Chat now with support
Chat mit Support

Identity Manager Data Governance Edition 8.1.4 - Release Notes

One Identity Data Governance Edition 8.1.4

One Identity Data Governance Edition 8.1.4

Release Notes

October 2020

These release notes provide information about the One Identity Data Governance Edition 8.1.4 release.

Topics:

About this release

One Identity Manager Data Governance Edition enables security administrators and business owners to manage user access to unstructured data on files/folders/shares for Windows Server, NAS devices and SharePoint. It leverages the One Identity Manager platform for providing integrated self-service request portal, segregation of duties policies, attestation and re-certification workflows.

Using Data Governance Edition, IT Administrators are provided with management capabilities that enable them to see who is using data in the organization and how access should be modified to best fit the business. Specifically, they can:

  • Examine a file system, SharePoint farm or other supported platforms to see what users and groups have access to it, and modify the access if required.
  • Examine a user or group to ensure they have the correct data access.
  • Investigate access for a user in a particular role within your organization to help grant the same access to a new hire.
  • Evaluate a group’s access before deleting it.
  • Compare account access and simulate the addition and removal of users or groups from groups.
  • Calculate perceived owners to identify potential business owners for data within your environment.
  • Place data under governance and leverage the self-service requests, attestations, policies, and reports that help you to ensure your data is in compliance.

Through workflows that cross both the Manager and the Web Portal, users can:

  • Manage access to and governance of Windows Server, NAS devices, SharePoint resources, and certain Cloud resources.
  • Perform access modeling to compare user accounts/groups to identify the impact of adding/removing users to/from groups and identify why employees in the same department have different access rights.
  • View how access was achieved, who requested it, who approved or denied it. This information is useful to verify during the attestation process.
  • Define access policies including Separation of Duties to assist in fulfilling security and compliance requirements around data protection.
  • Manage access as a business owner, an administrator or a security officer through dashboards and views.
  • Review user and resource activity to identify patterns of usage, spot atypical behavior, and determine business owners to ensure that users have only the access to what they absolutely need, and nothing more.

  • Use an access request workflow which allows business owners to grant or deny resource access and recommend a group for fulfillment from the list of best fit groups suggested by the system – thereby improving efficiency and reducing IT burden.
  • Identify data without owners, suggest potential business owners, and allow compliance teams to schedule a process for business owners to verify and attest to employee access as well as enable the immediate remediation.
  • Access pre-defined reports to help you identify, summarize, and analyze resource and account access and activity throughout your organization.

Data Governance Edition 8.1.4 is a minor release that provides compatibility with One Identity Manager 8.1.4.

For a full list of target systems that can be scanned, see Supported target systems

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 1: General known issues
Known Issue Issue ID

Data Governance Edition does not handle computer name changes automatically. If a computer's name is changed after it has been registered as a managed host, some functions will not operate correctly. If a managed host computer is renamed, it must be removed and added again with the new name.

42129

Table 2: Installation and upgrade known issues
Known Issue Issue ID

If you use the MSIExec.exe command to install the Data Governance server to a non-default location, you will be required to perform future upgrades to the server in the same manner. If the installation path is not specified when the upgrade is performed, the custom installation is removed and the new version is installed to the default location of %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition.

313477

Upgrading the Data Governance server reverts the "run as" of the server service to Local System. The service must be reinstalled running as the previously configured account.

To resolve this issue, when installing the new version of the Data Governance server, leave the installer Retry/Cancel dialog open when prompted, run the Service Control Manager, and switch the account on the Data Governance server from local system back to the original service account. Then click Retry in the installer dialog, and the installation should complete successfully.

359129

The Data Governance Configuration wizard is not detecting the existing Resource Activity database name. If you are not using the default name for your Resource Activity database, on an upgrade you must enter the "custom" database name on the Data Governance activity database page of the Data Governance Configuration wizard.

592431
After upgrading the Data Governance service to version 8.0, existing agents will initially connect; however, after an agent restart, they will no longer connect, displaying a "Waiting to connect" state, and must be upgraded.  
Table 3: Resource activity known issues
Known Issue Issue ID

If a volume is mounted as a drive letter and as a folder path, and changes are made through the folder path - the Activity reports show the drive letter as the path for activity.

148588

The SharePoint system account will be automatically filtered from resource activity.

320562

When you restart a NetApp filer, the Data Governance agents scanning that filer must also be restarted as they do not automatically register the required FPolicy.

417143

Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts. 629701

EMC VNX activity collection is not supported for devices with multiple CIFS exposed virtual data movers.

 

EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.

 

If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition.

 

When integrating with Change Auditor version 6.9.x, no activity is being reported in Data Governance Edition.

There is a Change Auditor 6.9 hotfix now available to fix this integration. Please contact One Identity technical support for the latest Change Auditor hotfix.

 

Table 4: SharePoint known issues
Known Issue Issue ID

The SharePoint account SHAREPOINT\system displays in Account access as NULL SID.

202555

In the Group Memberships tab, the location for SharePoint groups displays the URL instead of the friendly path for the group.

213029

In the Accounts view, renamed SharePoint groups do not show the new name after a rescan.

213906

When creating a new site collection on a farm where the SharePoint Auditing farm solution is enabled, you may see an error indicating that the farm solution is already activated. If this occurs, re-create the site collection.

215381

Exceptions occur during security index scans if web app policy denies rights to a farm account, even if the web app is not a selected security index root.

253558

Once data is placed under governance, a user or group's Limited access permission will be changed to the AllowRead permission.

271856

Retrieval of security for SharePoint hidden lists (such as Converted Forms) through Data Governance Edition may incorrectly list the security for its parent folder regardless of inheritance.

314472

For SharePoint 2010 farms, you may need to wait several minutes during agent install before managed paths can be successfully configured.

388288

For SharePoint 2010, initial scans do not occur as expected if there is a delay in setting dataroots for newly deployed managed hosts.

Workaround: Wait for the scan schedule to lapse or restart the agent.

418369

SharePoint and Windows security scans add nested groups to the security index. The default behavior is to add an entry for every trustee that has been found to be directly ACL'd on a managed host. The SharePoint and Windows security scan behavior does not cause any harm, it is simply inconsistent with the expected behavior.

598090

Running Manage Access on a user/employee with a SharePoint user account type in the Security Index view logs an error: Requested value 'domain\user' was not found.

Workaround: Run another SharePoint synchronization.

667557

In the web portal, the target accounts picker accessed from the "Edit subscription settings" window for an Account Access report shows the Claims Identity for SharePoint resources instead of the employee name.

675807

Table 5: Object naming known issues
Known Issue Issue ID

Data Governance Edition may incorrectly represent the names of certain Built-in groups, such as Administrators and Power Users, if these groups have been renamed.

This does not affect the underlying functionality of Data Governance Edition, just the display names of these groups.

114243

Table 6: Machine local groups known issues
Known Issue Issue ID

If a machine local user or group is renamed after it has been originally added to the Data Governance index, any subsequent name changes will not be properly reflected in the client.

70422

Table 7: Agent known issues
Known Issue Issue ID

Network configuration changes may not be reflected in the agent connection information. If the network configuration of a managed host changes such that outgoing connections become blocked, the agent on that computer may be incorrectly reported as operating in Active mode. Additionally, queries against this agent may not be processed. To resolve this situation, restart the agent to renegotiate the connection.

45912

If you attempt to export an agent log from a client, ensure the agent state is set to OK. If the state is not set to OK, the process will fail.

Workaround: Go to the agent installation directory, right-click the DataGovernance.Agent.exe.dlog file for the agent in question, and choose Copy.

178061

Table 8: Managed paths (formerly referred to as Security index roots) known issues
Known Issue Issue ID

When deploying remote agents, it is sometimes possible to select roots that the specified service account cannot access. Ensure that the service account being selected for agent deployment can read the target.

110236

C$ and ETC$ are not valid as managed paths for NetApp filers.

177265

Table 9: Security modifications known issues
Known Issue Issue ID

Removal of inherited and explicit entries in the security editor should be performed as two separate operations. When removing permissions in the security editor, if both explicit and inherited permissions are present in the selection, you will be prompted to confirm how to remove the inherited permissions. If the Copy from Parent option is selected, the permissions originally selected for removal will not be removed. A subsequent removal of the explicit permissions will properly remove the rights.

99724

Do not manipulate security on the computer's recycle bin as this can cause consistency issues with the content of the recycle bin itself.

105477

Adding machine local objects to a folder ACL on a NetApp filer using the Data Governance security editor is not supported. When navigating to a folder using a share path through the Resource browser or security editor, attempting to add a machine local ACE from the filer on the folder ACL will fail.

154142

You may receive an error when editing security, through the Manage Access view, for renamed resource on devices with a configured scanning schedule. It is recommended to use the Resource browser to complete this action.

215371

Table 10: Reporting known issues
Known Issue Issue ID

Local reads of .txt files using notepad – no read event appears on activity reports. Account Activity and Resource Activity reports include events as they are conveyed by the system where the activity occurred. In some instances, certain applications do not report events as they may be expected by the user. This is the expected behavior of the application and Data Governance Edition, in most cases, is limited by what is reported by the operating system.

149909

If agents are not in an OK or Data available state, data from these agents will not be included in reports.

369565

Data Owners vs. Perceived Owners report in web portal does not allow you to select the root folder of a DFS link, therefore, the report can not be generated for that folder.

Workaround: Select the root folder using the Grid view instead of the Tree view in the web portal.

648054
Table 11: Group membership known issues
Known Issue Issue ID

Domain Built-in groups may not show access points on any managed host when selected from the tree view in the detailed Accounts view. To see this information, you must select the Built-in Group and run a Manage Access query that will return information on the Built-in group.

155748

Table 12: Built-in users known issues
Known Issue Issue ID

Only well-known accounts (such as Everyone and Authenticated Users) are returned when the Built-in filter is selected. Other Built-ins, such as administrators and users, are returned as groups.

109347

Table 13: NetApp managed host known issues
Known Issue Issue ID

Cloning an account on a NetApp managed host is not supported.

208968

Adding rights to a folder on a NetApp managed host is not supported.

208975

If you wish to collect security changes from your NetApp filer using Change Auditor, and you are also using Data Governance Edition to collect activity, you must disable cifs_setattr on the Data Governance FPolicy. In addition, you should not select to collect real-time security updates in Data Governance Edition. NetApp will not send the security change to more than one FPolicy. 262027
Table 14: Shared managed resource process known issues
Known Issue Issue ID

Configuration in a cross domain/forest scenario: In order to create the shared folder, the service account for the One Identity Manager job service requires extended permissions on the managed host server in the other domain/forest where the share root resides. That is, this service account requires permissions to create the share and add the groups to the share.

520543

Table 15: Governed data attestation known issues
Known Issue Issue ID

The Governed Data: Resource security deviation attestation shows no selected objects. That is, in the Manager when you select Change master data | Run attestation cases for single objects for a governed resource that has security deviations from its parent folder, the expected objects are not listed on the Run attestation cases for single objects dialog.

647709

Table 16: Cloud managed host known issues
Known Issue Issue ID

Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

 

OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.

 

Table 17: Identity Manager Application Server known issues
Known Issue Issue ID

Unable to assign user (Active Directory, UNS, SharePoint) accounts to an employee from Employees view in the Manager client when logged in through the Application Server.

Workaround: In some situations, using an Application Server connection with the Manager may not function as expected. Switching temporarily to a direct database connection should allow the function to succeed.

678767

Table 18: Third-party known issues
Known Issue Issue ID

Windows 2008

Unable to install an agent on a computer running Windows 2008.

To resolve this issue, download and install the VeriSign Class 3 Primary CA -G5 certificate in the local certificate store on the required target computers. The download is available here: https://www.symantec.com/page.jsp?id=roots.

352646

Windows Server 2012/2012 R2

Agents used to scan an EMC or NetApp filer cannot be hosted on Windows Server 2012 or 2012 R2. When the Data Governance server is hosted on Windows 2012/2012 R2, you cannot browse resources or set managed paths for the EMC or NetApp managed host. This is related to a known issue with Windows Server 2012/2012 R2.

Workaround: Use an alternative supported operating system to host the agent to scan the EMC or NetApp filer or set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force

For more details on the known issue, see http://support.microsoft.com/kb/2686098.

272220

Agent cannot access EMC or NetApp shares. After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2 or Windows 8, a "Windows cannot access <machine>" network error appears when attempting to access a share on the NAS device using the file explorer. The root cause is likely due to an incompatibility between your NAS device and SMB 2.0.

Workaround: Upgrade the FLARE code on your NAS device with support for SMB 2.2. If that is not feasible, disable SMB 2 in Windows Server 2012/2012 R2 or Windows 8.

For more details on the known issue and the proper solution, see http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/

596797

NetApp

Local user accounts created on a NetApp filer with a password longer than 14 characters, will not be included in the indexed information sent to the Data Governance server.

204302

Data Governance Edition system requirements

NOTE: Some of the system requirements for One Identity Manager have changed in version 8.1. Prior to upgrading Data Governance Edition, ensure that the minimum requirements for all of the One Identity Manager components are meet. See the One Identity Manager Installation Guide for full details on One Identity Manager's system requirements.

Before installing Data Governance Edition, ensure that your system meets the following minimum hardware and software requirements.

In addition, ensure that the minimum permissions and communication port requirements are met to ensure proper authentication and communication with Data Governance Edition components.

Data Governance server

The Data Governance server refers to the server where the Data Governance service is installed. This server must meet the following minimum system requirements.

Table 19: Minimum system requirements: Data Governance server
Processor quad core CPU
Memory 16GB RAM
Free drive space 100GB
Operating system

64-bit Windows operating systems:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
NOTE: Only a 64-bit server for Data Governance Edition is supported. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.
Software

.NET Framework 4.7.2

Self-Service-Tools
Knowledge Base
Benachrichtigungen und Warnmeldungen
Produkt-Support
Software-Downloads
Technische Dokumentationen
Benutzerforen
Videoanleitungen
RSS Feed
Kontakt
Unterstützung bei der Lizenzierung
Technische Support
Alle anzeigen
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen