Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.0 LTS - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Agents view

Selecting Agents in the Data Governance navigation view populates the Agents result list with all the Data Governance agents deployed in the current Data Governance Edition deployment. Selecting this node also displays the Agents view in the right pane which lists all the agents, including their current status, agent activity and performance.

The following table outlines the default information displayed for each agent deployed in your Data Governance Edition deployment.

Table 8: Agents view: Default layout
Column title Description
Agent Host The name of the host computer running the agent software.
Agent Domain The fully qualified domain name of the domain where the Data Governance agent that is performing the security scan resides.
Managed Host

The name of the host computer being managed.

NOTE: This is the same as the Agent Host for local managed hosts, but different for remote managed hosts.

Service Display Name

The display name of the Data Governance agent service, as displayed by the Service Control Manager, that is performing the security scan.

Agent Version The version of the Data Governance agent software that is currently deployed.
Agent Status The current status of the agent. For more information, see Checking the agent status.
Status Detail The current state of the data from this agent. In addition, this column provides additional information about failed agent installs or managed hosts that are in an error state due to agent issues.
Critical Error Indicates how many critical errors are associated with the agent. For more information, see Viewing agent errors.
Agent Uptime

Indicates how much time has passed since the agent's last restart.

NOTE: Agents can restart for several reasons, including restarts of their host systems, restarts of the agent service itself, or install and upgrade operations on other agents hosted on the same system.

Total Files Size The total size of all the files in the agent instance directory.
Total Scan Time The duration of the last full security scan. This value is not filled in until at least one full scan has been completed.
Scan Items/sec

The average rate of items indexed during the last full security scan.

NOTE: An average performance of less than 1000 items per second can indicate a poor network connection between the agent and its target managed host.

Items Scanned The number of items scanned by the agent during its last full security scan.
Items Stored The number of items stored for this agent since the last full security scan.
Changes Processed

The number of real-time scan updates that have been processed during the scheduled scan.

Changes Enqueued

The number of real-time scan updates that have been queued and are waiting to be applied to the scan data.

Activity Enabled Indicates whether resource activity collection has been enabled on the agent.
Activity Enqueued The number of resource activity records that have been queued and are waiting to get stored and aggregated in the Resource Activity store.
Activity Processed The number of resource activity records that have been processed and stored in the Resource Activity store.
Aggregated Activities

The number of activities recorded by Data Governance Edition, after duplicate events have been removed.

Aggregated activities are based on the granularity you have set on the managed host's Resource Activity page. The less granular the setting, the lower this number is.

Agent Host Type Indicates whether the agent is local (scanning the local computer) or remote (scanning a remote managed host).
Managed Host Type

The physical configuration of the host computer:

  • Distributed File System Root
  • EMC Celerra/VNX Device
  • EMC Isilon Device
  • EMC Isilon NFS Device
  • Generic Host Type
  • NetApp OnTap Cluster Mode CIFS Device
  • NetApp OnTap Cluster Mode NFS Device
  • NetApp OnTap 7-Mode CIFS Device
  • NetApp OnTap 7-Mode NFS Device
  • OneDrive for Business
  • SharePoint Farm
  • SharePoint Online
  • Windows Computer

The following table describes the agent information provided in the SharePoint Metrics layout.

Table 9: Agents view: SharePoint Metrics layout
Column title Description
Agent Host The name of the computer host running the agent software.
Managed Host

The name of the computer host being managed.

NOTE: This is the same as the Agent Host for local managed hosts, but different for remote managed hosts.

Agent Domain

The fully qualified domain name of the domain where the Data Governance agent that is performing the security scan resides.

Service Display Name

The display name of the Data Governance agent service, as displayed by the Service Control Manager, that is performing the security scan.

Agent Version The version of the Data Governance agent software that is currently deployed.
Agent Status The status of the agent. For more information, see Checking the agent status.
Status Detail The current state of the data from this agent.
Agent Uptime

Indicates how much time has passed since the agent's last restart.

NOTE: Agents can restart for several reasons, including restarts of their host systems, restarts of the agent service itself, or install and upgrade operations on other agents hosted on the same system.

Total Files Size The total size of all the files in the agent instance directory.
Critical Error Indicates how many critical errors are associated with the agent. For more information, see Viewing agent errors.
Farm Administrators

The number of farm administrators found on the managed host.

NOTE: This metric only applies to SharePoint managed hosts.

Site Collections

The number of site collections found on the managed host.

NOTE: This metric only applies to SharePoint managed hosts.

Web Application Policies

The number of web application policies found on the managed host.

NOTE: This metric only applies to SharePoint managed hosts.

Unique Item Level Permissions

The number of unique permission level assignments found on the managed host.

NOTE: This metric only applies to SharePoint managed hosts.

Total Scan Time The duration of the last full security scan. This value is not filled in until at least one full scan has been completed.
Item Level Scan Time

The time it took to locate all items that contain unique permissions.

NOTE: This metric only applies to SharePoint managed hosts.

Hierarchy Scan Time

The time it took to scan the content in all site collections found on the managed host.

NOTE: This metric only applies to SharePoint managed hosts.

Scan Items/sec

The average rate of items indexed during the last full security scan.

NOTE: An average performance of less than 1000 items per second can indicate a poor network connection between the agent and its target managed host.

Containers Processed

The number of containers or folders encountered and processed during the scheduled scan.

NOTE: This metric only applies to SharePoint managed hosts.

Items Scanned The number of items scanned by the agent during its last full security scan.
Items Stored The number of items stored for this agent since the last full security scan.
Activity Enabled Indicates whether resource activity tracking has been enabled on the agent.
Activity Enqueued The number of resource activity records that have been queued and are waiting to get stored and aggregated in the Resource Activity store.
Activity Processed The number of resource activity records that have been process and stored in the Resource Activity store.
Aggregated Activities

The number of activities recorded by Data Governance Edition, after duplicate events have been removed.

Aggregated activities are based on the granularity you have set on the managed host's Resource Activity page. The less granular the setting, the lower this number is.

Agent Host Type Indicates whether the agent is local (scanning the local computer) or remote (scanning a remote managed host).
Managed Host Type

The physical configuration of the host computer:

  • Distributed File System Root
  • EMC Celerra/VNX Device
  • EMC Isilon Device
  • EMC Isilon NFS Device
  • Generic Host Type
  • NetApp OnTap Cluster Mode CIFS Device
  • NetApp OnTap Cluster Mode NFS Device
  • NetApp OnTap 7-Mode CIFS Device
  • NetApp OnTap 7-Mode NFS Device
  • OneDrive for Business
  • SharePoint Farm
  • SharePoint Online
  • Windows Computer

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 10: Agents view: Hidden columns
Column title Description
Activity Files Size The total size of all resource activity store files on the agent. These files are deleted upon successful synchronization with the Data Governance server.
Agent ID The unique identifier generated by Data Governance Edition to identify the agent.

Agents view tasks

From the Agents view you can check the current state and manage your Data Governance agents.

NOTE: If you are assigned the Data Governance | Operators role, you will have read-only access to this page and will not be able to perform the tasks listed below.

When an agent is selected in the Agents view, you can perform the following tasks against the selected agent.

Table 11: Agents view: Tasks
Tasks Description For more information
Clear agent errors

Clears the error messages for the selected agent.

NOTE: Task is only available when there are error messages logged for the selected agent.

 
Export agent log Launches the Browse for Folder dialog to specify where to export the agent logs. Exporting agent log
Refresh

Retrieves and displays the latest agent details on the Agents view.

 
Restart agent

Restarts the selected Data Governance agent.

Restarting agents

Toggle layout options

Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed.

Toggle layout options
Upgrade agents

Upgrades the selected agents to the latest version.

NOTE: Task is only available when a newer agent version is available.

 
View agent errors

Launches the event viewer to display all error messages logged for the selected agent.

NOTE: Task is only available when there are error messages logged for the selected agent.

Viewing agent errors
View deviations Displays a tree view of all resources and all sub-resources below the root that have explicit security applied to them and any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security. Managing security deviations

Security index view

Selecting Security index in the Data Governance navigation view populates the Accounts result list with all accounts that have been given direct security privileges on resources within Data Governance Edition managed hosts (from the security index). Double-clicking an account in the result list displays the Account Overview which is a graphical representation of the information available about the selected account.

Selecting the Security index node also displays the Security index view in the right pane that provides a more complete list of accounts. This view provides details about the following accounts:

  • Accounts that have been given direct security privileges on resources within managed hosts (from the security index).
  • Accounts that do not have explicit permissions on any resources (not included in the security index).

NOTE: An Active Directory synchronization, and if applicable a SharePoint synchronization, must be performed to populate the Security index view. The information included in this view is obtained from the Active Directory Users and Groups, Local Users and Groups, SharePoint Users, Groups and Claims, and Deleted (Orphaned) Active Directory accounts.

Table 12: Security index view: Default layout
Column title Description
Has Explicit Permissions

Indicates whether the account was discovered during an agent's security scan and is included in the security index:

  • No: Securities that do not have explicit permissions on any resources.
  • Yes: Securities that have explicit permissions defined on one or more resources.

NOTE: By default, the view is grouped by the Has Explicit Permissions flag. Click the expansion box to the left of a group, No (No explicit permissions on any resources) or Yes (Has explicit permissions on one or more resources) to display all of the accounts grouped under each grouping.

Account (CN) The canonical name of the account.
Account (SAM Account Name) The logon name (sAMAccountName attribute) for the account.
Account Type

The type of account:

  • Azure AD Group
  • Azure AD User
  • Domain Local Group
  • Domain User
  • Global Group
  • Machine Local Group
  • Machine Local User
  • SharePoint Online Group
  • SP Group (SharePoint Group)
  • SP Identity SharePoint Identity)
  • SP User (SharePoint User)
  • Universal Group
  • Unix Group
  • Unix Owner
  • Unix Other
  • Other

NOTE: The Unix Owner, Unix Group and Unix Other account types are only available when the optional Unix module is installed.

Domain The DNS domain name of the domain.
Associated Employee Name The name of the Employee object associated with the account.

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 13: Security index view: Hidden columns
Column title Description
Security Identifier (SID) The security identifier (SID) assigned to the account.
UID_Person The ID (GUID format) assigned to the Employee associated with the account.
UID_QAMTrustee The ID (GUID format) assigned to the account by Data Governance Edition.

Security index view tasks

When you select an account in the Security index view, the following tasks are enabled that can be run against the selected account to manage the account's access.

Note: These security index tasks are not supported for Unix account types.

Table 14: Security index view: Tasks
Task Description For more information
Account access report

Generates a report displaying the account's resource access across all managed hosts within the enterprise. Selecting this task displays the Account Access dialog allowing you to define the report parameters for running the Account access report.

NOTE: To generate the Account access report for multiple accounts, select multiple rows in the Security index view, right-click and select Account access. The report will contain account access for all selected accounts.

Account access report

Viewing selected reports within the Manager

Account activity report

Generates a report displaying all the activity for the selected account against specific managed hosts. Selecting this task displays the Account Activity dialog allowing you to define the report parameters for generating the Account activity report.

NOTE: This report is not available for groups.

NOTE: This report is not available for Cloud/Office 365 accounts.

Account activity report

Viewing selected reports within the Manager

Account comparison

Displays the Account Comparison view allowing you to compare the resource access of two accounts.

NOTE: This feature is not available for accounts that do not have a Security Identifier (SID) associated with them.

NOTE: This report is not available for Cloud/Office 365 accounts.

Comparing accounts
Account simulation

Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked.

NOTE: This feature is not available for accounts that do not have a Security Identifier (SID) associated with them.

NOTE: This feature is not available for Machine Local trustees.

NOTE: This report is not available for Cloud/Office 365 accounts.

Simulating the effects of group membership modifications on an account
Manage access

Displays the Manage Access view that displays the managed hosts where the selected account has access. From here, you can also view detailed group membership information.

NOTE: This feature is not available for accounts that do not have a Security Identifier (SID) associated with them.

Manage access view

Managing account access

Toggle layout options

Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed.

Toggle layout options
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating