agent for content per second. |
| KB of binary content in / sec | Rate of binary content flowing into the agent for processing into plain text. |
| KB of binary content out / sec | Rate of plain text content flowing out of the agent to the rules engine. |

File Handler

| COUNTER | DESCRIPTION |
| --- | --- |
| # assets / sec | Rate at which files are queued in the classification system to be processed by the rules engine. |

Rule Engine

| COUNTER | DESCRIPTION |
| --- | --- |
| # assets / sec | Number of resources being processed by the rule engine. |
| # matches | Total number of rules that matched. Note: This does not mean that a resource was classified. |
| entity extractor bytes / second | Rate at which the plain text extracted from the resource is being processed. |
| KB plain text process / sec | Rate at which plain text content is examined for rule matches. |
| rules processed / sec | Rate at which rules are run against plain text content. |

Rule Engine Extractors

| COUNTER | DESCRIPTION |
| --- | --- |
| Average processing time | Average time it takes for one text extractor to process one resource. |

Rule Engine Rules

| COUNTER | DESCRIPTION |
| --- | --- |
| Average processing time | |

Adjusting CPU Throttling Levels

Extracting text for the purpose of categorization and classification may cause strain on the agent computer’s CPU. To ensure the classification process does not disrupt any other services running on your computer, you can enable CPU throttling. The optimal value depends upon the other services that are running on the agent computer and how much CPU capacity you want dedicated to the classification process.

If the value is set to, for example, 75, the classification agent (the Quest.Titan.Classification.Service process) will not respond to requests from the classification server if the process uses more than 75% of CPU. Setting this value too low will limit the classification process.

To set the throttling value

1. On the agent computer create the "contentRequester" registry key in [HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\Broadway\Agent\Services\].

2. Create "cpuUsageThreshold" DWORD value.

3. Set the desired throttling value (for example, 75).

4. Restart the Data Governance service.
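The four steps above can be scripted so the change is repeatable and reviewable across agent hosts. This is an added example, not part of the Quest guide: the registry path and value name are the ones given in the steps, while the function name and the -ServiceName parameter are illustrative, and the service name must be supplied by the caller because the guide does not state it. It assumes PowerShell 3.0 or later run from an elevated session.

```powershell
function Set-ClassificationCpuThreshold {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # CPU percentage above which the classification agent stops answering requests.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 100)]
        [int]$Percent,

        # Placeholder: name of the Data Governance service on this host.
        # Omit it to skip the restart and restart the service manually.
        [string]$ServiceName
    )

    $servicesKey  = 'HKLM:\SOFTWARE\Quest Software\Broadway\Agent\Services'
    $requesterKey = Join-Path -Path $servicesKey -ChildPath 'contentRequester'

    # Do not build the parent hierarchy: if it is absent, this is not an agent host.
    if (-not (Test-Path -Path $servicesKey)) {
        throw "Agent registry key not found: $servicesKey"
    }

    # Step 1: create the contentRequester key if it does not exist yet.
    if (-not (Test-Path -Path $requesterKey) -and
        $PSCmdlet.ShouldProcess($requesterKey, 'Create registry key')) {
        New-Item -Path $requesterKey | Out-Null
    }

    # Keep the previous value so the change can be reviewed or rolled back.
    $previous = (Get-ItemProperty -Path $requesterKey -Name 'cpuUsageThreshold' `
        -ErrorAction SilentlyContinue).cpuUsageThreshold

    # Steps 2 and 3: create or overwrite the DWORD value.
    if ($PSCmdlet.ShouldProcess("$requesterKey\cpuUsageThreshold", "Set DWORD to $Percent")) {
        New-ItemProperty -Path $requesterKey -Name 'cpuUsageThreshold' `
            -PropertyType DWord -Value $Percent -Force | Out-Null
    }

    # Step 4: restart the service so the agent picks up the new threshold.
    $restarted = $false
    if ($ServiceName -and $PSCmdlet.ShouldProcess($ServiceName, 'Restart service')) {
        Restart-Service -Name $ServiceName -ErrorAction Stop
        $restarted = $true
    }

    # Read the value back instead of assuming the write succeeded.
    $current = (Get-ItemProperty -Path $requesterKey -Name 'cpuUsageThreshold' `
        -ErrorAction SilentlyContinue).cpuUsageThreshold

    [pscustomobject]@{
        Key              = $requesterKey
        PreviousValue    = $previous
        CurrentValue     = $current
        ServiceRestarted = $restarted
    }
}

# Preview the change without writing anything:
# Set-ClassificationCpuThreshold -Percent 75 -WhatIf
```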


Classification Overview

Classification helps you and the security professionals in your organization understand the contents of your unstructured data, thereby ensuring that sensitive NTFS and SharePoint assets are properly secured.

More specifically, Quest One Identity Manager Data Governance Edition provides:

• The ability to categorize and classify data from Windows computers, Windows clusters, NetApp® Attached Storage Devices, and SharePoint. Numerous file types can be scanned to provide information on the data in your organization, its content, and the categorization and classification that should be applied based on the automated system.

• Automatic and manual classification: Automatic classification evaluates your documents against a set of rules to automatically apply categories and ultimately classify your data. Manual categorization enables the appropriate business owner to control how the data is categorized and ultimately classified.

• Data security intelligence and control: Control data access through the automatic governance of data and policies based on classification. Classification also provides details and trends through statistics that identify the cost of data exposures. For example, you can see files located in a public folder that have been classified or categorized as Secret.

• Business data accountability: Assign data ownership based on classification policies and enable attestations and manual categorization by the business owner to ensure the classifications are valid.

• Classification enforcement: Specify ‘unbreakable’ rules that must be enforced and cannot be overridden.

• The ability to import Titus classification policies into the system.

• Classification auditing.

By understanding the contents of a document using categorization, organizations can better secure their NTFS and SharePoint assets. Through both the Manager and the Web Portal, Identity Manager enables this by:

• Using an automated categorization engine to process documents and tag them according to defined rules

• Allowing the extension and customization of the automated categorization system

• Having the owner of the asset attest to its proper categorization, providing accountability

• Allowing users to override the system to improve the accuracy of the categorization

• Creating policies that define access to resources with a particular category

• Identifying violations to these policies, and providing a workflow to resolve them

Identity Manager includes templates to help you to test and understand the classification process. The templates include sample taxonomies, categories, extractors, and rules that can be used for automatic classification.

• Data Governance Sample taxonomy

• Data Governance Payment Card Industry (PCI) taxonomy

• Titus Commercial taxonomy

Proper deployment of your classification system requires the coordination of the administrator responsible for managing the data that is scanned, the classification analyst responsible for managing the taxonomies in the system, the business owners responsible for verifying and managing the categorization of resources, and the security or compliance officer responsible for oversight.

For details on managing your taxonomies and working with classified data, see Configuring Classification: Taxonomies, Categories, and Rules on page 25 and Working with Categorized Resources on page 87.

Required Components

Categorizing and classifying data through Identity Manager Data Governance Edition requires the installation and configuration of the following components:

• Classification Server includes the services that manage the classification engine repository, the gateway service, and the content service. When a Data Governance agent scans a managed host and recognizes a new resource to be classified, it pushes the data to the Classification server, which queues requests to process data by the Worker Service.

• Classification Worker includes the rules engine and the file and SharePoint handlers. By default one of each is installed, but this can be configured and installed on any number of computers to manage scalability.

The rules engine processes data and looks for matches to the predefined rules. Based on the matches, the Worker service determines whether categories are applied to the resource or not.

• Secure Communication

For classification to be applied, Data Governance agents must be able to communicate securely to the Classification Server and Classification Worker. This is accomplished through installing the Classification Server and Classification Worker with an account with the required credentials. For details, see Identify the Classification Service Account on page 15.

• Synchronization with the Identity Manager database

When data is classified or assigned a category that has been deemed to cause governance, then the resource is updated and stored in the Identity Manager database.

Component Workflow

Agents discover resources during normal security scanning and notify the Classification Server. The Classification Server adds references to these resources to a queue where at some point a Classification Worker retrieves it for processing. The Classification Worker then retrieves the resource content from the agent and processes it to find any appropriate categorizations.


Workflow Details

The following diagram details the process:

1. During a security scan an agent identifies a file to be classified and notifies the Classification Service.

2. The Classification Service on the agent host computer forwards the request for classification to the Classification Server.

3. The Classification Server posts the resource to be classified onto a queue for processing.

4. One of the Classification Workers retrieves the resource to be classified from the queue and begins the classification process.

5. A request for the resource content is dispatched to the Classification Service on the agent host for the agent responsible for this resource.

6. The Classification Service proxies this request to the proper agent scanning the target host.

7. The agent retrieves the content and streams it back to the Classification Service.

8. The Classification Service returns the content to the Classification Worker for processing.

9. All standard Classification/Categorization processing occurs and the results are written to the Classification Database and the Data Governance Server is notified.

Activating Classification

The following processes are required for a fully functional Classification module deployment:

• Install the Classification package on the Data Governance server.

• Enable the Classification component in the Designer and recompile the database.

• Identify the Service Account that will be used for securing the classification services.

• Deploy a Classification server.

• Deploy Classification worker.

• Enable Classification on the required managed hosts.

• Configure Security Index roots where classification should be enabled.

• Ensure that you have applied the correct application roles for classification analysts, business owners, compliance officers, and Data Governance administrators.

Install the Classification Components

The Classification package obtained through the download contains all the files required to add the Classification functionality to your Quest One Identity Manager Data Governance Edition deployment.

To install Classification extension

• Run the DataGovernance_ServerComponentsInstaller_x64.msi to install the files on the Data Governance server to make it ready for a Classification deployment.

Enable Classification in the Designer

The Classification component, which is located under TargetSystem\ADS\QAM, must be enabled in the Designer and the database recompiled. You can locate this option by selecting Edit configuration parameters.

To recompile database

1. Click the Database menu and choose Compile database.

2. Follow the steps of the Database Compiler.

Once you have completed this process, a Classification node will be available in the Data Governance navigation view of the Manager/Identity Manager application. From here, you can manage your Classification deployment.

Identify the Classification Service Account

Network communication between the Data Governance Edition agents and server and the Classification components is all performed using REST services over HTTPS channels. By default the HTTPS channels are secured using a self-signed certificate, but customers can provide their own certificate.

Communication is further secured using a trusted subsystem security model. Before any Classification components can be deployed, one of the Data Governance Edition service accounts must be identified as the “Classification Identity”. When the Classification components are deployed they are configured to run as this identity. All communication related to classification will be performed using this identity.
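Because the HTTPS channels described above default to a self-signed certificate, it is worth checking what an endpoint actually presents before and after installing your own certificate. This is an added example, not part of the Quest guide: port 8725 is the Classification Server HTTPS port from the Required Ports section, and the function name, parameters and host name are illustrative. It assumes PowerShell 3.0 or later.

```powershell
function Get-ClassificationTlsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        # 8725 = Classification Server (Apache, HTTPS) per the Required Ports section.
        [int]$Port = 8725,

        # Flag certificates that expire within this many days.
        [int]$WarnDays = 30
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)

        # Accept whatever certificate is presented: the purpose is to inspect it,
        # not to trust it. Trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $c, $ch, $e) $true
        }
        $tls = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        try {
            $tls.AuthenticateAsClient($ComputerName)
            $protocol = $tls.SslProtocol
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tls.RemoteCertificate
        }
        finally {
            $tls.Dispose()
        }
    }
    finally {
        $client.Close()
    }

    # Evaluate the chain against this machine's trust stores with the default policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Endpoint     = "${ComputerName}:$Port"
        Protocol     = $protocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        # A self-signed certificate names itself as its issuer.
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $trusted
        ChainStatus  = $chainStatus
        ExpiresSoon  = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
    }
}

# Hypothetical host name:
# Get-ClassificationTlsCertificate -ComputerName 'classification01.example.local'
```

Recording the thumbprint of the default certificate lets you confirm later that the endpoint really switched to the certificate you supplied.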

To identify a service account as the Classification Identity

1. In the Manager/Identity Manager select the Data Governance navigation view and select Service accounts.

2. In the Results list, double-click the required service account.

From the service account overview, you can view the domains associated with the selected service account.

3. From the Tasks view, select Change master data.

4. Select the Classification Identity check box, and click Save.

If the administrator changes the classification service account for any reason, all of the deployed services will need to be changed manually to use the new classification service account. To do this, you must go to every instance of a Classification server, Worker server, or Classification agent and ensure that they are logged on using the new service account credentials.

To update the Classification Identity account

1. Log on to the computer where the Classification Server is installed.

2. Open Services, locate the Quest QCS Apache and Quest QCS Tomcat x64 services, right-click and select Properties.

3. Select the Log On tab, select the Account and enter the password and click OK.

4. Log on to the computer where the Worker server is installed.

5. Open Services, locate the Quest QCS Worker and Quest QCS Rule Engine services, right-click and select Properties.

6. Select the Log On tab, select the Account and enter the password and click OK.

7. Log on to all managed hosts with classification enabled.

8. Open Services, locate the Quest One Identity Manager Data Governance Classification Agent Service, right-click and select Properties.
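Since the account change has to be repeated by hand on every server, worker and agent host, a read-only audit helps find services still running under the old identity. This is an added example, not part of the Quest guide: the service display names are the ones named in the steps above, while the function name, host names and account name are illustrative. It assumes PowerShell 3.0 or later and WinRM access to the remote hosts.

```powershell
# Display names of the classification services, as listed in the steps above.
$QcsServiceDisplayNames = @(
    'Quest QCS Apache',
    'Quest QCS Tomcat x64',
    'Quest QCS Worker',
    'Quest QCS Rule Engine',
    'Quest One Identity Manager Data Governance Classification Agent Service'
)

function Get-ClassificationServiceLogon {
    param(
        # Hosts to check: Classification Server, Workers and classification-enabled agent hosts.
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # The Classification Identity, in the form the service reports it (for example DOMAIN\account).
        [Parameter(Mandatory = $true)]
        [string]$ExpectedAccount
    )

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $QcsServiceDisplayNames -contains $_.DisplayName }
        }
        catch {
            # Report unreachable hosts instead of silently skipping them.
            [pscustomobject]@{
                ComputerName   = $computer
                Service        = $null
                State          = 'Unreachable'
                LogOnAs        = $null
                RunsAsExpected = $false
            }
            continue
        }

        foreach ($svc in $services) {
            [pscustomobject]@{
                ComputerName   = $computer
                Service        = $svc.DisplayName
                State          = $svc.State
                LogOnAs        = $svc.StartName
                # -ieq: account names are compared case-insensitively.
                RunsAsExpected = ($svc.StartName -ieq $ExpectedAccount)
            }
        }
    }
}

# Hypothetical host and account names; list every service not yet using the new identity:
# Get-ClassificationServiceLogon -ComputerName 'class01', 'worker01', 'fs01' -ExpectedAccount 'CONTOSO\svc-classify' |
#     Where-Object { -not $_.RunsAsExpected }
```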


Deploy the Classification Server

The Classification Server can be installed on the same computer where the Data Governance Server is installed. However, for load balancing it is recommended to install the Data Governance and Classification Server on different computers and deploy Classification Workers as required.

To deploy the Classification Server

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select Configuration.

2. Click Deploy to add the Classification server.

A check will be made to ensure that a service account has been identified as the classification service account.

3. If you are using SQL, specify the database to use by selecting it from the list of available servers, and enter the Content and Topic databases to use and click Next. Select the required authentication method and associated credentials, and click Next.

-OR-

If you are using Oracle, the available database will be listed for you. Enter the Service name, the Username and Password for the Content and Topic databases, and click Next.

The Classification server will now be deployed with the specified configuration.

The Classification server requires 500 MB of space for installation, 200 MB space for logs, plus an additional 2 GB per 1 million resources for data processing.

If you are using an Oracle database:

You need to create the required tablespaces before installing the Classification server. You must also ensure that the Classification server has the ADO client for Oracle (32bit version of ODP.Net) installed. Supported versions include ODAC 11.2 Release 3 or higher. For details, see Using an Oracle Database for Classification on page 104.

The database instance where your tablespaces for the Classification databases reside must have AL32UTF8 specified for the default character set, and the national character set must be set to UTF-8. These settings are required by the Classification server. This must be done when the instance is created, before the tablespaces are created and the Classification server is deployed.

To locate the Service name, run the following command on the Oracle DB server: lsnrctl status.

Upgrading the Classification Server

To upgrade a Classification Server

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.

From here you will see all the currently deployed Classification Server and Workers.

2. Click Upgrade.

3. Click Next to proceed.

4. If you are using SQL, specify the database to use by selecting it from the list of available servers.

-OR-

If you are using Oracle, the available server will be listed for you.

5. Enter the database credentials and click Next.

6. Click Finish.

Removing the Classification Server

To remove a Classification Server

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.

From here you will see the currently deployed Classification Server and Workers.

2. Click Remove.

3. Click Yes to confirm the removal.

Deploy Classification Workers

To add a Classification Worker

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.

From here you will see the currently deployed Classification Server and Workers.

2. Select Add Classification Worker from the Tasks view.

You can deploy one worker per computer and the computer must be in a managed domain.

Existing taxonomies are unaffected by a server upgrade.

If you have a custom Classification Server deployment (created with PowerShell and non-default parameters), you will need to use PowerShell (Deploy-QClassificationServer) to upgrade the server.


3. Select the computer where you want to add the server, and click Deploy.

4. Click Close.

Removing a Classification Worker

To remove a Classification Worker

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.

From here you will see the currently deployed Classification Server and Workers.

2. Select the required Classification Worker, and select Remove from the Tasks view.

3. Click Yes to remove the Classification Worker from the deployment.

When you remove the worker, the rules engine for classifying data will no longer be processed on this computer.

Upgrading a Classification Worker

To upgrade a Classification Worker

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select the Configuration node.

From here you will see all the currently deployed workers. If a newer version is available, you will need to perform an upgrade.

2. Select the desired Classification Workers, and right-click and select Upgrade.

3. Click Yes to confirm the upgrade.

4. Click Close once the upgrade is complete.

At least one Classification Worker must be deployed in the environment. You can add more workers, as required, to improve performance.

You can also deploy a worker with the Deploy-QClassificationWorker command.


Enable and Disable Automatic Classification on Specific Managed Hosts

Data Governance allows for both automatic and manual classification of resources.

Automatic classification refers to the process by which a resource is categorized according to defined rules. This is enabled on a per managed host basis to ensure that target computers containing potentially sensitive data are processed while maintaining a reasonable amount of network traffic.

Manual classification refers to assigning a resource to a given taxonomy and category. This is performed within the Web Portal by the business owner. Manual classification overrides automatic classification.

There may be a time lapse between when the business owner is able to manually classify data in the Web Portal and when the resources marked for automatic classification in the Manager are processed. If the business owner categorizes a resource prior to the processing, they will be able to eventually see the automatic processing results and make adjustments where required within the Web Portal. For details on managing your classified resources, see Classifying Resources on page 78.

Automatic classification can be enabled when you add a managed host to the Data Governance deployment or at a later date.

To enable automatic classification on currently deployed managed hosts

1. In the Manager/Identity Manager select the Data Governance navigation view and select Managed hosts.

2. Select the required managed host in the Managed host tab, and select Change master data in the Tasks view.

3. Select the Classification tab and check Enable automatic classification.

Enabling Categorization on Folders (Security Index Roots)

Before data can be processed and classified, the folders that contain the data must be specified. This is accomplished through the security index root configuration.

A security index root is the root of an NTFS directory tree to be scanned by an agent, or a point in your SharePoint farm hierarchy below which everything is scanned.

To enable classification on folders and their contents

1. In the Manager/Identity Manager select the Data Governance navigation view and select Managed hosts.

2. Select a managed host in the Managed host tab, and select Change master data in the Tasks view.

3. Select the Security Index Roots tab.

4. Select Configure security index roots from the Tasks view.

5. Choose the directory to be scanned and the required agent, enable Classification where required, and click OK.


Managing the File Types to be Classified

To reduce the amount of network traffic and expedite the process of classifying only the data that is of interest to you, you can easily configure the scans to focus on specific types of data.

The following data types are enabled for classification by default.

If you change the file types to be processed for classification from the web portal you must restart the agent for the changes to take effect.

If you exclude a file type for resources that were previously classified, these resources will continue to be sent for classification if you trigger a full request for re-classification using PowerShell.

File extensions included by default

FORMAT: APPLICATION (EXTENSION)

Archive: 7-Zip (7Z); GZIP (GZ); PKZIP (Zip); RAR archive (RAR); WINZIP (ZIP)

CAD: Microsoft Visio (VSD,VSS,VTS)

Display: Adobe PDF (pdf)

Mail: Microsoft Outlook (MSG,OFT); Microsoft Outlook Offline Storage File (OST); Microsoft Outlook Personal Folder (PST)

Presentation: Microsoft PowerPoint (PPT,PPS,POT); Microsoft PowerPoint Windows (PPT,PPS,POT); Microsoft PowerPoint Windows XML (PPTX,PPTM,POTX,POTM,PPSX,PPSM); OASIS Open Document Format (SXD,SXI,ODG,ODP); OpenOffice Impress (SXI,SXP,ODP); StarOffice Impress (SXI,SXP,ODP)

Spreadsheet: Comma Separated Values (CSV); Microsoft Excel Charts (XLS); Microsoft Excel Macintosh (XLS); Microsoft Excel Windows (XLS,XLW,XLT,XLA); Microsoft Excel Windows XML (XLSX,XLTX,XLSM,XLTM,XLAM); OASIS Open Document Format (ODS,SXC,STC); OpenOffice Calc (SXC,ODS,OTS); StarOffice Calc (SXC,ODS)

Text and Markup: ANSI (TXT); ASCII (TXT); HTML (HTM); Microsoft Excel Windows XML (XML); Microsoft Word Windows XML (XML); Rich Text Format (RTF)


To manage the files to be considered for classification

1. In the Manager/Identity Manager select the Data Governance navigation view, expand the Classification node, and select File Types.

You will see a list of file types currently being assessed during agent scans.

2. Use the arrows to add and remove the file types that you want scanned and click Save.

Starting Initial Classification

For locally managed hosts, you must restart an agent for the classification process to take effect when you enable classification on an existing security index root. When you add a new security index root and enable classification, a restart is not required.

For remotely managed hosts and SharePoint managed hosts, you must also have the “Immediately scan on agent restart” option enabled for the classification process to take effect. Classification will happen on the next scan after automatic classification was enabled.

To restart an agent

1. In the Manager/Identity Manager select the Data Governance navigation view, and select the Agents View.

2. Select the required agents in the Agents view tab, and select Restart agent in the Tasks view.

3. Click Yes to confirm.

File extensions included by default (continued)

Word Processing: Microsoft Word Macintosh (DOC); Microsoft Word Macintosh (DOT); Microsoft Word PC (DOC); Microsoft Word Windows (DOC); Microsoft Word Windows (DOT); Microsoft Word Windows XML (DOCM); Microsoft Word Windows XML (DOCX); Microsoft Word Windows XML (DOTX); Microsoft Word Windows XML (DOTM); WordPad (RTF)

Ensure that the enabled file type extensions have not been explicitly excluded from agent scans. For details, see Managing Exclusions in the Data Governance Edition User Guide.

When a Data Governance agent is restarted, it re-creates all information within its local index. The server index is updated when the full scan completes. Local managed hosts/agents will always scan on restart and rebuild the index; all other types of hosts require the Immediately scan on agent restart option to be enabled in the Master data form | Scanning Schedule tab (in order to scan on restart).

Upgrade an Agent for Classification

To upgrade an agent

• In the Manager/Identity Manager select the Data Governance navigation view, select the Agents View, right-click the agent, and choose Upgrade agent. Note: You can multi-select agents to upgrade.

-OR-

In the Manager/Identity Manager select the Data Governance navigation view, select the Managed hosts node, right-click the managed host, and choose Upgrade agent. Note: You can multi-select managed hosts to upgrade.

Re-classify Data

Using PowerShell you can cause an immediate re-classification of all NTFS and SharePoint data for all of the managed hosts within your environment or on only selected data. For details, see Re-classifying Data on page 96.

Classification Application Roles

The following application roles are specifically for Classification functionality. They are to be used in conjunction with Quest One Identity Manager and Data Governance specific application roles. For details on applying application roles, see the Quest One Identity Manager Getting Started Guide and the Data Governance Edition User Guide.

Administrators

Employees assigned this role are responsible for the care and maintenance of the Data Governance Edition deployment including the Classification services. This Employee uses the administration tools (Manager/Identity Manager) to ensure the Business Owners, Classification Analyst, and Compliance Officers have access to all required information through the web portal.

An agent upgrade may initiate a re-scan of the security index root.

When you upgrade an agent on a computer that hosts multiple agents that are scanning different managed hosts, the agent services will be upgraded for all the managed hosts the agent host computer is scanning.

In the case where you have multiple agents on different computers scanning different security index roots on a single managed host, and you select to upgrade one of the agents through the Agents view, all the agents on all computers scanning that host will be upgraded.


Members of this role can:

• Manage the Classification infrastructure and services using the Manager.

• Configure the file extensions that will be classified by the automated system.

• Modify taxonomy structures, as well as any category properties.

• Manage the categorizations of any resource, regardless of ownership.

• Manage the automated classification and categorizations, including rules and category associations.

• Create and manage rules and text extractors used by the automated system.

• Run PowerShell commands to manage taxonomies and analyze the classification environment.

Classification Analyst

Employees assigned this role are responsible for implementing classification, taxonomies, and rules and managing the automated system as designed by the business. This employee uses the web portal to modify rules, troubleshoot categorizations, view classified resources across the entire deployment, and manage taxonomies.

Members of this role can:

• Configure file extensions that will be classified by the automated system using the web portal.

• Modify taxonomy structures and category properties.

• Manage the categorizations of any resource regardless of ownership.

• Manage the automated classification and categorization, including rules and category associations.

• Create and manage rules and text extractors used by the automated system.

• Run PowerShell commands to manage taxonomies and analyze the classification environment.

Compliance and Security Officer

Employees assigned this role are responsible for overseeing the Classification deployment and ensuring security requirements are met as defined by the organization. They are responsible for reviewing classified resources across the system regardless of ownership.

Members of this role can:

• View all taxonomy structures and category properties and settings through the web portal.

• View all classifications and categorizations of all resources in the system, regardless of ownership.

Business Owner

Employees assigned this role are responsible, through the web portal, for managing and attesting to the classification of resources that they own.

Members of this role can:

• Manage the categorizations of their owned resources.

• Read all classifications on their owned resources.


To assign application roles

1. In the Quest One Identity Manager Navigation view, select Employees.

2. In the Results list, select the required employee.

3. In the Task view, select Assign Identity Manager application roles.

4. Apply the required application role, and save your changes.

Troubleshooting the Classification Deployment

There are a number of PowerShell commands available to help you examine your environment and troubleshoot any issues with it. For details, see Appendix A: PowerShell Commands on page 93.

Gather Diagnostic Information on the Classification Server and Workers

The Get-QCSSupportBundle command gathers Classification system information (such as Classification services status, Classification system configuration, event bus configuration/queue size, log files, and registered services) and Windows system information (such as environment variables, installed services, logical disk, memory cache, memory devices, network adapters, operating system, page file usage, processor information, running processes, and Windows event logs).

Review Deployed Classification Workers

You can use the Get-QWorkerServers command to view a list of computers hosting your worker servers to help you troubleshoot connection or other issues. You can also confirm that the proper version of the classification worker is installed.

Review the Classification Service

If your classification service is not functioning properly, you can use the Get-QServiceInfo command to troubleshoot the issue. You can use this command to:

• Ensure that the version of the classification server matches the version the Data Governance server expects. If the versions do not match, the system will not work properly.

• Get information about the account used by the classification service.

• Get information about the identity used to communicate with the DGE server. Use this to ensure the expected user is accessing the classification service.

• Determine if the services required for classification are running (FileHandler and SharePoint handler).

3 Configuring Classification: Taxonomies, Categories, and Rules

• An Overview of Classification Configuration

• Steps Required to Implement Classification

• Creating Taxonomies

• Implementing Rules for Automated Categorization

• Testing and Reviewing Automated Classification


An Overview of Classification Configuration

Categorization is intended to provide information about your data that can help you better understand the state of your environment, and secure information based on an understanding of a resource’s content. The end result of classification is a relationship between a resource and a particular category. In order for categorization to have value in your organization, the category must tell you something specific about the resource, and you must have confidence that the system is applying these categories accurately.

By working with the components of the classification system, and using a combination of automatically and manually applied categories, you can refine the system. The following outlines the components of the system and other necessary concepts:

Components of the Classification System

COMPONENT: DESCRIPTION

Resource: The NTFS or SharePoint object that is being categorized.

Taxonomy: A hierarchical group of categories. For more information, see Working with Taxonomies on page 28.

Category: A well-defined division in the classification system. By associating rules with the category, it can be determined if a given resource belongs to that category. For more information, see How Rules Affect Categorization on page 44.

Rule: A rule sets the criteria for categorization. More than one rule can be assigned to a category. For more information, see Implementing Rules for Automated Categorization on page 43.

Rule Engine: Processes a resource’s extracted text and identifies all relevant entities (such as names, addresses and so on), runs all rules to determine rule matches, and where appropriate, assigns a category to the resource.

Categorization: A relationship between a resource and a category. This relationship can be created manually, or as a result of passing the rules associated with the category.


Steps Required to Implement Classification

Proper deployment of your classification system requires the coordination of the administrator responsible for managing the data that is scanned or monitored, the classification analyst responsible for managing the taxonomies in the system, the business owners responsible for verifying and managing the categorization of resources, and the security or compliance officer responsible for oversight. You should also consider how you plan to make changes over time. See Managing the Life Cycle of Taxonomies and Categories on page 82.

The following steps are required before you set up classification:

1. Activate classification in your deployment. For details, see Activating Classification on page 14.

2. Set up scanning and change watching for classification on your servers. For details, see Enable and Disable Automatic Classification on Specific Managed Hosts on page 19.

Automatic Categorization

The following steps are required for categorization:

1. Gather categorization and classification requirements.

2. Plan the required taxonomy and categories structure to meet your requirements.

3. Plan the text extractor patterns and rules. For details, see Implementing Rules for Automated Categorization on page 43.

4. Create the text extractors that will be used to match a resource’s text. (For example, find a letter combination based on a regular expression). For details, see Working with Text Extractors on page 56.

5. Create and enable rules to define the categorization criteria. (For example, two text extractors should be found within 200 characters of each other.) For details, see Managing Rules in the Classification System on page 48.

6. Create and configure the required taxonomy. For details, see Working with Taxonomies on page 28.

7. Create and configure the required categories. For details, see Working with Categories on page 34.

8. Associate the required rules with each category. For details, see Associating Rules to Categories and Applying Rule Weights on page 53.

9. Test the rules and categories to ensure they accomplish the desired results. For details, see Testing and Reviewing Automated Classification on page 71.

10. Make categories available for automated categorization. For details, see Making a Category Available to the Classification System on page 77.

11. Test the classification system to ensure the desired results are achieved.

For an example walkthrough, see Appendix D: Creating a Taxonomy to Classify Data on page 141.
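The text extractor and rule in steps 4 and 5 can be prototyped against sample text before anything is created in the product. The following Python sketch is an added illustration, not Quest code and not the rule engine's implementation; the extractor names, the patterns, the sample text and the way distance is measured (characters between the two matches) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    extractor: str   # name of the extractor that produced the match
    start: int       # offset of the first matched character
    end: int         # offset just past the last matched character
    text: str        # matched text, kept as evidence for review


# Hypothetical text extractors: each one is a named regular expression.
EXTRACTORS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical_term": re.compile(r"\b(?:diagnosis|patient|prescription)\b",
                               re.IGNORECASE),
}


def run_extractor(name, text):
    """Return every match of one extractor in the text, in document order."""
    return [Hit(name, m.start(), m.end(), m.group(0))
            for m in EXTRACTORS[name].finditer(text)]


def gap(a, b):
    """Characters separating two hits; 0 when they touch or overlap."""
    return max(0, max(a.start, b.start) - min(a.end, b.end))


def proximity_rule(text, first, second, max_gap=200):
    """Pairs of hits (first, second) that lie within max_gap characters.

    An empty list means the rule does not match, so a category that
    depends on this rule would not be assigned on its account.
    """
    hits_a = run_extractor(first, text)
    hits_b = run_extractor(second, text)
    return [(a, b) for a in hits_a for b in hits_b if gap(a, b) <= max_gap]


# Constructed sample documents (not real data).
NEAR = ("Patient record 4471. Diagnosis pending; "
        "SSN on file 123-45-6789 for billing.")
FAR = ("Reference number 123-45-6789." + " filler" * 40 +
       " The patient was discharged.")


if __name__ == "__main__":
    for label, doc in (("NEAR", NEAR), ("FAR", FAR)):
        pairs = proximity_rule(doc, "ssn_like", "medical_term")
        print(label, "matches" if pairs else "does not match")
        for a, b in pairs:
            print(f"  {a.text!r} and {b.text!r} are {gap(a, b)} characters apart")
```

The FAR document contains both patterns but 286 characters apart, so it shows the false positive that the 200-character window removes compared with requiring only that both extractors match somewhere in the resource.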

Manual Categorization


The following steps are required for categorization:

1. Gather categorization and classification requirements.

2. Plan the required taxonomy and categories structure to meet your requirements.

3. Create and configure the required taxonomy. For details, see Working with Taxonomies on page 28.

4. Create the required categories. For details, see Working with Categories on page 34.

5. Make the taxonomy available for manual categorization by publishing the taxonomy tree.

Creating Taxonomies

Careful planning and coordination is required to get the most out of classification in Quest One Identity Manager Data Governance Edition. Ideally, one or more well-organized taxonomies will be deployed in your organization, and used to categorize resources of interest.

A taxonomy is a set of related categories, organized as a tree structure. The top node represents the taxonomy as a whole, and each branch is a category.

All categories in a taxonomy should be related in some way. Create a separate taxonomy for each related set of categories. This makes it easier for users to understand their resources’ categorization.

To view the taxonomies in your environment using the web portal

Select Governed Data | Categorization Manager | Taxonomies.

To view all taxonomies in your environment using PowerShell

• Run the Get-QTaxonomies command with the following mandatory parameter:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

Working with Taxonomies

Using the Web Portal or Quest.Classification PowerShell snap-in, you can create, edit, and import taxonomies. See Taxonomy Deployment Considerations on page 82 before publishing any taxonomies in your production environment.

You can work with taxonomies using the following methods:

• Web Portal, under the Governed Data Node

• PowerShell snap-in (see Adding the PowerShell Snap-ins on page 94)


Creating a Taxonomy

When you create a taxonomy, you are providing the base for the category tree, as well as creating a category that could be applied to resources. For example, if you are creating a PHI taxonomy, you will then add categories to it to create the desired taxonomy. However, you can assign rules to the top level node, PHI, for it to be used in automated categorization, or you can make it available for manual categorization. There are a number of parameters associated with a category. See Working with Categories on page 34 for more information. These parameters only affect the use of the top node of the taxonomy tree applied as a category, and do not apply to the taxonomy as a whole. For example, when you select Publish this category, it does not make the entire taxonomy available, only the top node.

To create a taxonomy using the web portal

1. Select Governed Data | Categorization Manager | Taxonomies.

2. Click Create new taxonomy.

3. Provide a name for the taxonomy.

The name will appear anywhere the taxonomy is shown.

4. Enter an optional description.

The description appears in the list of taxonomies on the Manage Taxonomies page.

5. Modify any of the category parameters. See Working with Categories on page 34 for more information.

6. Click Save.

The Edit Taxonomy dialog box opens. You can either add categories now, or click OK to complete the creation of the taxonomy. For more details, see Creating a Category on page 36, Editing Category Settings on page 39 and Deleting a Category on page 43.

To create a taxonomy using PowerShell

1. Run the Add-QTaxonomy command with the following mandatory parameters:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) Name

The name will appear anywhere the taxonomy is shown.

2. If desired, you can set any of the following optional parameters:

a) Description

The description appears in the list of taxonomies on the Manage Taxonomies page.

b) Category parameters: Risk, CausesGovernance, IsPublished, IsAutomaticClassificationEnabled, IsMutuallyExclusive, IsStrictlyOrdered.

By default, the risk is set to 0, and all other parameters are set to $false. The threshold is set to 1. For more information on setting the parameters on a category, see Working with Categories on page 34.

Importing and Replacing Taxonomies


Depending on the state of the taxonomy within your deployment, you will be able to perform one of the following:

• Import a new taxonomy into your deployment

• Replace an existing taxonomy in your deployment

Importing Taxonomies

By default, when you import a new taxonomy it will be unpublished. Before you can begin to classify your resources based on the categories contained within it, you will need to set the required settings through the Categorization Manager. From here, you can adjust the associated risk level, whether you want to publish the taxonomy so that it is available to the business owner, whether to have the system automatically classify your resources based on the rules within the taxonomy, and whether the categorization should cause governance of the resource.

You may want to import the taxonomy into a test environment first to ensure that it meets your needs and assess the rules contained within it.

If you are confident that the taxonomy and/or category will suit your needs as is, you can publish all in a single operation. Remember that once published, it will be available to business owners and the classification system. For details, see Publish All Categories at Once on page 42.

To import a taxonomy with the web portal

1. Select Governed Data | Categorization Manager | Taxonomies.

2. Click View Catalog.

A list of available taxonomies (both those currently in place in your environment and those that are available for import) will display.

3. Select the taxonomies that you want to import into your system and click Import.

You must select one taxonomy at a time and wait for it to complete before you can select another one.

The time required to import a taxonomy is dependent upon its size and complexity.

4. Once the import is complete, click Back to Categorization Manager or select the Taxonomies tab in the Categorization Manager and click Edit next to the taxonomy to adjust its settings and add and remove categories as required.

For more details, see Creating a Category on page 36, Editing Category Settings on page 39 and Deleting a Category on page 43.

To import a taxonomy with PowerShell

• Run the Import-QTaxonomyByName command with the following parameters:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) TaxonomyName


Replacing a Taxonomy

Because rules and text extractors can be shared across multiple taxonomies, a replacement could have immediate and significant impact on existing categorizations.

When you replace a taxonomy, all of the selected taxonomy’s categories, rules, text extractors, and all associated settings are applied to the existing taxonomy. The following are exceptions to this:

• Any categories, rules, or text extractors added to a taxonomy in the environment will not be deleted or modified by the replace process.

• Settings related to how the category functions within the Classification System such as publish, risk, and causes governance will not be altered.

• If new categories were added to a taxonomy that affected the threshold and weights for the parent category, a manual adjustment may be required after the replacement to ensure that the threshold calculation continues to have a sensible result.

To replace a taxonomy with the web portal

1. Select Governed Data | Categorization Manager | Taxonomies. 2. Click View Catalog.

A list of available taxonomies will display.

3. Select the required taxonomy and click Replace.

You must select one taxonomy at a time and wait for it to complete before you can select another one.

The time required to replace a taxonomy is dependent upon its size and complexity.

4. Once the replace is complete, click Back to Categorization Manager or select the Taxonomies tab in the Categorization Manager and click Edit next to the taxonomy to adjust its settings and add and remove categories as required.

For more details, see Editing Category Settings on page 39.

To replace a taxonomy with PowerShell

• Run the Import-QTaxonomyByName command with the following parameters:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) TaxonomyName

Provide the name of the taxonomy. The available taxonomies for import can be found by running the Get-QImportableTaxonomies command.

c) Replace

Set this to $true to replace the taxonomy.


Editing a Taxonomy

You can change the name and description of a taxonomy. If you plan to apply the top node of a taxonomy as a category, you may want to change the category parameters. For more information, see Editing Category Settings on page 39.

To edit the name and description of a taxonomy using the web portal

1. Select Governed Data | Categorization Manager | Taxonomies.

2. Locate the row containing the taxonomy, and click Edit.

3. Select the top node of the tree, and click Edit.

4. Modify the name and description.

5. Click Apply Changes.

You can change any of the category parameters as well. For details, see Working with Categories on page 34.

To edit the name and description of a taxonomy using PowerShell

1. If you do not know the required taxonomy ID, run the Get-QTaxonomies command, using the following mandatory parameter:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) Locate your desired taxonomy, and note or copy the taxonomy ID.

2. Run the Set-QTaxonomy command, with the following parameters:

a) ServerAddress (mandatory)

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) TaxonomyID (mandatory)

The ID of the taxonomy you want to change.

c) Name (optional)

The new name of the taxonomy.

d) Description (optional)

The updated description of the taxonomy.

You can change any of the category parameters as well. For details, see Working with Categories on page 34.

Deleting a Taxonomy

If a taxonomy has been in use, you should use extreme care when deleting it. When you delete a taxonomy:

• All categories in the taxonomy will be deleted.

• If resources were categorized using any category in the taxonomy, the association will be removed.

• Any policy that included a category from the taxonomy may no longer have the expected results.

• Attestations involving any category from the taxonomy may no longer work.

• Reports will no longer include data about any category in this taxonomy.


To delete a taxonomy using the web portal

1. Select Governed Data | Categorization Manager | Taxonomies.

2. Locate the row containing the taxonomy, and click Delete.

3. In the confirmation dialog box, select the I still want to delete this taxonomy check box.

4. Click Delete Taxonomy.

To delete a taxonomy using PowerShell

1. Make sure you know the ID of the taxonomy. For more information, see Finding a Taxonomy, Category, or Extractor ID using PowerShell on page 94.

2. Run the Remove-QTaxonomy command with the following mandatory parameters:

a) ServerAddress (mandatory)

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.

b) TaxonomyID (mandatory)

The ID of the taxonomy you want to delete.

3. Press enter to confirm the deletion.

Exporting Taxonomies

Exporting allows you to move taxonomies between environments, distribute custom taxonomies, and create backups. For example, if you maintain a development environment, you can export from your development environment and import to your production environment.

Taxonomies consist of categories, which are associated with rules, which in turn may refer to text extractors. All components will be included in the exported taxonomy and a publisher, if it does not currently exist, will be applied. The publisher will help you to identify taxonomies that you have created for your organization or for distribution.

To export a taxonomy using the web portal

1. Select Governed Data | Categorization Manager | Taxonomies.

2. Locate the row containing the taxonomy, and click Export.

3. Enter the publisher and click Export.

The publisher will help to identify taxonomies, categories, rules, or text extractors that you have created and plan to distribute or back up. Note: The publisher will be applied to any categories, rules, and text extractors that do not have an existing publisher.

4. Close the export dialog box and download and save the taxonomy template xml file with your browser to your preferred location.

The taxonomy is now available to be distributed. Whether it will be imported or upgraded depends on whether it is currently deployed in the target environment. For information on importing, see Importing and Replacing Taxonomies on page 29.

To export a taxonomy using PowerShell

1. Determine the ID of the taxonomy you want to export.

See Finding a Taxonomy, Category, or Extractor ID using PowerShell on page 94 for details.

2. Run the Export-QTaxonomy command with the following mandatory parameters:

a) ServerAddress

Provide the name of the computer hosting the Data Governance server, and the port. Enter in the form computername:port number. The default port is 8723.


If a publisher does not currently exist, you can supply one.

The publisher will help to identify taxonomies, categories, rules, or text extractors that you have created and plan to distribute or back up. Note: The publisher will be applied to any categories, rules, and text extractors that do not have an existing publisher.

3. If desired, you can set the following optional parameter:

a) OutputFile

Provide the path to a file to store the template XML.

The taxonomy will be output to the screen if you omit this step.
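The two PowerShell procedures above (deleting and exporting a taxonomy) combined into a backup-then-delete routine, so that a taxonomy is never removed without a verified export on disk. This is an added example, not code from the Quest guide; the function name, the backup folder and the -TaxonomyID parameter on Export-QTaxonomy are assumptions (the parameter list shown for that command names only ServerAddress), and Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example (not from the Quest guide). Assumes the Data Governance
# PowerShell snap-in is already loaded in the session.
function Backup-AndRemoveTaxonomy {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ServerAddress,  # computername:port
        [Parameter(Mandatory = $true)] [string] $TaxonomyID,
        [Parameter(Mandatory = $true)] [string] $BackupDir       # assumed backup folder
    )
    $ErrorActionPreference = 'Stop'

    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "taxonomy-$TaxonomyID-$stamp.xml"

    # Export before deleting. -TaxonomyID on Export-QTaxonomy is an assumption.
    # The publisher parameter is omitted because its name is not given on this page.
    Export-QTaxonomy -ServerAddress $ServerAddress -TaxonomyID $TaxonomyID -OutputFile $file

    # Stop unless the backup exists, is non-empty and parses as XML.
    if (-not (Test-Path -LiteralPath $file) -or (Get-Item -LiteralPath $file).Length -eq 0) {
        throw "No backup written to $file. The taxonomy was not deleted."
    }
    try   { $null = [xml](Get-Content -LiteralPath $file) }
    catch { throw "Backup $file is not well-formed XML. The taxonomy was not deleted." }

    # Record a hash so the backup can be checked before a later import.
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    Write-Host "Backup: $file"
    Write-Host "SHA256: $hash"

    # Remove-QTaxonomy prompts for confirmation (press Enter), per the procedure above.
    Remove-QTaxonomy -ServerAddress $ServerAddress -TaxonomyID $TaxonomyID
}

# Constructed values: dgserver01 is a placeholder host, 8723 is the default port.
# Backup-AndRemoveTaxonomy -ServerAddress 'dgserver01:8723' -TaxonomyID '<taxonomy-id>' -BackupDir 'C:\TaxonomyBackups'
```

The export covers the taxonomy's categories, rules and text extractors; resource associations removed by the deletion are not part of the template and are not restored by re-importing it.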

Working with Categories

The proper configuration of a category is integral to a properly working system. Categories should be created and refined in test mode, and published when they are ready to be used in your production environment. Deployments of categories should be properly managed. See Managing the Life Cycle of Taxonomies and Categories on page 82 for more information.

You can work with categories using the following methods:

• Web Portal, under the Governed Data node

• PowerShell snap-in (see Adding the PowerShell Snap-ins on page 94)

Each category has a number of settings, which have an impact on the category’s behavior. In the table below, the parameter in brackets is the PowerShell equivalent of the setting in the Web Portal.

You can quickly view all the settings applied to a category through the Categorization Manager to better understand your deployment. Simply select the category of interest to see its current settings.

Category Parameters (PowerShell equivalent in brackets)

SETTING

Category Risk (Risk)

Indicates the relative risk of the category. This is then used to determine how a resource is classified. For more information, see Classifying Resources on page 78.

Publish this category (IsPublished)

Makes a category available for manual categorization. You must also enable this for automation to work. Publish a category only when you are ready for business owners to have access to it.

A subcategory must have a published parent category. If you publish a subcategory, and the parent is unpublished, the action is ignored.

Allow this category to be used by the automated system (IsAutomaticClassificationEnabled)

You can make a category available to the classification system. Automated categorization is based on the rules associated with the category, so you should associate rules and test the category before automating it.
