Seven Steps to Designating Owners of Unstructured Data

for each document library. (The scripts in this article provide an example.) For each document library, you need at least this information:

• Farm
• Site collection name
• Document library URL

How One Identity can help

Identity Manager - Data Governance Edition scans your file servers, file-sharing appliances and SharePoint site collections to automatically identify unstructured data stores.

Step 2. Analyze Potential Owners

At this point, you have a list of all shared folders and document libraries, so you’ve documented all the most likely places where unstructured data might reside on your network. The next step is to analyze these data stores to determine likely owners.

The best owner for a given store of unstructured data is someone who understands the information and works with it regularly (or whose direct reports work with it). The owner needs to be at an organizational level with the authority to make entitlement decisions, as well as the perspective to take into account the business and security implications of granting access to this information.

To find this person, you need to analyze the unstructured data store and its metadata, essentially asking four questions:

• What type of information is in the store?
• Who can access the data?
• Who regularly accesses the data?
• Is the data subject to information security policies?

What type of information is in this store?

Determine the dominant file types within the document library or folder. For shared folders, WinDirStat is a useful open-source tool for graphically rendering folder structure, data size and file types. You can quickly see how much data is present, how it’s organized into folders, and which file types are represented. However, if all the documents are a generic format (such as Microsoft Word or PDF), you’ll need to dig deeper by actually looking at the contents of the data. Your goals are to determine the most important types of stored documents, to understand their business importance to the organization, and to find out what sensitive data (if any) resides in them. You might need to interview people who are frequent users of the data, which brings us to the next question…

Who has permission to access this data?

Obviously, anyone who uses a given data store must have permissions to it before he or she can access it. So, to identify people who should know more about the unstructured data within a given store, look at the permissions on the folder or library in question. Ideally, you’ll document current permissions for each data store.

Typically, the access control list (ACL) for folders and libraries will list one or more groups, each with specific entitlements. Your next step is to understand the membership of each group. Be aware that on Windows file servers, permissions may be granted to local groups unique to that computer. A better practice is to use AD domain groups. Likewise, SharePoint supports both AD domain groups and SharePoint groups unique to SharePoint.

Just because a given group has access to a data store doesn’t mean that all its members access the information. Entitlements are commonly much broader than necessary. This happens because of the absence of a knowledgeable data owner, because busy administrators sometimes lack an understanding of the data and business requirements, and simply because permissions become outdated over time. Therefore, a data store’s permissions might not help you zero in on the key users of that data. However, documenting the current entitlements on the data store is still a necessary step, as you’ll see later in the process. But the next question provides an effective way to find the real users of a given data store.

Who regularly accesses this data?

To find out who actually uses a document, you can use access auditing. Both Windows NTFS and SharePoint provide an audit capability. By enabling auditing for a period, you can analyze the logs for usernames that show up frequently. Enabling auditing on either platform requires access to the administrative controls and is complicated.

NTFS auditing — Windows provides two audit categories for auditing access to shared folders. You can enable the Detailed File Share subcategory on a given system, and Windows will begin recording every file access for all shared folders on that computer with event ID 5145, which logs the username, computer name, shared folder and file name. Event ID 5145 also logs the type of access (such as Read, Write or Delete) so that you can distinguish between users who produce and modify data, as opposed to those who just read it.

For more granular control over what activity is audited, you can use the File System audit subcategory. If you use this subcategory, you’ll need to define audit policy on each folder you want to track, specifying who to audit and which types of access to track. This category produces event ID 4663, which logs essentially the same information as ID 5145.

File auditing in the Windows security log is complex because you must either cope with the system auditing every access to every file (Detailed File Share category) or configure audit policy on each folder (File System category). Either way, the events logged by Windows are famously cryptic and have a high degree of noise and duplication. Furthermore, each computer records security events to its local log. Ultimately, there’s no way to effectively analyze access events without knowledge of the arcane Windows security log. Plus you need a log management tool to consolidate logs from multiple systems and perform the filtering and summarization necessary to identify the key users of a given folder.

SharePoint auditing — SharePoint auditing is controlled at the site collection level. SharePoint farms often have thousands of site collections, and enabling auditing is a manual operation accessed through each site collection’s Site Collection Administration pages. With SharePoint, you choose which types of access (such as View, Create, Update or Delete) to audit for the entire site collection. The audit process includes all objects, which means — particularly in
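The consolidation and summarization step described for NTFS auditing can be scripted once the 5145 and 4663 events have been exported from each file server. The following is an added example, not code from the white paper or from One Identity: it reads records whose keys mirror the events' EventData fields (SubjectUserName, ShareName, ObjectName, AccessMask), ranks the users of each data store by activity, and separates those who wrote or deleted from those who only read; the sample records and host names are constructed.

```python
"""Rank the users of each shared folder from exported Windows file-access audit
events (IDs 5145 and 4663), separating writers from readers. Added example, not
from the white paper; field names follow the events' EventData, unused ones omitted."""
from collections import Counter, defaultdict

READ_BITS = 0x0001                               # FILE_READ_DATA / FILE_LIST_DIRECTORY
WRITE_BITS = 0x0002 | 0x0004 | 0x0040 | 0x10000  # WriteData, AppendData, DeleteChild, DELETE

def classify_access(access_mask):
    """Map an AccessMask (hex string as exported, or int) to read/write/other."""
    mask = int(access_mask, 16) if isinstance(access_mask, str) else access_mask
    if mask & WRITE_BITS:
        return "write"
    return "read" if mask & READ_BITS else "other"

def store_of(event):
    """5145 names the share; 4663 carries only a local ObjectName, so use its folder."""
    if event["EventID"] == 5145:
        return event["Computer"] + ":" + event["ShareName"]
    return event["Computer"] + ":" + event["ObjectName"].rsplit("\\", 1)[0]

def summarize(events, min_events=2):
    """Per store: users ranked by access count (one-off visitors below min_events
    dropped) plus the subset that modified data, consolidated across hosts."""
    per_store = defaultdict(Counter)
    for ev in events:
        kind = classify_access(ev["AccessMask"])
        if kind == "other":                      # attribute/permission checks only
            continue
        user = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        per_store[store_of(ev)][(user, kind)] += 1
    result = {}
    for store, counts in per_store.items():
        totals = Counter()
        for (user, _), n in counts.items():
            totals[user] += n
        result[store] = {
            "ranked_users": [u for u, n in totals.most_common() if n >= min_events],
            "writers": sorted({u for (u, k) in counts if k == "write"}),
        }
    return result

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"EventID": 5145, "Computer": "FS01", "SubjectDomainName": "CORP", "SubjectUserName": "alice", "ShareName": r"\\*\Finance", "AccessMask": "0x3"},
    {"EventID": 5145, "Computer": "FS01", "SubjectDomainName": "CORP", "SubjectUserName": "bob", "ShareName": r"\\*\Finance", "AccessMask": "0x1"},
    {"EventID": 5145, "Computer": "FS01", "SubjectDomainName": "CORP", "SubjectUserName": "bob", "ShareName": r"\\*\Finance", "AccessMask": "0x1"},
    {"EventID": 5145, "Computer": "FS01", "SubjectDomainName": "CORP", "SubjectUserName": "carol", "ShareName": r"\\*\Finance", "AccessMask": "0x80"},
    {"EventID": 4663, "Computer": "FS02", "SubjectDomainName": "CORP", "SubjectUserName": "dave", "ObjectName": r"D:\Shares\HR\reviews.xlsx", "AccessMask": "0x10000"},
]
```

The min_events threshold is the noise filter the text calls for: with real exports, raise it until the ranked list is short enough to interview, and treat the writers set as the first candidates for data ownership.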