Data Remediation Policy
A Data Remediation policy is a set of rules that govern the actions run on files based on the results of the Data Classification process.
Each File Access Manager deployment has a data remediation policy that spans all the deployment’s applications.
Each Data Remediation rule consists of:
- Categories - The data classification categories that, when assigned to a file, trigger the rule.
- Scope - Whether the rule is triggered by application, by application type, or is not limited by either [unlimited].
- Script path - The path to a script to be executed on the files that match these categories.
Note
The script must be written in PowerShell and can accept both the filename and the category as parameters, and return an error message in case it fails.
A Data Remediation script is executed on a file that matches one of the Data Remediation rules. Each rule can run a single script.
The Data Remediation scripts are executed by the Data Classification service of the installed application. The service periodically queries the database for new scripts pending execution, executes them, and writes the execution results to the logs.
You can track the execution of the Data Remediation rules by generating log reports.
To set a Data Remediation Policy, navigate to Compliance > Data Classification > Data Remediation.
The data remediation has the following options:
- Generate Report - Run or schedule a report based on the remediation rules, according to the requested time period.
- New Rule - Create a data remediation rule.
Each Data Remediation line has the options Edit and Delete.
Note
Data Remediation allows you to run any operation on classified files, including encryption.
Create a Data Remediation Rule
To set a new Data Remediation rule:
Navigate to Compliance > Data Classification > Data Remediation and select New Rule.
Fill in the following fields:
- Rule Name (mandatory)
- Description
- Categories - Select at least one category from the dropdown list.
- Script Path - The path to the PowerShell script to run. Since the script is executed by the data classification service, the path must be valid on the server on which that service is installed. If the rule will be run by multiple data classification services serving different applications, all of those services must be able to access the path.
- Scope Type - Select the scope to apply to the rule by choosing one of the following:
  - All (default)
  - Application Type
  - By Application
- Application - Select one or more applications by marking the tickboxes in the dropdown list.
- Application Type - Select one or more application types by marking the tickboxes in the dropdown list.
- Frequency - Select an execution interval:
  - Run Now - One-time run.
  - Run now and Every X Hours - The default is 24 hours. Set an interval of 1 to 99 hours.
Select Save & Run, or Cancel.
Edit a Data Remediation Rule
- To edit a Data Remediation rule, navigate to Compliance > Data Classification > Data Remediation, select the rule, and click the Edit Rule icon.
- The Edit Data Remediation Rule screen displays. Follow the steps described above.
- Select Save & Run or Cancel. Clicking Save & Run at any stage of editing a data remediation rule causes the assigned actions to execute immediately, even if no changes were made.
Delete a Data Remediation Rule
To delete a Data Remediation rule, navigate to Compliance > Data Classification > Data Remediation, select the rule, and click the Delete Rule icon.
Log Reports
You can track the execution of the Data Remediation rules and actions by generating log reports.
To view Data Remediation reports, navigate to Compliance > Data Classification > Data Remediation.
- Select the Generate Report menu option. This will open the report dialog box.
- Select Produce Now to produce the report now, or click Schedule a New Report to schedule the report.
- If you selected Schedule a New Report in the previous step, select one of the following time periods:
- Last Day
- Last 7 Days
- Last 30 Days
- All
Writing a PowerShell Script for Data Remediation
The File Access Manager administrator must provide a path to a valid script to perform the desired action.
That script must be written in PowerShell and return either nothing (or an empty string) to indicate success, or a string message to specify an error in case of failure.
The script receives two parameters when it is executed:
- A string which represents the full path of the file upon which the action should act.
- A string which represents the category which caused the action to be executed.
Any credentials needed for the script to operate must be provided within the script.
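The following is an added example of a remediation script that follows the contract stated above and in the earlier note (two string parameters, empty output for success, an error message for failure); it is not part of the File Access Manager documentation or product. The quarantine share, log file location and category names are assumptions. It moves a matching file into a per-category quarantine folder and writes its own log line so the action can be reconciled against the service's log reports.

```powershell
# Example data remediation script (added illustration, not from the product).
# Invoked by the Data Classification service with the file path and category.
param(
    # Full path of the classified file (first parameter passed by the service).
    [Parameter(Mandatory = $true)][string]$FilePath,
    # Category that triggered the rule (second parameter passed by the service).
    [Parameter(Mandatory = $true)][string]$Category
)

# Assumed locations; replace for your environment. Both must be reachable by
# every Data Classification service that runs this rule.
$QuarantineRoot = '\\FILESERVER\Quarantine$'
$LogPath        = Join-Path $PSScriptRoot 'remediation.log'

# Constructed category names used for this illustration.
$HandledCategories = @('PCI', 'PII', 'Confidential')

# If the action needs credentials they must live with the script. Assumed approach:
# a PSCredential saved with Export-Clixml under the service account, which
# DPAPI-protects the password for that account on that host.
# $cred = Import-Clixml -LiteralPath (Join-Path $PSScriptRoot 'remediation.cred.xml')

function Write-RemediationLog {
    param([string]$Message)
    $line = '{0:u} [{1}] {2}' -f (Get-Date), $Category, $Message
    # Logging must never turn a successful run into a failure report.
    Add-Content -LiteralPath $LogPath -Value $line -ErrorAction SilentlyContinue
}

try {
    # -LiteralPath throughout: classified file names may contain characters such
    # as [ or ] that -Path would interpret as wildcards.
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        return "File not found: $FilePath"
    }

    # Act only on the categories this rule was written for.
    if ($HandledCategories -notcontains $Category) {
        return "Unexpected category '$Category' for $FilePath; no action taken"
    }

    # One quarantine folder per category, created on first use.
    $target = Join-Path $QuarantineRoot $Category
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        # Out-Null keeps the DirectoryInfo object off the output stream.
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }

    # Do not overwrite an earlier quarantined file with the same name.
    $name = [System.IO.Path]::GetFileName($FilePath)
    $dest = Join-Path $target $name
    if (Test-Path -LiteralPath $dest) {
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        $dest  = Join-Path $target ('{0}.{1}{2}' -f
            [System.IO.Path]::GetFileNameWithoutExtension($name),
            $stamp,
            [System.IO.Path]::GetExtension($name))
    }

    Move-Item -LiteralPath $FilePath -Destination $dest -ErrorAction Stop
    Write-RemediationLog "Moved '$FilePath' to '$dest'"

    # Empty string signals success to the service.
    return ''
}
catch {
    $msg = "Remediation failed for '$FilePath' (category '$Category'): $($_.Exception.Message)"
    Write-RemediationLog $msg
    # Non-empty string signals failure; the service records it in its logs.
    return $msg
}
```

Because the script's output stream is its return value, any cmdlet that emits objects (New-Item, or Move-Item with -PassThru) is piped to Out-Null so that a successful run produces nothing but the empty string, and -ErrorAction Stop on the move ensures the catch block turns a failed action into an error message rather than a silent partial run.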