Data Governance Edition
Data Governance Quick Start Guide
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND
CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: [email protected]
Refer to our Web site (www.quest.com) for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, and Simplicity at Work are trademarks of Quest Software and its subsidiaries. See http://www.quest.com/legal/trademarks.aspx for a complete list of Quest Software’s trademarks. Other trademarks are property of their respective owners.
Quest One Identity Manager Data Governance Edition - Data Governance Quick Start Guide Updated - August 2012
Software Version - 6.0
Third Party Contributions
Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.
COMPONENT: LICENSE OR ACKNOWLEDGEMENT
• Boost 1.34.1: Boost Software License - Version 1.0 - August 17th, 2003
• .NET logging library 1.0: Copyright © 1979-1994, The Regents of the University of California. All rights reserved. BSD 4.4 License.
• ZLib.NET: License notice
Copyright (c) 2006, ComponentAce http://www.componentace.com All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of ComponentAce nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
• Google Open Sans 1.0: Copyright © January 2004 (http://www.apache.org/licences). Apache 2.0 License.
• JQuery 1.7.1: Copyright © 2011, John Resig. MIT License.
• JQuery UI 1.8.20: Copyright © 2011, John Resig. MIT License.
• Mono.Security 2.0.3600.1: Copyright © 2004 Novell, Inc. (http://www.novell.com). MIT License.
• Novell.Directory.LDAP 2.1.9.0: Copyright © 2003 Novell, Inc. (http://www.novell.com). MIT License.
• SharpZipLib 0.85.4.369: Copyright © 2001-2007 Mike Krueger, John Reilly. SharpZipLib License.
• spin.js 1.2.2: Copyright © 2011 Felix Gnass [fgnass at neteye dot de]. MIT License.
• Windows Installer XML toolset (aka WIX) 3.5.2519.0: Common Public License 1.0
• ZLib.NET 1.0.3: Copyright © 2006, ComponentAce (http://www.componentace.com). All rights reserved.
CHAPTER 1 INTRODUCTION . . . 7
ABOUT THIS GUIDE . . . 8
SYSTEM REQUIREMENTS . . . 9
DEPLOYMENT OVERVIEW . . . 11
READY SERVICE ACCOUNTS AND MANAGED DOMAINS FOR DEPLOYMENT . . . 12
CONFIGURE MANAGED HOSTS . . . 13
LOCAL AND REMOTE AGENTS . . . 13
CONFIGURATION OPTIONS . . . 13
ADDING MANAGED HOSTS . . . 14
ADDING SHAREPOINT MANAGED HOSTS . . . 15
ADDING NETAPP ATTACHED STORAGE DEVICE, EMC CELERRA STORAGE DEVICE, OR CLUSTER MANAGED HOSTS . . . 16
VERIFY MANAGED HOSTS SYSTEM STATUS . . . 17
DATA GOVERNANCE OVERVIEW . . . 18
QUEST ONE IDENTITY MANAGER TOOLS USED TO GOVERN DATA . . . 19
IDENTIFYING DATA TO BE GOVERNED . . . 20
CHAPTER 2 STEP-BY-STEP WALKTHROUGHS . . . 23
PERSONAS . . . 24
COMPARE ACCOUNT ACCESS AND PERFORM GROUP MEMBERSHIP SIMULATIONS . . . 24
ESTABLISH DATA OWNERSHIP . . . 27
GOVERN DATA . . . 28
CREATE AN ACCESS POLICY . . . 29
WORK WITH GOVERNED DATA THROUGH DASHBOARDS AND VIEWS . . . 33
REQUEST DATA ACCESS THROUGH THE IT SHOP . . . 37
PERFORM AN ATTESTATION REVIEW OF DATA OWNERSHIP AND SECURITY . . . 43
SUBSCRIBE TO ACTIVITY AND ACCESS REPORTS . . . 48
CHAPTER 3 ABOUT QUEST SOFTWARE . . . 53
ABOUT QUEST SOFTWARE . . . 54
CONTACTING QUEST SOFTWARE, INC. . . . 54
CONTACTING QUEST SUPPORT . . . 54
GLOSSARY . . . 55
Chapter 1 Introduction
• About this Guide
• System Requirements
• Deployment Overview
About this Guide
This document has been prepared to assist you in becoming familiar with Data Governance, an integral component of Quest One Identity Manager Data Governance Edition.
This document is for network administrators, consultants, analysts, IT professionals responsible for deploying Data Governance in their organization, and Web Portal users. It provides typical use cases and step-by-step instructions to help you understand how to use Data Governance to secure the unstructured data in your organization.
The Data Governance Edition Quick Start Guide is supplemented with the Data Governance Edition User Guide, which provides more detailed information about the Data Governance features, and includes instructions to help administrators perform day-to-day administrative activities.
System Requirements
Review the following sections to ensure that your system meets the minimum requirements.
Data Governance Server
System Requirements:
• Windows Server 2003, Windows Server 2003 (R2), Windows Server 2008, Windows Server 2008 (R2), Windows SQL Server 2008 (R2) (64 bit non-Itanium)
• quad core CPU
• 1024 x 768 screen resolution with 16-bit color
• 100 GB free disk space
• 16 GB RAM
Software Requirements:
• .Net 3.5 Service Pack 1 or later
• Microsoft SQL Server Enterprise Edition 2008 Service Pack 3 or later, Microsoft SQL Server Enterprise Edition 2008 R2 Service Pack 1 or later (compatibility level: 10)
• Oracle database 11g r2 Enterprise Edition version 11.2 and higher (patch level will vary with operating system platform).
Account Requirements:
• You must be an administrator of the computer on which you are installing the Data Governance Server.
• You must have the credentials of an account that can be used to create a database on the SQL server being used by the Data Governance Server.
• You must have the credentials of an account that can be used as a Service Account for your managed domains.
• For both the Web Portal and the Data Governance front ends, users must be logged in with an Active Directory user account from an Active Directory domain that's in the Identity Manager database.
For complete Quest One Identity Manager system requirements (including those required for the client and the Web Portal), see the Quest One Identity Manager Release Notes.
To configure a Data Governance server, the user must belong to the Administrators group of the computer hosting the server.
Quest only provides a 64-bit server for Data Governance. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.
Data Governance Activity Database
System Requirements:
• quad core CPU
• 100 GB free disk space
• 16 GB RAM
Agent Requirements
System Requirements
• Update Rollup 1 for Windows Server 2000 with Service Pack 4, Windows Server 2003, Windows Server 2003 (R2), Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit)
• 500 MHz+ Processor
• 1024 MB RAM
• 100 MB free disk space for every 1,000,000 files / folders scanned
Report Requirements
• For Data Governance reports to function, proper authentication checks must be performed. This is accomplished by configuring the job server service to log on as an Active Directory account associated with an Employee who has been assigned the Data Governance Administrator application role. This job server must be configured with the SMTP Host server mask to ensure it is the job server that runs the reports.
SharePoint Requirements/Recommendations
• Scanning SharePoint Server 2010 is supported.
• Standalone farms are not supported.
• Farms configured with only Local Users/Groups are not supported.
• Recommend installing the agent on a dedicated SharePoint 2010 Application Server in the farm and not on a Web Front server (to reduce processing load on the web front end server).
• Recommend 100 GB disk space on the SharePoint agent computer for data storage and scan post-processing activities. The space required is dependent on the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm.
• Recommend 8 GB RAM for the SharePoint agent computer.
• Ensure that the service account configured for the SharePoint managed host is a SharePoint Farm Account (same account that is used to run the SharePoint timer service).
Additionally, the following Network Attached Storage Devices are supported as managed hosts, but must be scanned remotely: NetApp 7.2 and 8.x (Data ONTAP)*, EMC Celerra 5.6 with Server Message Block 1.0. Windows 2008 and Windows 2008 (R2) failover clusters are supported as remote managed host types. Resource activity tracking is not supported for clusters.
* Real-time file system updates and resource activity tracking are not supported on versions of ONTAP NetApp filers earlier than 7.3.
Web Portal Requirements
• To access Quest One Identity Manager Data Governance Edition functionality in the Web Portal, you must configure IIS to use Integrated Authentication.
• If the web server hosting the Quest One Identity Manager Web Portal is running on the same computer as the Data Governance server, you must set the ‘ImpersonateWcfCalls’ IIS application setting to TRUE.
• If the web server hosting the Quest One Identity Manager Web Portal is running on a different computer than the Data Governance server, you must include entries in the ‘ExplicitlyAllowedIdentities.txt’ file for the IIS host computer's Active Directory account.
Deployment Overview
The following activities must be performed to have a fully functional Data Governance deployment:
• Install Quest One Identity Manager and Data Governance
• Configure the Identity Manager and Data Governance Activity database
• Synchronize your target environments (Active Directory and SharePoint)
• Install the Web Portal
• Map employees with the required Data Governance application roles
• Deploy managed hosts
Recommended Deployment:
• Install Quest One Identity Manager Administrative and System Configuration tools on Windows workstation.
• Install Quest One Identity Manager Server Service on Windows Server with good connectivity to a database server.
• Install Quest One Identity Manager database on a dedicated Windows SQL Server.
• Install Quest One Identity Manager Web Portal on a dedicated Windows IIS Server.
For detailed installation and configuration procedures, please see:
• Installing the Identity Manager on page 21 in the Quest One Identity Manager Getting Started Guide.
• Setting Up Active Directory Synchronization on page 236 in the Quest One Identity Management Guide.
• Setting Up SharePoint Farm Synchronization on page 354 in the Quest One Identity Management Guide.
• Quest One Identity Manager Web Portal Installation Guide and Quest One Identity Manager Web Portal User Guide.
• The Identity Manager Roles Model on page 87 in the Quest One Identity Manager Getting Started Guide.
• Configuring Data Governance on page 13 and Working with Managed Hosts on page 15 in the Quest One Identity Manager Data Governance Edition User Guide.
Ready Service Accounts and Managed Domains for Deployment
Before you can gather information on the data in your enterprise, you must:
• Add and assign the credentials (service accounts) used to access resources on the computers within the domain.
• Select the domains that contain the computers and data that you want to manage.
Operations within Data Governance use different credentials. The following table details which account is used for each action and the rights it needs.
Account Usage
Rights required of the managed domain service account or the agent service account, by action:
• Manage Trustee Access, Report on Trustee Access: group membership and trust read rights.
• Manage a domain: create container and service connection point objects in the target domain's System container. The service account must have the right to log on to the Data Governance Server computer interactively.
• Read a Trustee's Group Membership Information: group membership and trust read rights.
• Deploy an Agent: administrative rights on the target managed host (only during deployment).
• Remove an Agent: administrative rights on the target managed host (only during removal).
• Synchronize Agent Service Accounts: Administrator or Server Operators rights on the target managed host.
• Restart an Agent: Administrator or Server Operators rights on the target managed host.
• Modify Resource Security: modify the security of the object natively.
• Remotely Index Security Information: read security and list children rights for all roots and root children selected for scanning.
To add a service account
1. In the Data Governance Navigation view, right-click Service accounts, and select New.
2. In the Change master data form, select the Active Directory account, and enter the password and comments.
3. Save your changes.
To assign a service account
1. Select Data Governance in the Quest One Identity Manager Navigation view.
2. In the Navigation view, select Service accounts, double-click the required service account, and select Assign domains in the Tasks view.
Available domains are shown at the bottom and can be added; currently assigned domains are shown at the top and can be removed.
3. Right-click a domain and select to assign or remove domains as required.
4. Save the changes.
Configure Managed Hosts
A managed host is any network object that can host resources and can be assigned an agent to monitor security and resource activity. Currently supported hosts include Windows computers, Windows clusters, NetApp Attached Storage Devices, EMC Celerra Storage Devices, and SharePoint farms.
Local and Remote Agents
Local agents reside on the same computer as the managed host. When you deploy a local agent, it immediately scans all fixed volumes on the host computer. You can only use a single agent on a locally managed host; however, local agents provide the best performance and the most functionality. Windows computers use local agents.
Remote agents reside on a remote computer other than the managed host, and require a service account with adequate credentials to read the security information. To improve performance, you can have multiple agents scanning a single host. You can use remote agents on Windows computers, and you must use them on Windows clusters, NAS and EMC devices.
SharePoint agents are remotely managed and require a service account for the agents. They must be installed on a SharePoint server. Ensure that the service account configured for the SharePoint managed host is a SharePoint Farm Account (same account that is used to run the SharePoint timer service).
Configuration Options
Managed hosts must be properly configured for security indexing (and resource activity tracking, if applicable) to begin. An agent must be configured to communicate with the server and gather resource information. Until this is done, no security information will be stored or indexed for this computer. Agents are configured when you add or edit a managed host. The available configuration options vary with the type of managed host.
Resource Scanning
Resource activity tracking is available for locally managed Windows servers, SharePoint farms, and supported NetApp and EMC remotely managed hosts. It is used to collect data on identities, reads, writes, creates, deletes, renames and security changes on securable objects.
Security Index Roots
Security index roots determine the unstructured data for which a security index is maintained. A security index root is the root of an NTFS directory tree to be scanned by an agent, or a point in your SharePoint farm hierarchy below which everything is scanned. The agent monitors the specified roots for changes to security settings. By default, the agent does a full scan of the computer for local managed hosts and SharePoint hosts. The security index roots available for scanning differ for local and remote agents.
Scanning Schedule
Through the Scan Schedule tab on the managed host master data, you can set the time and frequency with which the agent scans the target computer. For remote agents, you must enable the Immediately scan on agent restart option if you want the agent to scan immediately when it is added or if you want the agent to rescan the security index roots when the service is restarted.
Real-time File System Security Index Updates
The Real time file system security index updating option causes the agent to watch for changes on the file system of the target managed host (create, delete, and rename operations, as well as DACL, SACL, and Owner changes). This results in a more up-to-date security index.
Adding Managed Hosts
To add a managed host with a local agent
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select Locally Managed Windows Computer and click Add.
4. In the General tab, select the computer to scan from the Server list.
You must now decide if you want to enable resource activity tracking for the agent.
5. Select the Resource Activity tab, and configure the resource activity tracking.
6. Select the Aggregation period. As resource activity is continuously tracked, this period is used to group together the results over a period of time.
7. To limit network traffic, select Enable activity synchronization window.
8. To exclude accounts and objects from tracking, click the Manage Exclusions button and select the objects to exclude.
a) Select to add or remove users or groups, file extensions, or folders to be monitored for resource activity.
b) Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude.
For file extensions, you can enter a Category name to group any extensions you add to the exclusions list.
c) Select OK to save the changes.
When you install a locally managed host, you have the option of automatically installing the agent with the host, or manually installing the agent at a later date. Although it is recommended that you install the agent with the host, so you can properly configure it, if you are unable to do so due to a firewall or other security issues, you can manually install it after you set up the managed host. On the Agent Details page, choose External for the deployment method, and then run the Agent.msi file located in the Data Governance installation folder on the locally managed host.
9. To selectively scan a host, select the Security Index Roots tab, and select Add security index roots from the Tasks view.
For a local host, you need to add and save your changes before you can add a security index root. For a remote host, you need to add and save your changes, then add an agent and save your changes before you can add a security index root.
10. Choose the directory to be scanned and the required agent, and click OK.
Local agents by default scan all local fixed volumes on their host computer.
11. Save your changes.
To add a managed host with a remote agent
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select the Remotely Managed Windows Computer option, and click Add.
For remotely managed hosts, the first remote agent should be added during the host’s initial deployment. You can manually add more remote agents later, if needed.
4. In the General tab, select the computer to scan from the Server drop down list.
Real-time file system security index updating and Rescan on error are checked by default.
5. Save your changes.
6. Select the Agents tab, and click Add agent in the Tasks view.
7. Select the agent host computer from the Server location list, and select a service account with sufficient permissions to access both the target computer and the agent host. Save the agent data.
An agent requires a service account that has the right to read security information on the remote host. This account is configured separately, and then selected when you deploy the agent.
8. Select the newly created managed host in the Result list, and select the Scanning Schedule tab to set the time and frequency with which the agent scans the target computer.
9. Select the Security Index Roots tab to select the roots to scan.
More than one remote agent may be configured to scan a managed host provided each agent scans different security index roots. A given security index root can be scanned by only one agent.
10. Select Add security index roots in the Tasks view, select the required roots, and click OK.
11. Save your changes.
The Data Governance server will add the managed host (after it has been added and saved) and deploy the agents (once it has been configured and saved) to scan for information.
Adding SharePoint Managed Hosts
SharePoint farms are similar to remotely managed hosts in that they require an associated service account, even though they are installed locally on a SharePoint server. Like a locally managed host, you have the option of selectively including and excluding objects to be scanned by its agent.
Please see Appendix B: EMC Celerra, NetApp Filer, and SharePoint Configuration Details on page 79 in the Quest One Identity Manager Data Governance Edition User Guide before adding this type of managed host.
The following procedure requires a SharePoint synchronization to have been performed. For details, see Setting Up SharePoint Farm Synchronization on page 354 in the Quest One Identity Manager Identity Management Guide.
To add a SharePoint managed host
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select SharePoint Farm, and click Add.
4. In the General tab, select the SharePoint farm to scan from the drop-down list.
5. Select the Agent Details tab, and select the required service account.
6. Select Scanning Schedule tab to set the time and frequency with which the agent scans the target computer.
You must now decide if you want to enable resource activity tracking for the agent.
7. Select the Resource Activity tab, and configure the resource activity tracking.
8. Select the Aggregation period. As resource activity is continuously tracked, this period is used to group together the results over a period of time.
9. To limit network traffic, select Synchronize only between these times and set the start and end time.
10. To exclude accounts, click the Manage exclusions button and select the accounts to exclude.
11. The default for SharePoint managed hosts is to scan all data roots if no roots are specified. To selectively scan a managed host, select the Security Index Roots tab, and Configure security index roots in the Tasks view.
12. Select the directory and objects that you want included and excluded from the scan, and the required agent, and click OK.
13. Save your changes.
Adding NetApp Attached Storage Device, EMC Celerra Storage Device, or Cluster Managed Hosts
You can add these as managed hosts, with remote agents. Please see Appendix B: EMC Celerra, NetApp Filer, and SharePoint Configuration Details on page 79 in the Data Governance Edition User Guide before adding this type of managed host.
To add a NetApp or EMC device or cluster as a managed host
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select Windows Cluster, NetApp Storage Device, or EMC Celerra Storage Device, and click Add.
4. Select a computer from the Server drop down list and save your changes.
Real-time file system security index updating and Rescan on error are checked by default.
5. Select the Agents tab and Add agent in the Tasks view, and select a service account with sufficient permissions to access the target computer.
6. Select Scanning Schedule to set the time and frequency with which the agent scans the target computer.
These settings will apply to all agents on this host.
7. For EMC Celerra and Net App, select the Resource Activity tab, and configure the resource activity tracking.
8. Select the Aggregation period. As resource activity is continuously tracked, this period is used to group together the results over a period of time.
9. To limit network traffic, click the Enable activity synchronization window and set the start and end time.
10. To exclude accounts, click the Manage exclusions button and select the accounts to exclude.
The EMC CEPA interface allows only one vendor or vendor's product to subscribe to CEPA Auditing events for a given computer. To overcome this limitation, you can use the Quest Common Event Enabler (QCEE) service. Select the required QCEE server to use for auditing activity and real time file system security index updating.
11. Save your changes.
The Data Governance server will add the managed host (after it has been added and saved) and deploy the agents (once it has been configured and saved) to scan for information. Security index roots cannot be configured until the agent has been configured and saved.
The exception to this rule is if you are deploying managed hosts through the Add Multiple Managed Hosts task. From there you can configure the security index roots before deploying remote agents.
12. Select the Security Index Roots tab to select the roots to scan.
13. Select Add security index roots in the Tasks view, select the required roots, and click OK.
14. Save your changes.
Verify Managed Hosts System Status
When you first deploy a managed host it takes a few minutes for the agent to start collecting data. As the state changes, a regular refresh will allow you to see the changes.
To check the state of all managed hosts in your environment
• In the Navigation view, select Managed hosts.
Data Governance Overview
Control over your organization’s data is vital to eliminate issues such as security breaches, loss of sensitive information, or non-compliance with external and internal guidelines. There is a need to govern access to the unstructured data available to employees through file servers, SharePoint sites, and NAS devices.
Business owners and IT administrators can collaborate to align IT infrastructure and security goals with the overall company strategy by providing:
• Activity details both from an identity (user) and resource (data) perspective.
• Visibility and control over who has access and the type of access to resources within your environment.
• Access to self-service access request workflows and services.
• Ability to define access control policies and pro-actively triage any compliance violations.
• Ability to enable business owners to approve who can gain access to the data they own.
• Ability to periodically attest to resource access to meet compliance objectives.
Quest One Identity Manager Tools Used to Govern Data
Governing unstructured data enables data access management, preserves data integrity, and provides content owners with the tools and workflows to manage their own data. The workflows required to manage data cross the Manager/Identity Manager and the Web Portal.
The Manager/Identity Manager is the tool administrators use to perform their daily work.
The Web Portal is the interface that makes Quest One Identity Manager Data Governance Edition visible to end users. An essential component is the web-based employee self-service request portal, which is realized through the IT Shop. Using simple, standardized forms, each employee is able to request access to the resources they need to perform their day-to-day duties. The Web Portal also includes dashboards, views, and reports that provide auditors, compliance/security officers, managers, and business owners with the information they need to ensure compliance with internal and external guidelines. It is also through the Web Portal that resource access and ownership are attested to and compliance policy violations are addressed.
IT administrators are focused on maintaining an optimal and secure storage/access infrastructure. They will use the Manager/Identity Manager to:
• Gain visibility, through a detailed security view, into who can access and who is accessing which resources, and where the stale groups and stale data are.
• Manage access and edit security settings on the resources.
• Create a bridge to the business by helping identify and assign the business owner for resources.
• Secure unstructured data by placing it under governance and publishing it to the IT Shop, thereby enabling self-service requests that include compliance checks.
Security Admins use the Manager/Identity Manager to:
• Identify and manage:
  • User access to enterprise resources such as files, folders, and shares across NTFS, NAS devices, and SharePoint.
  • Service accounts and their enterprise activities.
  • All users/groups that have access to a specific enterprise resource.
  • Unresolved SIDs.
  • Child resource access that deviates from the parent.
  • Top active resources and users.
  • Probable business owner of a resource.
• Perform “What If“ access modeling including:
  • Comparing two user accounts/groups to identify the impact of adding/removing users to/from groups.
  • Identifying why two employees in the same department have different access rights.
The business needs to empower the workforce to access the resources they need while ensuring continuous compliance and accountability of the stakeholders. Through the Web Portal, users have access to:
• Self-service requests that streamline how people obtain access to the data they need.
• Access certification processes that ensure proper allocation of resources.
• A policy enforcement system that guides stakeholders, including compliance officers (who provide the governance on how things should be done and how goals are met), managers (who provide the tactical execution on how access is provided, how compliance is achieved, and how least-privilege principles are fulfilled), and auditors (who complete the traceability of the processes in place, how things are done, and who is accountable).
• Views, dashboards, and reports that enable the business owner to see the access employees have to all the resources they own and the resource activity on those resources. The compliance/security officer also uses the dashboards and views to access information on governed data, attestations, and policies.
Identifying Data to be Governed
The process of identifying data to be governed is continuously adaptive in nature. Those responsible for identifying the data may include the business owner, the administrator, the compliance officer, and managers.
Consider the following when selecting the data that should be governed:
• Monitor the “Top Active Content” and “Top Active Users” reports and views in the Web Portal to identify content that is potentially valuable to the organization.
• Identify enterprise applications that can export data to flat files and flag them as potentially needing to be governed. These files may contain sensitive data.
• Identify content with several access points. For example, if content is available to “Everyone”, “All Sales”, or “All Employees”, you would assume that it is meant for public consumption. However, sensitive files may be placed in a public area either in error or through malicious intent. It is important to assign a “high risk” index to content with wide access points and bring it under control.
• Identify groups with a large number of members and investigate their resource access. Sensitive information could be inadvertently available to people through their group memberships.
• Talk to business owners. They are stakeholders in making the data governance process successful. Understand how they create content and the repositories they use, whether SharePoint or file servers. They can provide information about the importance of content created by the different “roles” in their department or organization. This identifies the shares/folders that must be governed and the important groups or roles from their perspective.
• Identify trends in “Access Requests” in the Web Portal IT Shop. If there is an increase in requests for access to a share or a SharePoint folder, it may be a candidate to be watched for activity.
Data is considered “governed” when one of the following actions has occurred:
• Data has been explicitly placed under governance.
• Data has been published to the IT Shop.
• An owner has been assigned through the Calculate Perceived Owner operation.
Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information. The data is then placed in the central database to be used in compliance workflows such as policies and attestations.
The Data Governance server also periodically retrieves resource activity summary information and calculates perceived ownership suggestions. The activity summary information is also available in various dashboards, views, and reports in the Web Portal.
• Reports available for all data include: Resource Access, Resource Activity, Account Access, Account Activity, High Active Resources Without Owner, Local Rights and Service Identities, Group Members, Group Members Comparison, Member Of, Member Of Comparison, and Empty Groups.
• Reports available only for data under governance include: Data Owners vs. Perceived Owners, Perceived Owners for Data Under Governance, Top Active Content, and Top Active Accounts.
2 Step-by-Step Walkthroughs
• Personas
• Compare Account Access and Perform Group Membership Simulations
• Establish Data Ownership
• Govern Data
• Create an Access Policy
• Work with Governed Data through Dashboards and Views
• Request Data Access Through the IT Shop
• Perform an Attestation Review of Data Ownership and Security
Personas
The following personas are used in the step-by-step walkthroughs in this guide:
PERSONA / TASKS
Administrator: Uses the Manager to maintain and edit resource security; facilitate business owner and auditor requests; and investigate the rights of users and groups. This user must be assigned the Data Governance\Administrator application role.
Compliance Officer/Security Officer: Uses the Manager and the Web Portal to ensure policies are being enforced in the company; creates a “Governance Program” including policies and workflows. This user must be assigned the Data Governance\Access Manager and the Company policies/Administrator (to author policies) application roles.
Business Owner: Uses the Web Portal to review resource security and usage; approves or denies requests for resource access; requests access on behalf of others, such as a new employee; validates the security on resources through attestations. The business owner is an assigned role (when an employee is set as a business owner, or the employee is part of a role that is set as a business owner, in the Manager).
End user (Employee): Uses the Web Portal to make IT Shop requests to gain access to resources and is the target of various security and report queries.
Auditor: Uses the Web Portal to review reports and attestations to ensure the organization is in compliance with the required regulations. This user must be assigned the Auditor application role.
Compare Account Access and Perform Group Membership Simulations
(Personas: Administrator, Compliance Officer)
To ensure File System and SharePoint resources are secured in a manner that meets your business needs, you must be able to easily identify access to those resources. The Account Comparison feature enables you to compare the access of two different accounts and to simulate changes to group membership to see the potential effects in the environment. The results of the comparison show where the accounts hold identical access (same access), where there are deviations within their access (different access), and where the accounts have the same access but obtained it differently (similar access).
• Use case: Contain Group Proliferation
Over time, your organization’s groups may have grown to an unmanageable number. You need a method to continuously monitor your groups’ access and to determine how different the access rights are for similar groups, such as “Enterprise Legal” and “All Legal”. Using the Account Comparison feature, you can start to manage groups that provide the same or similar access levels, directly or indirectly, to resources.
• Use case: Prune Excess Rights/Follow a Least-Privilege Model
As employees move through different roles in an organization, they may retain access to information from a previous role. This is amplified when looking at ACLs on files/folders/shares on file systems, as a one-time access request may have been fulfilled in the past and never removed. Using Account Comparison, you can review and compare the access rights of a user with those of a user in a similar department to identify excessive permissions across a specified list of managed hosts.
• Use case: Resolve disparate access to resources for two users in the same business role
Resolve help desk calls that involve two users with identical titles, in the same department, who should both have access to a file but do not.
• Use case: Perform a simulation of group membership changes that may result from a resource access request
From within the Web Portal, the business owner and group owner can ask the administrator about the effects of adding an employee to a new group during the request approval process. Through Account Comparison, the administrator can see the complete picture of the resulting change to data access.
To compare accounts
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Account comparison.
3. Browse to select the source account. In the Source Account dialog box, click the browse button to add the user or group, and click OK.
To view the account’s current group membership, select the Expand group membership option, then select the member groups whose access you want to see. If you click the Add Group button and select additional groups, the comparison becomes a simulation of access.
4. Click OK to accept the source account settings.
5. Click the browse button to select the target account. In the Target Account dialog box, click the browse button to add the user or group, and click OK.
To view the account’s current group membership, select the Expand group membership option, then select the member groups whose access you want to see. If you click the Add Group button and select additional groups, the comparison becomes a simulation of access.
6. Click OK to accept the target account settings.
7. In the Type column, select a resource type from the list.
You can select more than one resource type to compare. You can select all types within a category by clicking the header and selecting a check box. You can also use Ctrl+A to select all types.
8. In the Host column, select a managed host from the list.
You can select more than one host to compare. You can select all hosts within a domain by clicking the header and selecting a check box. You can also use Ctrl+A to select all hosts.
9. Click Compare.
For each resource path to which either account has access, the rights of both accounts are shown. If a column has no entry, that account has no access to the resource.
You can modify your comparison by changing the source, target, types, or hosts, and then clicking Compare again.
10. Select one of the predefined layouts from the Layout list to view your results, or group the results to best suit your needs.
11. If you have created a custom layout, click the save icon, enter a descriptive name for the layout, and click OK.
To simulate changes to group membership
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Account comparison.
You can simulate changes to the source or target account, or to both. The simulation does not modify group membership; it shows the access that the current security information would grant if the change were applied.
3. Browse to select the source account. In the Source Account dialog box, click the browse button to add the user or group, and click OK.
4. Select Expand group membership to display all the current groups through which the selected user has access.
a) To simulate the access that will result from adding the account to a new group, click Add groups, select the required group, and click OK.
Simulated groups display in bold.
5. Click OK to accept the source account settings.
6. Browse to select the target account. In the Target Account dialog box, click the browse button to add the user or group, and click OK.
7. Select Expand group membership to display all the current groups through which the selected user has access.
a) To simulate the access that will result from adding the account to a new group, click Add groups, select the required group, and click OK.
Simulated groups display in bold.
8. Click OK to accept the target account settings.
9. In the Type column, select a resource type from the list.
You can select more than one resource type to compare. You can select all types within a category by clicking the header and selecting a check box. You can also use Ctrl+A to select all types.
10. In the Host column, select a managed host from the list.
You can select more than one host to compare. You can select all hosts within a domain by clicking the header and selecting a check box. You can also use Ctrl+A to select all hosts.
11. Click Compare.
Where the accounts hold identical access, the Difference Type displays as Same; where there are deviations within their access, it displays as Different; where the accounts have the same access but obtained it differently, it displays as Similar.
When a difference is found, the account with the access displays the details.
Group the results to best suit your needs by right-clicking the column header and choosing Show Group By box.
12. Save your layout by clicking the save icon, entering a descriptive name for the layout, and clicking OK.
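As an added illustration of what the comparison and the membership simulation compute, the following Python models effective access through nested groups, classifies each resource path as Same, Similar, or Different in the sense the walkthrough defines, and accepts simulated group additions the way the Add groups button does. This is example code written for this guide, not the product's implementation; the directory (GROUPS), the ACLs (ACLS), and the account and group names are constructed for the example.

```python
"""Illustrative model of Account Comparison and group-membership simulation.
Added example, not product code: GROUPS, ACLS and all names are constructed."""


def expand_groups(account, groups, simulated=()):
    """Return every group the account belongs to, directly or through nested
    groups. 'simulated' are groups the account is treated as a direct member
    of, which is what clicking Add groups does in the dialog."""
    member_of = set(simulated)
    frontier = [account, *simulated]
    while frontier:
        principal = frontier.pop()
        for group, members in groups.items():
            if principal in members and group not in member_of:
                member_of.add(group)
                frontier.append(group)
    return member_of


def effective_access(account, groups, acls, simulated=()):
    """Map resource path -> {trustee: rights} for every ACE that applies to the
    account, either directly (trustee is the account) or via group membership."""
    trustees = {account} | expand_groups(account, groups, simulated)
    access = {}
    for path, aces in acls.items():
        hits = {trustee: rights for trustee, rights in aces.items() if trustee in trustees}
        if hits:
            access[path] = hits
    return access


def compare_accounts(source, target, groups, acls, simulate_source=(), simulate_target=()):
    """One row per resource path that either account can reach, with the
    Difference Type used by the feature:
      Same      - identical rights obtained through the same trustees
      Similar   - identical rights obtained through different trustees
      Different - rights differ, or only one account has access
    Rights are compared as the set of granted right names; this simplified model
    does not merge overlapping NTFS masks into a single effective mask."""
    src = effective_access(source, groups, acls, simulate_source)
    tgt = effective_access(target, groups, acls, simulate_target)
    rows = []
    for path in sorted(set(src) | set(tgt)):
        s, t = src.get(path, {}), tgt.get(path, {})
        if not s or not t or set(s.values()) != set(t.values()):
            kind = "Different"
        elif set(s) == set(t):
            kind = "Same"
        else:
            kind = "Similar"
        rows.append({"path": path, "difference": kind, "source": s, "target": t})
    return rows


# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Everyone": {"alice", "bob", "carol", "dave"},
    "All Legal": {"alice", "bob", "Enterprise Legal"},
    "Enterprise Legal": {"carol"},
    "Finance Readers": {"bob"},
}

# Constructed ACLs: resource path -> {trustee: rights}.
ACLS = {
    r"\\fs01\Legal\Contracts": {"All Legal": "Modify", "Enterprise Legal": "Modify"},
    r"\\fs01\Finance\Budget": {"Finance Readers": "Read", "dave": "FullControl"},
    r"\\fs01\Public": {"Everyone": "Read"},
}


if __name__ == "__main__":
    # Prune-excess-rights check: two legal users compared as they are today.
    for row in compare_accounts("alice", "carol", GROUPS, ACLS):
        print(f'{row["path"]:26} {row["difference"]:9} {row["source"]} | {row["target"]}')
    # What-if: the access alice would gain if an approver adds her to Finance Readers.
    for row in compare_accounts("alice", "bob", GROUPS, ACLS, simulate_source=("Finance Readers",)):
        print(f'{row["path"]:26} {row["difference"]:9} {row["source"]} | {row["target"]}')
```

In the constructed data, alice and carol both reach the Contracts folder with Modify, but alice through All Legal and carol through the nested Enterprise Legal group, so the row is Similar rather than Same; that is the case the Contain Group Proliferation use case is looking for. Simulating Finance Readers for alice turns the Budget row from Different to Same without touching the directory.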
Establish Data Ownership
(Personas: Administrator, Compliance Officer)
IT administrators want to identify business owners for the resources they manage in order to bring accountability. Once identified, a business owner can help approve access requests before IT fulfills them. This empowers business owners not only to act as gatekeepers but also to confidently execute downstream attestations of authorized use of data for compliance.
As organizations are organic and people change their roles, the product provides two key approaches to staying continuously compliant:
• Schedule periodic “Business Owner” attestations to assess whether the currently assigned business owners are still accountable for the data that is marked with their ownership.
• Generate the Perceived Owner vs. Current Owner report to track whether there should be an ownership change.
Data Governance can also suggest an appropriate owner for the data, based on usage and access, through the Manager/Identity Manager.
To determine perceived owners through the Manager/Identity Manager based on activity
1. In the Navigation view, select Managed hosts.
2. Select the required managed host from the Managed hosts tab.
3. In the Tasks view, select the Resource browser.
4. Browse to and select the required resource, and select Calculate perceived owner in the Tasks view.
The calculation is performed to determine the perceived owner based on activity.
The perceived owners (and the associated Employees) are listed and ranked in percentage points based on their level of activity.
If the data has been placed under governance, you will see additional information, including whether it has been published to the IT Shop and whether it has an assigned business owner.
5. You can select a different time period over which to perform the calculation from the list.
An account is only eligible to be set as an owner if it has an associated Employee.
The assigned ownership can now be confirmed through an “ownership” attestation. For details, see Perform an Attestation Review of Data Ownership and Security on page 43.
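The following Python is an added illustration of the ranking the Calculate perceived owner task is described as producing: accounts are ranked by their share of activity on a resource within a chosen time window, and an account without an associated Employee is not eligible. It is example code for this guide, not the product's calculation; the activity events, the account-to-employee mapping, and the choice to express the percentage as a share of all activity on the resource in the window are assumptions of the example.

```python
"""Illustrative model of the perceived-owner ranking. Added example, not the
product's calculation: events, accounts and the percentage basis are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed mapping of accounts to Employees; the backup service account has none.
ACCOUNT_TO_EMPLOYEE = {
    "CONTOSO\\bbuckley": "William Buckley",
    "CONTOSO\\broberts": "Becky Roberts",
}

NOW = datetime(2024, 6, 30, 12, 0)
HR = r"\\fs01\HR"


def _events(account, resource, count, days_ago):
    """Build `count` constructed activity events for one account, `days_ago` days back."""
    return [(NOW - timedelta(days=days_ago, minutes=i), account, resource) for i in range(count)]


# Constructed activity summary: (timestamp, account, resource).
EVENTS = (
    _events("CONTOSO\\bbuckley", HR, 6, 3)
    + _events("CONTOSO\\broberts", HR, 3, 5)
    + _events("CONTOSO\\svc_backup", HR, 1, 1)
    + _events("CONTOSO\\broberts", HR, 5, 90)              # older burst of HR activity
    + _events("CONTOSO\\bbuckley", r"\\fs01\Finance", 20, 2)  # activity on another resource
)


def perceived_owners(events, resource, account_to_employee, now=NOW, days=30):
    """Return [(employee, account, percent)] ranked by activity on `resource`
    within the last `days` days. The percentage is the account's share of all
    activity on the resource in the window (an assumption of this model).
    Accounts with no associated Employee still count toward the total but are
    not eligible and so do not appear in the ranking."""
    cutoff = now - timedelta(days=days)
    counts = Counter(acct for ts, acct, res in events if res == resource and ts >= cutoff)
    total = sum(counts.values())
    ranked = []
    for account, n in counts.most_common():
        employee = account_to_employee.get(account)
        if employee is None:
            continue
        ranked.append((employee, account, round(100 * n / total, 1)))
    return ranked


if __name__ == "__main__":
    for days in (30, 120):
        print(f"last {days} days:", perceived_owners(EVENTS, HR, ACCOUNT_TO_EMPLOYEE, days=days))
```

With the constructed events, a 30-day window ranks William Buckley first on the HR share, while a 120-day window picks up Becky Roberts' earlier activity and ranks her first. That is why step 5 above, choosing the time period, matters: confirm the suggestion against a window that matches how the data is actually used before assigning the owner.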
Govern Data
Once a resource has been placed under governance, you have the option to publish it to the IT Shop and/or to select the business owner. Publishing a resource to the IT Shop makes it available for users to request access to it. Assigning a business owner for a resource establishes the custodian for the data. The business owner is the employee who understands the nature of the data and the list of authorized users. This individual has the best knowledge of the resource in question and of whether access should be granted or denied.
For this scenario:
• Through the Manager, the administrator will place the Finance folder under governance, publish it to the IT Shop, and make William Buckley the owner. Once this is complete, the resource will be available for employees to request access to it.
To place a resource under governance
1. In the Navigation view, select Managed hosts.
2. Select the required managed host from the Managed hosts tab.
3. In the Tasks view, select the Resource browser.
4. Browse to and select the required resource, and select Place resource under governance from the Tasks view.
5. Click Yes in the confirmation dialog box.
You cannot assign an owner unless the data is governed.
6. In the Navigation view, select Governed data overview.
7. Select the required resource, and select Change master data in the Tasks view.
The General tab displays the resource information, including the network path, resource type, the last time the resource security information (and that of its children) was synchronized and included in the Identity Manager database, whether the resource is included in a security index root that is being scanned by an agent, and whether the resource is up to date.
A resource is deemed stale if it has not been scanned by any of your agents. To rectify this situation, search for the resource in question and place it under governance again. From here you can also choose to publish the resource to the IT Shop. Once it has been published to the IT Shop, employees can request access to it. For an example, see Request Data Access Through the IT Shop on page 37.
8. Select the Business Owner tab to assign an owner for the resource.
Create an Access Policy
(Personas: Administrator, Security Officer)
Company policies exist to ensure that the protocols and procedures required by your company are followed. Policies are configured by an administrator, but the decisions that need to be made in order to fix any security breaches may belong to you or your employees.
A policy could state that “Users should not have direct access to NTFS resources”, to ensure that access has been granted only through group membership, or provide a violation check such as “Everyone should not have Full Control to data under governance”. Assuming the appropriate data is stored in the database, Identity Manager determines all the company resources that violate these company policies. Adherence to company policies is checked regularly using scheduled tasks.
Maintaining consistent access policies on data ensures that a system of least privilege is in place. Through the Manager/Identity Manager you can manage company policies and assess the risk involved. Policies can be assigned to compliance frameworks and groups for categorization; they can have accountable and exception approvers, a risk index, and assigned mitigating controls for risk reduction.
Before a resource can be used in the creation of policies, it must be placed under governance. For details, see Govern Data on page 28.
To create a policy
1. In the Navigation view, select Company Policies | Policies.
2. Click the add icon to create a new working copy of the policy.
3. Enter all the required information for the policy.
4. Save your policy.
5. In the Tasks view, select Enable working copy.
The company policy is not added to the database until the working copy is enabled. The copy remains and can be used for making changes to the company policy later.
Example Data Access Policies
This example shows a policy that checks for unauthorized access. The condition identifies all data under governance with the following access: Everyone, Full Control.
This example shows a policy that detects whether users have direct access to a resource. Direct access violates the company policy that states that users should only have access to resources through group membership (indirect access).
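The two example policies above reduce to checks over the scanned security information. The following Python is an added illustration of those two checks run over constructed ACL entries; it is example code for this guide, not the product's policy engine, and the ACEs, the principal directory, and the set of governed resources are constructed for the example. Real NTFS evaluation also involves Deny entries and inheritance flags, which this model reduces to a single inherited flag.

```python
"""Illustrative model of two company policies: 'Everyone should not have Full
Control to data under governance' and 'Users should not have direct access to
NTFS resources'. Added example, not the product's policy engine: the ACEs,
principals and governed set are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    resource: str      # resource path the entry is set on
    trustee: str       # account, group or well-known principal
    rights: str        # "Read", "Modify", "FullControl", ...
    inherited: bool    # True if inherited from a parent object


# Constructed principal directory: trustee name -> kind.
PRINCIPALS = {
    "Everyone": "well-known",
    "CONTOSO\\Finance Readers": "group",
    "CONTOSO\\Domain Admins": "group",
    "CONTOSO\\sharris": "user",
    "CONTOSO\\bbuckley": "user",
}

# Constructed set of resources that have been placed under governance.
GOVERNED = {r"\\fs01\Finance", r"\\fs01\Finance\Billing", r"\\fs01\Public"}

# Constructed security information, as an agent scan would report it.
SAMPLE_ACES = [
    Ace(r"\\fs01\Finance", "CONTOSO\\Finance Readers", "Read", False),
    Ace(r"\\fs01\Finance", "CONTOSO\\Domain Admins", "FullControl", False),
    Ace(r"\\fs01\Finance", "CONTOSO\\sharris", "Modify", False),         # direct user ACE
    Ace(r"\\fs01\Finance\Billing", "CONTOSO\\sharris", "Modify", True),  # same ACE, inherited
    Ace(r"\\fs01\Finance\Billing", "CONTOSO\\Finance Readers", "Read", True),
    Ace(r"\\fs01\Public", "Everyone", "FullControl", False),             # violation
    Ace(r"\\fs01\Scratch", "Everyone", "FullControl", False),            # not governed: out of scope
]


def everyone_full_control(aces, governed):
    """Policy: Everyone should not have Full Control on data under governance."""
    return [a for a in aces
            if a.resource in governed and a.trustee == "Everyone" and a.rights == "FullControl"]


def direct_user_access(aces, governed, principals):
    """Policy: users should only reach governed resources through group membership.
    Inherited entries are skipped so that one direct ACE set on a parent is
    reported once, at the object where it was granted, rather than on every
    child that inherits it."""
    return [a for a in aces
            if a.resource in governed
            and principals.get(a.trustee) == "user"
            and not a.inherited]


def evaluate_policies(aces, governed, principals):
    """Run both checks and return the violations keyed by policy name."""
    return {
        "Everyone should not have Full Control to data under governance":
            everyone_full_control(aces, governed),
        "Users should not have direct access to NTFS resources":
            direct_user_access(aces, governed, principals),
    }


if __name__ == "__main__":
    for policy, violations in evaluate_policies(SAMPLE_ACES, GOVERNED, PRINCIPALS).items():
        print(policy)
        for v in violations:
            print(f"  {v.resource}  {v.trustee}  {v.rights}")
```

Note that the ungoverned Scratch share carries the same Everyone/Full Control entry as Public but is not reported, which matches the requirement above that a resource be placed under governance before policies apply to it; a policy check is only as complete as the set of resources you have governed.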
Managing Policies
Regular testing of company policies is managed through schedules. A “default schedule” is assigned to every new company policy. You can customize the supplied schedule to meet your requirements or set up your own schedules and assign them to the company policies.
Processing tasks are created for the DBScheduler to test the validity of a company policy. The DBScheduler determines which employees satisfy the company policy and which employees violate the policy, for each company policy. The specified company policy approvers can test policy
You can also get an overview of the approval status of each policy violation in the Identity Manager and the Manager. To do this, open the overview form of the original company policy whose policy violations you want to look at. You will see all new, granted, and denied policy violations.
Assuming that you have been assigned the appropriate role and permission to do so, you can view resources with attached policies and any associated violations through the Compliance | Resource Access menu in the Web Portal. For details, see Work with Governed Data through Dashboards and Views on page 33.
Work with Governed Data through Dashboards and Views
(Personas: Business Owner, Compliance/Security Officer)
The Web Portal provides a clear, 360-degree view of employees and their access to File System and SharePoint resources through dashboards, views, and reports.
Dashboards are graphical summaries of information that can be customized to display the objects and statistics that interest you. The dashboards you see from the Info System menu depend on your roles and permissions. The information is updated daily, so checking your dashboards regularly can help you understand any issues that need addressing.
Views provide additional detailed information about yourself, your responsibilities, your history of actions, and governed data. Depending on the type of information you need and your access permissions, you can grant or deny access to data, generate reports, address policy violations, and attest to data integrity (ownership and security permissions).
As a business owner, you can access:
• Dashboards that provide a summary of requests over the past year for resources that you own; the number of your overdue and approaching attestations; the number of current policy violations; and a graph of the policy violations over the past year.
• Views that provide information on governed resources that you own. This includes activity, associated policies, resource details (including associated reports), and requests and attestations that you are involved with. For examples, see Request Data Access Through the IT Shop on page 37 and Perform an Attestation Review of Data Ownership and Security on page 43.
• Additional reports through subscriptions. For details, see Subscribe to Activity and Access Reports on page 48.
Dashboards used to help ensure data governance
DASHBOARD / INFORMATION
High Risk Overviews for Governed data: Displays the highest risk items under your responsibility. This can help you set priorities for managing your resources.
Governed data: Provides an overview of the most active resources and the employees who have the most activity on governed resources; the proportion of governed resources that have related policies; the number of resources that are governed, owned, or published in a given time frame; and a summary of the governed resources.
Attestation: Provides information regarding your need to confirm that resource ownership and access have been properly applied and adhere to your organization’s policies and guidelines.
Compliance: Displays details on policy programs and associated violations. This information is vital in ensuring that your network environment meets security standards.
Sample information available to a Business Owner
The Business Owner can drill further into the resource for additional information and reports. The Overview tab identifies the users/groups who have access to the resource he owns (“C$\Finance”).
As a compliance/security officer, you can access:
• Dashboards that provide a summary of outstanding and overdue attestations; Governed Data information (Published, Owned, Published but not owned, Activity Last “n” days); policy programs and applicable policies; employees by risk index; and high risk resources.
• Views that provide detailed information on governed resources (including reports), overdue attestations, and policy violations.
• Additional reports through subscriptions. For details, see Subscribe to Activity and Access Reports on page 48.
The Reports tab displays available reports that can be run on demand (Generate Report) or on a schedule.
As an employee designated with the Auditor application role, you have read-only access to:
• Views that allow you to browse through all relevant compliance data such as user profiles, roles, entitlements, attestations, compliance rules, policy violations, resource access and ownership, requests, and approvals. The information available from this view enables you to prove and certify that the requirements on access to and ownership of your unstructured data are being met.
Sample attestation policy details
Request Data Access Through the IT Shop
(Personas: Administrator, Business Owner, Group Owner, Employee)
Publishing a resource to the IT Shop places it under governance and makes it available for users to request access to it. Each request is processed by a flexible, policy-based approval process, which helps maintain data governance. The IT Shop avoids time-consuming demands within the company and reduces the administration effort. The request history also makes it possible to follow who requested which company resource and when it was requested, renewed, or canceled.
You can publish NTFS shares, folders, and files, and SharePoint objects from the site level and below. Because the IT team has historically been the only group who could modify data access permissions, they have been in the role of deciding who permissions are given to. The administrator, however, may not have the information needed to properly govern data access.
For this scenario:
• The Finance share has been placed under governance and published to the IT Shop. William Buckley has been designated as the business owner. For details, see Govern Data on page 28. The folder is available for resource access requests.
• Through the Web Portal, Scott Harris will request access to the Billing, Patient Records, and Budget and Expenditure folders located on the Finance share. William Buckley will approve the request for the first two folders and deny the request for the Budget and Expenditure folder.
• Through the Web Portal, Joan Bloggins, the group owner and next in the workflow to approve or deny the request for access, will approve the request. Note that resource access is granted through group membership.
Requests follow a defined approval process that determines whether access to the data can be assigned or not. Authorized persons, in this case the business owner and group owner, can approve or deny IT Shop requests. Once the business owner approves a request, it is forwarded to the group owner to complete the workflow.
To make an IT Shop request in the Web Portal
1. When an employee (Scott Harris) logs in to the Web Portal, the Welcome page shows the items available for him to request. One of the options is Resource Access.
Sample Welcome page
2. To request access to the required folders, he clicks Resource Access, checks the File system option, and clicks Add to shopping cart.
3. Next, he selects File system access and clicks Add to shopping cart.
4. He selects the required folders and clicks OK.
He can select the information icon to view the detailed information associated with a folder to ensure it is the resource that he needs.
5. By selecting Requests, and then Shopping Cart, from the menu, he can view his pending requests and select the type of access required.
We can see that he has requested Read access to the Budget and Expenditure and Patient Records folders and Write access to the Billing folder.
He can select the Actions option to include a reason for the request and the duration required for the access.
Sample Shopping Cart view with requests
6. Next, he selects Check & submit shopping cart, and Yes to confirm the request.
This checks the request for possible errors and submits it to the employee responsible for approving it. In this case, the first step in the approval workflow is completed by the business owner.
He can also select My Actions and then Request History from the menu options to see the status of his pending request.
By selecting the information icon, he can view detailed information about the request, including who will need to approve it.
The request is now sent to William Buckley, the Business Owner of the resource, who will approve or deny it.
To approve or deny the request
1. When William Buckley, the business owner, logs in to the Web Portal, his Welcome page shows that he has pending requests.
2. To view the details of the request, he selects My Actions, then Pending Requests, from the menu.
Sample Next Decision view
Assigning resource access is best accomplished through group membership, so the first step in the approval workflow is identifying the required group to which to add the employee. When the Select a group option is clicked, a calculated list of appropriate groups is displayed.
Sample list of “Best fit” groups. The details on how this is calculated are found in the Data Governance User Guide.
3. He selects the group that he feels is required and clicks Request and Close.
4. He can now approve or deny the request.
Once he saves his changes, the approved requests go to the group owner (the next step in the workflow), asking to add Scott Harris to the selected group. The denied requests are sent back to Scott Harris, the employee who made the initial request.
5. When Joan Bloggins, the group owner, logs in to the Web Portal, she sees her pending requests.
From here she can either select the information icon to see details of the request, approve it directly, or select My Actions and then Pending Requests for more options.
From the Pending Request view and the Actions option, she can view the exact resource that has been requested and ask for help.
For example, she can ask the administrator to send her information on the repercussions of making Scott Harris a member of the selected groups. The administrator can then use the Account Comparison feature in the Manager to simulate and see the effects of the group membership changes before applying the updates.
6. Once she is satisfied that the access is appropriate, she approves the request.
Scott Harris now has the access to the resources he needs to perform his duties, and the business can be confident that the granting of access has passed through all the correct channels to ensure data governance.
Perform an Attestation Review of Data
Own-ership and Security
(Personas: Compliance Officer, Business Owner, Group Owner, Auditor)
Attestation reviews ensure that the business has a clear statement of employee’s data access and en-sure that access to resource including NTFS and SharePoint data is correct. The process of carrying out attestation on a regular basis is referred to as recertification because at specified time intervals, al-ready certified or approved access are reconfirmed.
To comply with internal policies and industry regulations, managers and data owners need to regularly attest that employees need the access they have been granted. This is a crucial task for organizations in health care, organizations that accept credit cards as forms of payment, government departments, financial institutions, and any publicly traded company.
Since data and the required access and ownership in your environment is constantly evolving, it is im-portant to schedule regular attestation to ensure accuracy, policy adherence, and security. You can then generate detailed reports for auditors to prove adherence to regulations.
Access certification can be a challenge due to a lack of information, understanding, and a well defined process. Business managers understand employees’ roles but not their access rights; IT managers un-derstand employees’ access rights but not their legitimate access needs.
Identity Manager simplifies and automates the attestation process to ensure that every employee has the right access to do their job, nothing more. The attestation process places responsibility for the at-testation review with data/Business owner as they have the best knowledge of the data and its in-tended use.
An auditor can review the attestations procedures through the Web Portal. This enables you to prove and certify that access and ownership compliance rules are being met. For details, see Work with Gov-erned Data through Dashboards and Views on page 33.
For this scenario:
• Through the Web Portal, Sophia Gracer will define a “resource ownership” and a “resource se-curity” attestation policy.
• Through the Web Portal, William Buckley can attest to the access for the data he owns. • Sophia Gracer will also create a Resource Ownership policy that will specify that William
Buck-ley should attest to the owner of the Human Resources Folders. The owner was assigned based on the “calculated perceived owner” based on activity level. In this case, the owner should be Becky Roberts. For details, see Establish Data Ownership on page 27.
To create an attestation policy
1. Sophia Gracer logs in to the Web Portal and selects Compliance | Attestation Policies from the menu. To create a new policy, she selects New attestation policy.
She enters the policy details, including the name, type (a template with basic workflow and object definitions), approval policy (whether the attestation will be performed by the resource’s owner or by a specified user), schedule, and the number of days within which the attestation must be completed.
2. For the Resource Security policy, she selects the objects for the attestation by clicking the Add condition icon.
For this scenario, we will show how to include specific resources.
[Figure: Sample policy creation form]
3. She selects the required resources and clicks OK.
4. When she is satisfied with the policy, she saves it.
The same process will be followed to create the resource ownership attestation policy. This example shows the creation of a Resource Ownership policy for the Human Resources share, with William Buckley being assigned as the Attestor.
[Figure: Sample resource selection]
Once created, the policy is in place and runs according to the selected schedule; the resulting attestation is received by the employee who will perform it, based on the policy settings. They will see it listed under their Actions when they log in to the Web Portal.
However, as the Compliance Officer, she can choose to force the attestation policy to run immediately from the Manager.
To immediately create attestation cases
1. In the Manager, select Attestation.
2. In the Navigation view, select Attestation Policies.
3. Double-click the new attestation policy.
4. In the Tasks view, select Change master data.
5. In the Tasks view, select Run attestation for single objects.
6. Select the object to run the attestation policy against, and click Run.
The attestation policy will immediately run and be received by the employee who will perform the attestation. They will see it listed under their Actions when they log in to the Web Portal.
[Figure: Sample resource ownership policy]
To perform an attestation
1. When a user logs in to the Web Portal, they can choose to view their pending attestations from the My Actions menu.
When William Buckley logs in to the Web Portal, he will see the pending “resource ownership” attestation.
2. If he is satisfied that he can attest to the resource ownership, he can select Approve and Save.
[Figure: Sample pending attestation view]