Access

Introduction

The LightBeam Governance module is designed to provide organizations with comprehensive visibility and control over data access across various unstructured data sources. As digital platforms proliferate, ensuring secure access to sensitive information is crucial.

This module empowers organizations to monitor and manage employee access to sensitive data, integrating seamlessly with Azure Active Directory or CSV-based employee lists. Administrators can establish and enforce access rules, track who is accessing what data, and ensure compliance with security frameworks like SOC2, NIST and ISO 27001.

Supporting a wide range of data sources, including SharePoint, Google Drive, Outlook, Gmail, AWS S3, Salesforce, HubSpot, and Slack, the LightBeam Governance module offers a proactive approach to securing sensitive data and maintaining robust data governance across the organization.

Getting Started

Prerequisites

User Roles and Permissions

• LightBeam Admins: Required to set up and manage the governance module.

Installation and Setup

Connecting Active Directory (AD)

Step 1: Access Directory Services

• Navigate to the directory services section in the LightBeam platform.

Step 2: Connect Multiple Directory Services

• LightBeam Admins can connect multiple directory services to a single LightBeam instance.

Step 3: Set Sync Frequency

• Configure the synchronization frequency (e.g., daily, weekly).

Step 4: Initiate Runtime Syncs

• Perform manual syncs as needed.

Step 5: Review Synced Details

• LightBeam will display synced users, roles, departments, employment status, current status with joining date, and groups.

Step 6: Error Handling

• In case of synchronization errors, LightBeam identifies these issues and provides options for re-syncing. Various error scenarios are efficiently handled.

Step 7: Day 2 Syncs

• LightBeam supports both Truncate load and incremental syncs. By default, the sync method is incremental, but administrators can choose Truncate load as needed.

Importing Via CSV

Step 1: Prepare CSV Files

• Use the defined template including fields such as First Name, Last Name, Username, Email Address, Department, Role, Groups, Employment Status, and current status (active or inactive), along with the date of their addition to the organization.

Step 2: Import Employee Data

• Navigate to the import section and upload the employee CSV file. The imported data will function like a typical Active Directory system.

Step 3: Import Groups Data

• Upload a separate CSV for Groups and their respective members, ensuring proper mapping.

Step 4: Handle Updates

• Similar to Active Directory, the system supports both truncate load and incremental updates based on email IDs.

Data Access Configurations

Configuration for Open Access

• Define what constitutes open access at the governance level. By default, LightBeam considers any file accessible via a link as open access.

Configuration for Excessive Access

• Customize the definition of excessive access. By default, any file accessed by more than half of the total number of users is considered to have excessive access.

Key Terminologies

Understanding the following key terminologies is crucial for effectively using the LightBeam Governance module:

• Sensitive Information: Data that is protected against unwarranted disclosure and includes personally identifiable information (PII), financial data, and proprietary information.

• Open Access: Files accessible by a large number of users, either internally or externally, potentially posing a security risk.

• Excessive Access: When more users have access to a file than what is necessary for their role or department.

• Incremental Sync: A synchronization method where only the changes since the last sync are updated.

• Truncate Load: A synchronization method where existing data is deleted and a full reload of data is performed.

Architecture Overview

The LightBeam Governance module integrates seamlessly with the overall LightBeam Spectra platform, leveraging a modular architecture to enhance data security and governance. The core components include:

Directory Services Integration

• Supports multiple directory services connections (e.g., Azure Active Directory) and CSV imports for user data.

• Ensures that user roles, departments, and group memberships are synchronized efficiently.

Access Control Engine

• Monitors and manages user access to sensitive information across various data sources.

• Enables administrators to define and enforce rules regarding data access.

Alerting and Notification System

• Triggers alerts for open or excessive access and unauthorized data sharing.

• Provides real-time notifications to administrators for proactive risk management.

Reporting and Analytics

• Offers detailed reports on user access, sensitive data exposure, and policy violations.

• Provides timeline views for tracking access events and changes over time.

Integration with Data Sources

• Supports a wide range of data sources, including SharePoint, Google Drive, Outlook, Gmail, AWS S3, Salesforce, HubSpot, and Slack.

• Ensures comprehensive coverage of data governance across both on-premises and cloud environments.

Sensitive Information Exposure

The module proactively detects and alerts administrators about sensitive information exposure. It identifies files with sensitive data that are broadly accessible or shared externally, highlighting potential security risks. Specific scenarios include:

• Files accessible to all employees.

• Files shared with external parties.

• Files exposed to a wide audience within the organization (more than 30 people).

• Files accessible across different organizational units (e.g., engineering, sales).

User/Application Categorization

The governance module categorizes users and applications based on their access to sensitive information. This feature provides:

• Lists of users and applications with access to highly sensitive information.

• Detailed views of access permissions for different users and applications.

• Insights into access across structured and unstructured data sources, including on-premises, SaaS, and cloud environments.

Features and Functionalities

Access Mapping

The module maps who has access to whose data, offering insights into potential access risks:

• Geographic Access Insight: Identifies scenarios where data access spans across geographic boundaries, such as European customer data accessible to the US sales team.

• Organizational Level Access: Highlights sensitive files with financial data accessible to non-finance teams, employee information accessible to non-HR employees, and customer data accessible to engineers.

Access Details:

Provides file-level and group-level access details, enabling administrators to track and audit data access comprehensively.

Governance and Policies

The Governance and Policies section of the LightBeam Spectra platform's governance module is designed to provide organizations with robust mechanisms for managing and enforcing data access controls. This ensures that sensitive information is protected and that data access aligns with organizational policies and compliance requirements.

Governance Overview

The governance module allows administrators to define and implement comprehensive data access policies, providing visibility into data access patterns and enabling proactive management of potential security risks. The key components of governance include:

Visibility

• Provides detailed insights into open, excessive, and cross-departmental access to data.

• Tracks which users have access to specific data and how this access is used across various applications and platforms.

Automation

• Supports automated actions based on defined policies, such as revoking access, blocking users, or modifying access permissions.

• Facilitates efficient management of data access, reducing the burden on IT and security teams.

Policies and Alerting

Defining Policies

The Policies and Alerting feature within the LightBeam Governance module is a cornerstone of its data governance capabilities. It empowers organizations to define, enforce, and monitor data access policies, ensuring that sensitive information is accessed only by authorized individuals and in compliance with regulatory requirements. This section details the process of defining policies, configuring alerts, and managing policy violations.

Policies in the LightBeam Governance module are rules that dictate acceptable data access practices within an organization. These policies can be customized to address specific security requirements and compliance standards.

• Types of Policies

  • Open Access Policy: Defines what constitutes open access to files. By default, any file accessible via a link is considered to have open access. This can be customized to tighten or loosen the criteria based on organizational needs.

  • Excessive Access Policy: Sets thresholds for what is considered excessive access to files. The default setting considers any file accessed by more than half of the total number of users as excessively accessed. This threshold can be adjusted to better fit the organization's security posture.

  • Cross-Departmental Access Policy: Controls access to sensitive data across different departments. For example, financial data should not be accessible to non-finance teams, and HR data should not be accessible to non-HR employees.

• Creating Policies

  • Step 1: Define Criteria: Administrators define the criteria for each policy, specifying what conditions must be met for a policy to be considered violated.

  • Step 2: Assign Scope: Determine which data sources, user groups, and organizational units the policy applies to.

  • Step 3: Set Actions: Define the actions to be taken when a policy violation is detected, such as generating alerts, revoking access, or initiating automated remediation processes.

Configuring Alerts

Alerts are critical for real-time monitoring and response to policy violations. They ensure that administrators are promptly notified of any potential security issues.

• Types of Alerts

  • Immediate Alerts: Triggered instantly when a policy violation is detected. These are used for critical issues that require immediate attention.

  • Threshold Alerts: Triggered when access reaches or exceeds a predefined threshold. For example, an alert can be set to trigger when a file is accessed by more than a specified number of users.

  • Scheduled Alerts: Generated based on scheduled scans and checks. These alerts provide regular updates on policy compliance and potential issues.

• Setting up Alerts

  • Step 1: Define Alert Conditions: Specify the conditions under which an alert should be triggered. This can include criteria such as the type of data accessed, the number of users accessing the data, and the departments involved.

  • Step 2: Configure Notification Settings: Determine how alerts are communicated to administrators. Options include email notifications, SMS alerts, and dashboard notifications.

  • Step 3: Assign Alert Recipients: Designate the individuals or teams responsible for responding to alerts. This ensures that the right people are informed and can take action promptly.

Managing Policy Violations

Once policies and alerts are configured, the governance module continuously monitors data access to detect and manage policy violations.

1. Detection:

   1. The module uses real-time monitoring and periodic scans to identify policy violations. This ensures that any unauthorized access or risky behavior is detected as soon as it occurs.

2. Response:

   1. Automated Actions: Based on the defined policies, the module can automatically revoke access, block users, or move files to secure locations when a violation is detected.

   2. Manual Intervention: Administrators can review alerts and take manual actions as needed. This may involve investigating the root cause of the violation, contacting the affected users, or making adjustments to the access policies.

3. Audit and Reporting:

   1. Violation Reports: Detailed reports on policy violations provide insights into the nature and frequency of violations, helping administrators understand trends and potential security gaps.

   2. Audit Trails: Comprehensive logs of all policy-related activities, including detected violations, triggered alerts, and actions taken. These logs support auditing and compliance efforts, ensuring that the organization can demonstrate adherence to data governance policies.

Monitoring and Reporting

Effective governance requires continuous monitoring and reporting to ensure compliance with defined policies and to identify potential security risks.

Dashboards

• The governance module provides a comprehensive set of dashboards that display essential metrics, governance rule violations, and partner onboarding status.

• Specific dashboards include the Main Dashboard, Governance Dashboard, Data Source Level Governance Dashboard, Per User View, and Entity View.

Reports

• Detailed reports offer insights into high data access users, enabled rules, and rule violations at the data source level.

• These reports can be used to audit data access, assess compliance with security frameworks, and identify areas for improvement.

Governance Module Dashboard

Governance Module Dashboard Overview

The Governance Module Dashboard provides governance officers with comprehensive visibility into the organization’s data access landscape. The primary role of a governance officer is to ensure that users have access only to the data necessary for their roles and to eliminate unnecessary or excessive access. The dashboard plays a crucial role in achieving this by offering detailed insights into users, groups, and data access patterns.

Key Components of the Dashboard

1. Directory Service or IAM (Identity Access Management) Box

   • Located on the right side of the dashboard, this box displays the connected directory service, such as Azure Active Directory. The directory service is essential for understanding the organization's employee structure and identity details.

• • Purpose:

    • Provides detailed information about the organization’s users, including:

      • Who the employees are.

      • Which groups they belong to.

      • Differentiation of employment types (e.g., employees vs. contractors).

    • Gives governance officers a clear picture of the employee architecture and user identities by pulling data from the connected directory service.

1. Users

   • Found on the left side of the dashboard, this box shows a breakdown of the total users within the organization.

• • Example:

    • There are a total of 250 users, out of which 206 are employees and 44 are contractors.

  • Purpose:

    • Helps the governance officer quickly identify the distribution of users, facilitating decisions related to data access and policy enforcement.

1. Groups

   • Located in the center of the dashboard, this box provides an overview of the groups within the organization.

• • Example:

    • After scanning, the system identifies 16 groups.

  • Purpose:

    • Shows the different groups to which users are assigned, aiding in the management and assignment of access controls.

1. Sensitive Objects Across Departments

   • The Sensitive Objects Across Departments section of the Governance Module Dashboard provides a graphical representation of the most sensitive data sources within the organization.

   • This section is crucial for governance officers to understand which data repositories hold the most sensitive information and how that data is distributed across different departments.

   • The dashboard highlights the top 5 data sources where sensitive objects are stored. These data sources are ranked based on the level of sensitivity and the volume of sensitive data they contain. There are 643 Highly Sensitive objects.

5. Users Having Access to Entity Data

• The Users Having Access to Entity Data section of the Governance Module Dashboard provides a graphical representation of the types of users who have access to various entities within the system.

This section displays a breakdown of users by type who have access to entity data within the organization:

• Total Users with Access: The dashboard indicates that there are 191 employees and 43 contractors with access to entity data.

• Entities in the System: These users collectively have access to approximately 115,000 entities in the system. Entities could include files, documents, records, or any structured or unstructured data objects within the organization.

6. Unresolved Alerts

The Unresolved Alerts section of the Governance Module Dashboard highlights critical alerts that have yet to be addressed according to the organization's data governance policies. This section is crucial for governance officers to identify and act on potential security risks or policy violations.

• In the current view, the dashboard shows that Christine What from the Engineering Department has access to sensitive information, specifically Customer USA Social Security Number (SSN) data. This access is considered a potential policy violation, as it may not align with the organization’s guidelines regarding who should have access to such sensitive information.

Users

When navigating to the User section via the left-side panel of the Governance Module Dashboard, a detailed view is presented, showcasing the list of users who have access to sensitive data.

This window is a critical tool for governance officers to monitor and manage data access across the organization.

Overview of the User Access Window

• Total Employees and Contractors with Access: The window displays a breakdown of all users with access to sensitive data:

  • Out of the 206 total employees, 30 employees have access to high-privilege data.

• • Out of the 44 contractors, 7 contractors have access to high-privilege data.

• Departmental Distribution: These users are spread across 10 different departments within the organization, illustrating how sensitive data access is distributed among various organizational units.

• Within the Users dashboard of the Governance Module, there is also a detailed department-wise bifurcation that highlights employees who have access to high-privilege data. This breakdown is crucial for governance officers to understand the distribution of sensitive data access across different departments within the organization.

By clicking on a department, such as Engineering, within the Users dashboard, you gain access to a detailed view of all employees in that specific department who have access to sensitive data. This section provides governance officers with granular information about data access within each department, allowing for more focused management and oversight.

Overview of the Department-Specific Access View

• Employee List: A comprehensive list of all employees and contractors within the selected department is displayed. This list provides detailed insights into individual data access levels.

• Access Level: For each individual, the table indicates their access level — Low, Medium, or High — which is determined based on the sensitivity of the data they can access. This level helps quickly identify users who might pose a greater risk due to their high-privilege access.

• Entities and Data Sources Accessed: The table shows the following information for each user:

  • Number of Entities Accessed: The total number of data entities that each employee or contractor has access to.

• • Number of Data Sources Accessed: The number of distinct data sources (e.g., SharePoint, Google Drive, Salesforce) each user has access to.

• User Type: The table clearly differentiates between employees and contractors to help governance officers assess the appropriateness of data access levels.

• User View: Accessing User Details

To view detailed information about a specific user, navigate to the Users dashboard and click on the user's name. For example, by clicking on Daniel Sullivan, you can access comprehensive insights regarding their data access profile.

User-Specific Dashboard: User’s Access Details

When you click on a user’s name in the Users Dashboard, you will be directed to a dedicated dashboard that provides a comprehensive overview of his data access details within the organization. In this case we can explore Daniel Sullivan’s access details after clicking on his name. This dashboard gives insights into Daniel's access level, location, employment type, and other critical data, ensuring governance officers can monitor and manage access effectively.

Overview Summary:

• Data Sources: 3 data sources

• Entities: 73 entities

• Attributes: 7 attributes

• Groups: 0 groups

Data Sources Section

• Displays a list of data sources Daniel Sullivan can access, detailing the objects containing sensitive information.

• Shows the total number of objects, entities, and attributes Daniel has access to across each data source, providing granular visibility into his access rights and potential exposure.

Entities Section

• List of Entities Accessible by Daniel Sullivan:

  • Entities at Risk: 73

  • Entity Types: 2 (Human and Organization)

Types of Entities and Risk Assessment:

• Human Entities: 66 entities (all 66 are at risk)

• Organization Entities: 7 entities (all 7 are at risk)

Navigating Human and Organization Entities

• Human Entities:

• • Click on the Human entity type to view a detailed list showing:

    • Entity names (e.g., names of people)

    • Risk status (whether the entity is at risk or not)

    • Entity type

    • Number of data sources, objects, and attributes associated with each entity

Organization Entities:

• Click on the Organization entity type to view a list showing:

  • Names of organizations

  • Risk status

  • Entity type

  • Number of data sources, objects, and attributes linked to each organization

Attributes Section

• Displays the total number of high, medium, or low-sensitive attributes Daniel Sullivan has access to.

• In this case, Daniel has access to 7 medium-sensitive attributes.

• Scrolling further down, you can see all 7 attributes listed with their respective instances, totaling 320 attribute instances. This detailed breakdown helps identify the nature and volume of data Daniel Sullivan has access to, which could indicate areas of potential risk.

Sensitive Objects Dashboard

By selecting Sensitive Objects from the left panel, you are taken to a dashboard that provides a comprehensive overview of data access across various data sources, highlighting potential security risks and governance issues. This dashboard is critical for identifying and managing sensitive data that may be improperly exposed or excessively accessible within the organization.

Overview of the Sensitive Objects Dashboard

• Open Access: The dashboard indicates that there are 4 data sources where sensitive objects have open access, meaning these objects are accessible by all users within the organization. This presents a significant risk, as sensitive information may be exposed to individuals who do not require access to perform their duties.

• Excessive Access: Another key insight is that there are 4 data sources with excessive access. This means more users have access than is permitted by the organization's data governance policies. Excessive access can increase the likelihood of data breaches or misuse of sensitive information.

• Cross-Department Access: The dashboard also shows 4 data sources with cross-department access. This highlights cases where sensitive data is accessible by users from multiple departments, potentially leading to unnecessary exposure of data between different organizational units.

This section offers insights into the volume and distribution of sensitive objects within the organization, allowing governance officers to assess data exposure and manage access more effectively.

Breakdown of Sensitive Objects

1. All Objects:

   • Total: The dashboard shows a total of 50T objects across the four data sources, representing all the sensitive data currently identified.

   • LB SharePoint: Contains 5.8K objects. This represents a significant portion of sensitive data, requiring careful monitoring and governance due to its widespread use.

   • LB OneDrive: Has 493 objects. While smaller in number compared to SharePoint, these objects still require scrutiny to ensure appropriate access controls.

   • LB SharePoint Label: Shows 83 objects. These are objects that are specifically labeled or classified under certain data governance rules, indicating they may require special handling or access restrictions.

   • LB GDrive Demo: Contains 5K objects, which also represents a considerable amount of data, particularly if sensitive information is stored or shared externally.

Open Access section of the Sensitive Objects dashboard provides detailed information on sensitive data objects that are currently accessible by all users within the organization. Open access can present a significant security risk, as it allows potentially sensitive information to be viewed or modified by any employee, regardless of their role or department.

Breakdown of Objects with Open Access

• LB SharePoint:

  • 97 objects have open access. These are sensitive data files or documents on the SharePoint platform that are accessible by all users. This highlights a potential vulnerability, especially if these objects contain critical or sensitive information.

• LB OneDrive:

  • 55 objects have open access. Similar to SharePoint, these objects are widely accessible, increasing the risk of data leakage or unauthorized modifications.

• LB SharePoint Label:

  • 16 objects with open access. These objects, specifically labeled under certain data governance rules, are exposed to all users, which may violate data privacy or security policies.

• LB GDrive Demo:

  • 101 objects with open access. This represents a significant amount of data on Google Drive that is currently not restricted, posing a risk of sensitive information being accessed or shared improperly.

1. Open Access

Open Access section of the Sensitive Objects dashboard provides detailed information on sensitive data objects that are currently accessible by all users within the organization.

Breakdown of Objects with Open Access

• LB SharePoint:

  • 97 objects have open access. These are sensitive data files or documents on the SharePoint platform that are accessible by all users. This highlights a potential vulnerability, especially if these objects contain critical or sensitive information.

• LB OneDrive:

  • 55 objects have open access. Similar to SharePoint, these objects are widely accessible, increasing the risk of data leakage or unauthorized modifications.

• LB SharePoint Label:

  • 16 objects with open access. These objects, specifically labeled under certain data governance rules, are exposed to all users, which may violate data privacy or security policies.

• LB GDrive Demo:

  • 101 objects with open access. This represents a significant amount of data on Google Drive that is currently not restricted, posing a risk of sensitive information being accessed or shared improperly.

3. Objects with Excessive Acces

The Objects with Excessive Access section of the Sensitive Objects dashboard highlights data objects that have more access granted than is deemed necessary or appropriate under organizational policies. Excessive access can lead to increased risks of data breaches, unauthorized modifications, or misuse, making it crucial for governance officers to identify and mitigate these risks promptly.

Objects with Excessive Access

The Objects with Excessive Access section of the Sensitive Objects dashboard highlights data objects that have more access granted than is deemed necessary or appropriate under organizational policies. Excessive access can lead to increased risks of data breaches, unauthorized modifications, or misuse, making it crucial for governance officers to identify and mitigate these risks promptly.

Breakdown of Objects with Excessive Access

• LB SharePoint:

  • 159 objects have excessive access. These are sensitive objects within SharePoint that have been accessed by more users than permitted by the organization’s access control policies. This could include cross-departmental access or access by employees who do not have a legitimate business need.

• LB OneDrive:

  • 23 objects have excessive access. Although the number is smaller compared to SharePoint, these objects may still pose a risk if sensitive information is unnecessarily accessible to a larger group of users.

• LB SharePoint Label:

  • 12 objects have excessive access. Despite being specifically labeled under data governance rules, these objects are accessed excessively, which may conflict with security guidelines or regulatory requirements.

• LB GDrive Demo:

  • 411 objects have excessive access. This represents a significant number of objects within Google Drive that have access beyond what is necessary, indicating a potential vulnerability in data security practices on this platform.

4. Cross-Department Access

The Objects with Cross-Department Access section of the Sensitive Objects dashboard reveals data objects that are accessible across multiple departments, which may not always be necessary or appropriate. Cross-department access can expose sensitive information to employees who do not have a legitimate business need, increasing the risk of data leaks, misuse, or compliance violations.

Breakdown of Objects with Cross-Department Access

• LB SharePoint:

  • 495 objects have cross-department access. This represents a significant number of sensitive data objects on the SharePoint platform that are accessible by users from different departments, potentially creating security risks or policy violations.

• LB OneDrive:

  • 43 objects have cross-department access. While fewer in number, these objects still pose a risk if they contain sensitive information that should be restricted to specific teams or departments.

• LB SharePoint Label:

  • 13 objects with cross-department access. These are objects that, despite being labeled under specific governance rules, are accessible by users across different departments, which might violate data access policies.

• LB GDrive Demo:

  • 453 objects have cross-department access. This indicates a substantial number of sensitive objects on Google Drive that are accessible to multiple departments, which could lead to unintended data exposure or security incidents.

Exploring Sensitive Objects: Access Details

In the Sensitive Objects dashboard, you can dive deeper into the details of objects with open, excessive, or cross-departmental access by selecting specific data sources.

Open Access Details for a Data Source

• Example: LB SharePoint

  • Clicking on LB SharePoint will provide an overview of sensitive objects and their access status within this data source:

    • Open Access: 97 objects with 70 owners.

    • Excessive Access: 159 objects with 84 owners.

    • Cross-Department Access: 495 objects with 77 owners.

Viewing Object Owners and Access Details

• In the All Objects section of this dashboard:

  • You can see the names of owners and the number of objects they have access to.

  • Clicking on Open Access shows all owners who have open access to objects within the selected data source.

  • Similarly, selecting Excessive Access or Cross-Department Access reveals lists of all owners with those specific access types.

Inspecting a Specific Owner's Access

• Example: Open Access Section

  • Click on an owner, such as Paul Robinson, to view detailed information about the objects he has access to within the LB SharePoint data source.

• • You will see:

    • Objects: A list of all objects Paul Robinson has access to.

    • Level of Data Privilege: The sensitivity level of data (e.g., Low, Medium, High) associated with each object.

    • Attribute Types and Numbers: The types and count of attributes that Paul Robinson can access.

    • Number of Entities: How many entities are associated with these attributes.

Accessing Governance Module Through Datasources Dashboard

The Governance of a specific Datasource feature in the LightBeam dashboard offers a detailed view of access control and data distribution across various data sources, allowing governance officers to monitor and manage data access effectively.

Accessing the Governance Details

Navigate to the Data Source Section:

• Open the Data Source section in the LightBeam dashboard.

• Search for the data source you want to investigate (e.g., LB SharePoint).

• Click on the data source name (LB SharePoint in this case).

View the Governance Information:

• Scroll down to find the Governance of the Data Source on the right side.

• This section presents a graphical representation of the data source's governance status.

Understanding the Governance Graph

• User Access: The dashboard shows that LB SharePoint is accessible to 230 users.

• Object Count: There are 46K objects under this data source.

• Access Levels: A bar graph provides a breakdown of the different levels of access (e.g., open access, excessive access, cross-departmental access) for these objects.

  • You can hover over each bar in the graph to see the specific number of objects at that level of access. For example:

    • 97 objects with open access.

    • 159 objects with excessive access.

    • 495 objects with cross-department access.

Navigating the Governance Dashboard

• You can also click on a bar (such as the open access bar) to be redirected to a more detailed governance dashboard for this data source.

  • Here, you will see:

    • The number of users (e.g., 234 users) with access to this data source, including a breakdown of high data privilege users versus others.

    • A bifurcation by employee type (e.g., employee or contractor) and groups.

• • On the right, a box named Entities Data Access by Users (Sensitive) shows users who have access to sensitive files containing entity data.

Scroll down to find:

• A graphical representation of Objects with Open Access (Sensitive).

• To the right, Objects with Excessive Access (Sensitive).

• Further down, Objects with Cross Department Access (Sensitive).

• Each section highlights the top 5 departments with these access issues.

The Unresolved Alerts section on the bottom right of the Governance Dashboard provides critical insights into potential access violations and security risks within the organization.

Viewing Unresolved Alerts

• The Unresolved Alerts section lists alerts where access policies have been breached but have not yet been resolved.

• For example, it shows an alert indicating that Christine What from the Engineering Department has access to Customer USA Social Security Number (SSN) information, which may not align with organizational access policies.

To further investigate an alert, you can click on "View Details". This action will take you to a more detailed view, where you can understand the nature of the alert (e.g., who accessed what data and why it is flagged as sensitive).