Identity Manager – Data Governance Edition

Data governance that puts you in control of sensitive data access

Provide security and access rights to the appropriate users.

Identity Manager - Data Governance Edition protects your organization by giving access control to the business owner rather than the IT staff. The business owner can grant access to sensitive data. With the Identity Manager restricted access functionality, you define access policies for your organization. You have the power to analyze, approve and fulfill unstructured data access requests to files, folders and shares across NTFS, NAS devices and SharePoint, ensuring that sensitive, unstructured data is only accessible to approved users. Identity Manager automates the request-and-approval workflow, ensuring security and reducing the burden on your IT staff.

Features

  • Restricted access – Ensures that your organization’s sensitive, unstructured data is only accessible to approved users by enabling you to define access policies; also locks down sensitive data such as files, folders and shares across NAS devices, NTFS and SharePoint.
  • Data owner assignment – Enables you to evaluate usage patterns and read and write access to help you determine and assign the appropriate owner of data for all future access requests.
  • Simplified auditing – Provides you with key information for audit preparations by allowing you to identify user access to enterprise resources such as files, folders and shares across NAS devices, NTFS, and SharePoint.
  • Automated access requests – Enables you to automatically direct access requests from the request portal to the appropriate data owner using built-in workflows, with no burden on your IT staff because approved requests are automatically and correctly fulfilled.
  • Access verification – Enables you to monitor user and resource activity, and configure and schedule a recertification process for data owners to verify and attest to employee access, thus ensuring that only approved users have access to specific resources.
  • Personalized dashboard – Enables you to view trends, historic and current data access activity, and attestation status on your personalized dashboard, and then allows you to generate compliance reports from that data.

To add the automation of securing and classifying unstructured data, please see the Classification Module for Identity Manager - Data Governance Edition.

Specifications

Before installing Identity Manager Data Governance Edition 6.1, ensure your system meets the following minimum hardware and software requirements:

Data Governance Server

Note: To configure a Data Governance server, the user must belong to the Administrators group of the computer hosting the server.

System Requirements:

  • 64-bit Windows Server OS (Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012)
  • Quad-core CPU
  • 100GB free disk space
  • 16GB RAM

Software Requirements

  • .NET 4.0

Note: Dell Software only provides a 64-bit server for Data Governance. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.

Account Requirements

  • You must be an administrator of the computer on which you are installing the Data Governance Server.
  • You must have the credentials of an account that can be used to create a database on the SQL server being used by the Data Governance Server.
  • You must have the credentials of an account that can be used as a Service Account for your managed domains.

Data Governance Activity Database

System Requirements:

Note: You can use your pre-existing Identity Manager database server to host the Activity Database.

  • Quad-core CPU
  • 100GB free disk space
  • 16GB RAM

Agent

System Requirements:

  • Windows Server 2003 (R2), Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit), Windows Server 2012 (Note: New Dynamic Access Control (DAC) features are not supported.)
  • 500 MHz+ Processor
  • 1024 MB RAM
  • 100 MB free disk space for every 1,000,000 files / folders scanned

Note: Real-time file system updates and resource activity tracking are not supported on versions of ONTAP NetApp filers earlier than 7.3.


Note: Additionally, the following Network Attached Storage devices are supported as managed hosts, but must be scanned remotely: NetApp 7.3, 8.0 and 8.1, EMC Celerra 5.6, EMC VNX 7.0. Windows 2008, Windows 2008 (R2), and Windows 2012 failover clusters are supported as remote managed host types. Resource activity tracking is not supported for clusters.

Note: When an agent is installed on Windows Server 2012, you must disable the following local policy: "User Account Control: Run all administrators in Admin Approval Mode".

Additional Software

Report Requirement

  • For Data Governance reports to function, proper authentication checks must be performed. This is accomplished by configuring the job server service to log on as an Active Directory account associated with an Employee who has been assigned the Data Governance Administrator application role. This job server must be configured with the SMTP Host server mask to ensure it is the job server that runs the reports.

Web Portal Requirement

  • To access Identity Manager Data Governance Edition functionality in the Web Portal, you must configure IIS to use Integrated Authentication.
  • If the web server hosting the Identity Manager Web Portal is running on the same computer as the Data Governance server, you must set the ‘ImpersonateWcfCalls’ IIS application setting to TRUE.
  • If the web server hosting the Identity Manager Web Portal is running on a different computer than the Data Governance server, you must include entries in the ‘ExplicitlyAllowedIdentities.txt’ file for the IIS host computer's Active Directory account.

SharePoint Requirements

  • Scanning SharePoint Server 2010 is supported.
  • Standalone farms are not supported.
  • Farms configured with only Local Users/Groups are not supported.
  • Ensure that the service account configured for the SharePoint managed host is a SharePoint Farm Account (same account that is used to run the SharePoint timer service).

SharePoint Recommendations

  • Recommend installing the agent on a dedicated SharePoint 2010 Application Server in the farm and not on a Web Front server (to reduce processing load on the web front end server).
  • Recommend 100GB disk space on the SharePoint agent computer for data storage and scan post-processing activities. The space required is dependent on the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm.
  • Recommend 8GB RAM for the SharePoint agent computer.

Resources

Screenshots

Identity Manager

Take a tour of key functionality in Identity Manager - Data Governance interface to experience its capabilities and ease of use.

File System Activity

Users can see a list of the most active file system resources for which they are responsible.

Pending Attestations

Managers can see a list of the pending attestations awaiting their decisions.

Governed Data Dashboard

Configurable dashboard displays enable managers to understand what data is being used the most and by whom.

Access Overview

Drill down detail enables managers to quickly see which roles have access to governed data.

User Access Overview

Managers can view all the access a particular user has, in one easy glance.

Pending Requests

Managers can view all the pending access requests awaiting their decisions. These requests are automatically directed through to the appropriate manager who is responsible for the data in question.

High Risk Overview

The High Risk Overview dashboard helps compliance and security officers see what data and resources are most at risk within their environments.

Account Comparison

The top image shows an account comparison display where different groups have the same or similar access, whereas the lower report shows an account comparison display where two groups differ in their access.