Managed host deployment
A managed host is any network object that can host resources and can be assigned an agent to monitor security and resource activity. Currently supported hosts include Windows computers, Windows clusters, NetApp storage devices, EMC storage devices, DFS, and SharePoint farms.
You can also add generic managed hosts (Server Message Block (SMB) shares running on any Active Directory joined computer) to remotely scan their resources.
The following commands are available to you to deploy managed hosts. For full parameter details and examples, see the command help, using the Get-Help command or the One Identity Manager Data Governance Edition Technical Insight Guide.
Table 81: Managed host deployment commands

Add-QDfsManagedHost
Register a domain-based distributed file system root. This enables you to view and manage the access on resources that are physically distributed throughout your network.

Add-QManagedHostByAccountName
Add a managed host to your deployment and configure its settings.
NOTE: This cmdlet does not support adding Cloud managed hosts.

Clear-QResourceActivity
Clear the resource activity for a given managed host. This enables you to remove activity data from the database on demand when it is no longer required.
For scheduled activity cleanup, use the activity compression/deletion settings in the Data Governance server configuration file instead.
NOTE: Once you clear the activity, it cannot be recovered.

Get-QHostsforTrustee
View a selected user or group's access on all managed hosts in your environment.

Get-QManagedHosts
View a list of all the managed hosts in your deployment.
NOTE: If you are interested in only one managed host, you can specify the host's name or the ID (GUID format) of the managed host. You can also specify all the managed hosts in a particular container.

Remove-QManagedHost
Remove a managed host from your deployment.

Set-QManagedHostProperties
Change the properties of a managed host.
NOTE: You must know the managed host ID.

Set-QManagedHostUpdated
Inform the Data Governance server that the managed host state should be updated.

Trigger-QDfsSync
By default, the Data Governance server synchronizes the DFS structure into the One Identity Manager database every 24 hours. Use this cmdlet to force a DFS synchronization of a DFS managed host, making the DFS path immediately available within the Resource browser.
NOTE: You must specify the ID (GUID format) of the managed host to be synchronized. To synchronize all of the DFS managed hosts in your deployment, set the ManagedHostID to All.
Account access management
As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.
The following commands are available to you to manage account access. For full parameter details and examples, see the command help, using the Get-Help command or the One Identity Manager Data Governance Edition Technical Insight Guide.
Table 82: Account access management commands

Get-QAccountAccess
View where users and groups have access on a managed host.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAccessOnHosts
View the resource access for a given account (Domain\SAMAccountName) across all available hosts.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountActivity
View the activity associated with a user on a managed host.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAliases
View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access.

Get-QAccountsForHost
View all account access for a specific managed host.

Get-QADAccount
View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.

Get-QGroupMembers
View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource.

Get-QIndexedTrustees
View all of the entries from the QAMTrustee table that are also listed within the QAMSecurityIndex table, denoting an indexed trustee.
Resource access management
A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.
The following commands are available to you to manage resource access. For full parameter details and examples, see the command help, using the Get-Help command or the One Identity Manager Data Governance Edition Technical Insight Guide.
Table 83: Resource access management commands

Export-QResourceAccess
Export the security information on a selected resource.

Get-QChildResources
View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares.
It is similar to the standard Windows PowerShell Get-ChildItem cmdlet, but it uses the Data Governance server as a proxy, so the client machine does not necessarily need direct access to the target machine.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QFileSystemSearchResults
Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once.

Get-QHostResourceActivities
Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QPerceivedOwners
Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodian for data.
NOTE: The perceived owner for data is calculated from the resource activity history or security information collected by Data Governance Edition. Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database.

Get-QResourceAccess
Retrieve the security information of selected resources from a specific managed host, and child objects whose security differs from the parent.

Get-QResourceActivity
Retrieve the activity associated with a resource.
NOTE: Resource activity collection (and therefore this cmdlet) is not supported for the following host types:
- Windows Cluster/Remote Windows Computer
- Generic Host Type
- EMC Isilon NFS Device
- SharePoint Online
- OneDrive for Business

Get-QResourceSecurity
View the security on a given resource in SDDL format.

Set-QResourceSecurity
Set security on a given resource.
NOTE: The existing security descriptor is completely replaced.
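Because Set-QResourceSecurity replaces the existing descriptor rather than merging into it, it is worth reviewing the SDDL string that Get-QResourceSecurity returns before writing a new one. The following PowerShell is an added example, not code from the Data Governance Edition documentation or product; it assumes the cmdlet returns plain SDDL and uses a constructed descriptor in place of that output so it runs offline.

```powershell
# Added example: flag ACEs in an SDDL string that grant write-class rights to broad,
# well-known principals. A constructed SDDL stands in for Get-QResourceSecurity output
# (assumption: the cmdlet returns the descriptor as an SDDL string).
$SampleSddl = 'O:BAG:SYD:(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;AU)'

function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Well-known SIDs that represent very wide audiences
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'Users'
    }
    # Access-mask bits that allow changing data, permissions or ownership:
    # FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

    # .NET parses the SDDL; SDDL aliases such as FA are expanded to numeric masks
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Principal  = $broadSids[$sid]
            Sid        = $sid
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            Inherits   = $ace.InheritanceFlags
        }
    }
}

# On the constructed descriptor, Everyone and Authenticated Users (full access) are flagged;
# Builtin Users with read/execute only (0x1200a9) and Administrators are not.
Find-BroadWriteAce -Sddl $SampleSddl | Format-Table -AutoSize
```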
Governed data management
Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.
The following commands are available to you to manage governed data. For full parameter details and examples, see the command help, using the Get-Help command or the One Identity Manager Data Governance Edition Technical Insight Guide.
Table 84: Governed data management commands

Get-QDataUnderGovernance
View the data within your organization that has been placed under governance. Data is considered "governed" when it has been explicitly placed under governance or published to the IT Shop.

Get-QPerceivedOwnerPoI
View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment.

Get-QSelfServiceClientConfiguration
View the options that are available for self-service requests within the IT Shop.

Get-QSelfServiceMethodsToSatisfyRequest
View the group membership that is required to satisfy an access request.
When employees request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that employee could be added to fulfill their request.
NOTE: This PowerShell cmdlet does not support NFS or Cloud resources (since these types of resources cannot be published to the IT Shop).

Remove-QDataUnderGovernance
Remove data from governance.
NOTE: Removing a resource from governance also removes it from the IT Shop.

Set-QBusinessOwner
Set the business owner on a governed resource to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.

Set-QDataUnderGovernance
Place a resource under governance. Once data is "governed", the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.
You can also use this command to set the business owner on governed resources to establish a custodian for data; the same guidance on choosing a business owner as for Set-QBusinessOwner applies, and ownership can be established for an individual employee or for all employees in an application role.

Set-QSelfServiceClientConfiguration
Set the options that are available for self-service requests within the IT Shop.

Trigger-QDataUnderGovernanceCollection
Trigger data collection for governed resources for a given managed host.

Upgrade-QDataUnderGovernanceRecords
Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.
NOTE: This is a requirement for upgrading to version 6.1.2 or 6.1.3.