One Identity Data Governance Edition 9.1.1
Release Notes
13 April 2023, 11:10
These release notes provide information about the One Identity Data Governance Edition 9.1.1 release.
For the most recent documents and product information, see the One Identity Manager Data Governance Edition documentation.
Topics:
About this release
One Identity Manager Data Governance Edition enables security administrators and business owners to manage user access to unstructured data on files/folders/shares for Windows Server, NAS devices and SharePoint. It leverages the One Identity Manager platform for providing integrated self-service request portal, segregation of duties policies, attestation and re-certification workflows.
Using Data Governance Edition, IT Administrators are provided with management capabilities that enable them to see who is using data in the organization and how access should be modified to best fit the business. Specifically, they can:
- Examine a file system, SharePoint farm or other supported platforms to see what users and groups have access to it, and modify the access if required.
- Examine a user or group to ensure they have the correct data access.
- Investigate access for a user in a particular role within your organization to help grant the same access to a new hire.
- Evaluate a group’s access before deleting it.
- Compare account access and simulate the addition and removal of users or groups from groups.
- Calculate perceived owners to identify potential business owners for data within your environment.
- Place data under governance and leverage the self-service requests, attestations, policies, and reports that help you to ensure your data is in compliance.
Through workflows that cross both the Manager and the Web Portal, users can:
- Manage access to and governance of Windows Server, NAS devices, SharePoint resources, and certain Cloud resources.
- Perform access modeling to compare user accounts/groups to identify the impact of adding/removing users to/from groups and identify why employees in the same department have different access rights.
- View how access was achieved, who requested it, who approved or denied it. This information is useful to verify during the attestation process.
- Define access policies including Separation of Duties to assist in fulfilling security and compliance requirements around data protection.
- Manage access as a business owner, an administrator or a security officer through dashboards and views.
-
Review user and resource activity to identify patterns of usage, spot atypical behavior, and determine business owners to ensure that users have only the access to what they absolutely need, and nothing more.
- Use an access request workflow which allows business owners to grant or deny resource access and recommend a group for fulfillment from the list of best fit groups suggested by the system – thereby improving efficiency and reducing IT burden.
- Identify data without owners, suggest potential business owners, and allow compliance teams to schedule a process for business owners to verify and attest to employee access as well as enable the immediate remediation.
- Access pre-defined reports to help you identify, summarize, and analyze resource and account access and activity throughout your organization.
Data Governance Edition 9.1.1 is a minor release that provides compatibility with One Identity Manager 9.1.1.
For a full list of target systems that can be scanned, see Supported target systems
New features in Data Governance Edition 9.1.1:
See also:
The following is a list of issues addressed in this release.
This release contains all resolved issues since the general release of One Identity Data Governance Edition 9.1.1.
Table 1: Resolved issues
Fixed the error: “No groups were found that match the requested access” in Web Designer Web Portal when trying to select alternative Active Directory groups for approving a resource access request. |
304997 |
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Table 2: General known issues
Data Governance Edition does not handle computer name changes automatically. If a computer's name is changed after it has been registered as a managed host, some functions will not operate correctly. If a managed host computer is renamed, it must be removed and added again with the new name. |
42129 |
Table 3: Installation and upgrade known issues
If you use the MSIExec.exe command to install the Data Governance server to a non-default location, you will be required to perform future upgrades to the server in the same manner. If the installation path is not specified when the upgrade is performed, the custom installation is removed and the new version is installed to the default location of %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition. |
313477 |
Upgrading the Data Governance server reverts the "run as" of the server service to Local System. The service must be reinstalled running as the previously configured account.
To resolve this issue, when installing the new version of the Data Governance server, leave the installer Retry/Cancel dialog open when prompted, run the Service Control Manager, and switch the account on the Data Governance server from local system back to the original service account. Then click Retry in the installer dialog, and the installation should complete successfully. |
359129 |
The Data Governance Configuration wizard is not detecting the existing Resource Activity database name. If you are not using the default name for your Resource Activity database, on an upgrade you must enter the "custom" database name on the Data Governance activity database page of the Data Governance Configuration wizard. |
592431 |
After upgrading the Data Governance service to version 8.0, existing agents will initially connect; however, after an agent restart, they will no longer connect, displaying a "Waiting to connect" state, and must be upgraded. |
|
Table 4: Resource activity known issues
If a volume is mounted as a drive letter and as a folder path, and changes are made through the folder path - the Activity reports show the drive letter as the path for activity. |
148588 |
The SharePoint system account will be automatically filtered from resource activity. |
320562 |
When you restart a NetApp filer, the Data Governance agents scanning that filer must also be restarted as they do not automatically register the required FPolicy. |
417143 |
Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts. |
629701 |
EMC VNX activity collection is not supported for devices with multiple CIFS exposed virtual data movers. |
|
EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent. |
|
If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition. |
|
When integrating with Change Auditor version 6.9.x, no activity is being reported in Data Governance Edition.
There is a Change Auditor 6.9 hotfix now available to fix this integration. Please contact One Identity technical support for the latest Change Auditor hotfix. |
|
Table 5: SharePoint known issues
The SharePoint account SHAREPOINT\system displays in Account access as NULL SID. |
202555 |
In the Group Memberships tab, the location for SharePoint groups displays the URL instead of the friendly path for the group. |
213029 |
In the Accounts view, renamed SharePoint groups do not show the new name after a rescan. |
213906 |
When creating a new site collection on a farm where the SharePoint Auditing farm solution is enabled, you may see an error indicating that the farm solution is already activated. If this occurs, re-create the site collection. |
215381 |
Exceptions occur during security index scans if web app policy denies rights to a farm account, even if the web app is not a selected security index root. |
253558 |
Once data is placed under governance, a user or group's Limited access permission will be changed to the AllowRead permission. |
271856 |
Retrieval of security for SharePoint hidden lists (such as Converted Forms) through Data Governance Edition may incorrectly list the security for its parent folder regardless of inheritance. |
314472 |
For SharePoint 2010 farms, you may need to wait several minutes during agent install before managed paths can be successfully configured. |
388288 |
For SharePoint 2010, initial scans do not occur as expected if there is a delay in setting dataroots for newly deployed managed hosts.
Workaround: Wait for the scan schedule to lapse or restart the agent. |
418369 |
SharePoint and Windows security scans add nested groups to the security index. The default behavior is to add an entry for every trustee that has been found to be directly ACL'd on a managed host. The SharePoint and Windows security scan behavior does not cause any harm, it is simply inconsistent with the expected behavior. |
598090 |
Running Manage Access on a user/employee with a SharePoint user account type in the Security Index view logs an error: Requested value 'domain\user' was not found.
Workaround: Run another SharePoint synchronization. |
667557 |
In the web portal, the target accounts picker accessed from the "Edit subscription settings" window for an Account Access report shows the Claims Identity for SharePoint resources instead of the employee name. |
675807 |
Table 6: Object naming known issues
Data Governance Edition may incorrectly represent the names of certain Built-in groups, such as Administrators and Power Users, if these groups have been renamed.
This does not affect the underlying functionality of Data Governance Edition, just the display names of these groups. |
114243 |
Table 7: Machine local groups known issues
If a machine local user or group is renamed after it has been originally added to the Data Governance index, any subsequent name changes will not be properly reflected in the client. |
70422 |
Table 8: Agent known issues
Network configuration changes may not be reflected in the agent connection information. If the network configuration of a managed host changes such that outgoing connections become blocked, the agent on that computer may be incorrectly reported as operating in Active mode. Additionally, queries against this agent may not be processed. To resolve this situation, restart the agent to renegotiate the connection. |
45912 |
If you attempt to export an agent log from a client, ensure the agent state is set to OK. If the state is not set to OK, the process will fail.
Workaround: Go to the agent installation directory, right-click the DataGovernance.Agent.exe.dlog file for the agent in question, and choose Copy. |
178061 |
Table 9: Managed paths (formerly referred to as Security index roots) known issues
When deploying remote agents, it is sometimes possible to select roots that the specified service account cannot access. Ensure that the service account being selected for agent deployment can read the target. |
110236 |
C$ and ETC$ are not valid as managed paths for NetApp filers. |
177265 |
Table 10: Security modifications known issues
Removal of inherited and explicit entries in the security editor should be performed as two separate operations. When removing permissions in the security editor, if both explicit and inherited permissions are present in the selection, you will be prompted to confirm how to remove the inherited permissions. If the Copy from Parent option is selected, the permissions originally selected for removal will not be removed. A subsequent removal of the explicit permissions will properly remove the rights. |
99724 |
Do not manipulate security on the computer's recycle bin as this can cause consistency issues with the content of the recycle bin itself. |
105477 |
Adding machine local objects to a folder ACL on a NetApp filer using the Data Governance security editor is not supported. When navigating to a folder using a share path through the Resource browser or security editor, attempting to add a machine local ACE from the filer on the folder ACL will fail. |
154142 |
You may receive an error when editing security, through the Manage Access view, for renamed resource on devices with a configured scanning schedule. It is recommended to use the Resource browser to complete this action. |
215371 |
Table 11: Reporting known issues
Local reads of .txt files using notepad – no read event appears on activity reports. Account Activity and Resource Activity reports include events as they are conveyed by the system where the activity occurred. In some instances, certain applications do not report events as they may be expected by the user. This is the expected behavior of the application and Data Governance Edition, in most cases, is limited by what is reported by the operating system. |
149909 |
If agents are not in an OK or Data available state, data from these agents will not be included in reports. |
369565 |
Data Owners vs. Perceived Owners report in web portal does not allow you to select the root folder of a DFS link, therefore, the report can not be generated for that folder.
Workaround: Select the root folder using the Grid view instead of the Tree view in the web portal. |
648054 |
Table 12: Group membership known issues
Domain Built-in groups may not show access points on any managed host when selected from the tree view in the detailed Accounts view. To see this information, you must select the Built-in Group and run a Manage Access query that will return information on the Built-in group. |
155748 |
Table 13: Built-in users known issues
Only well-known accounts (such as Everyone and Authenticated Users) are returned when the Built-in filter is selected. Other Built-ins, such as administrators and users, are returned as groups. |
109347 |
Table 14: NetApp managed host known issues
Cloning an account on a NetApp managed host is not supported. |
208968 |
Adding rights to a folder on a NetApp managed host is not supported. |
208975 |
If you wish to collect security changes from your NetApp filer using Change Auditor, and you are also using Data Governance Edition to collect activity, you must disable cifs_setattr on the Data Governance FPolicy. In addition, you should not select to collect real-time security updates in Data Governance Edition. NetApp will not send the security change to more than one FPolicy. |
262027 |
Table 15: Shared managed resource process known issues
Configuration in a cross domain/forest scenario: In order to create the shared folder, the service account for the One Identity Manager job service requires extended permissions on the managed host server in the other domain/forest where the share root resides. That is, this service account requires permissions to create the share and add the groups to the share. |
520543 |
Table 16: Governed data attestation known issues
The Governed Data: Resource security deviation attestation shows no selected objects. That is, in the Manager when you select Change master data | Run attestation cases for single objects for a governed resource that has security deviations from its parent folder, the expected objects are not listed on the Run attestation cases for single objects dialog. |
647709 |
Table 17: Cloud managed host known issues
Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work. |
|
OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder. |
|
Table 18: Identity Manager Application Server known issues
Unable to assign user (Active Directory, UNS, SharePoint) accounts to an employee from Employees view in the Manager client when logged in through the Application Server.
Workaround: In some situations, using an Application Server connection with the Manager may not function as expected. Switching temporarily to a direct database connection should allow the function to succeed. |
678767 |
Table 19: Third-party known issues
Windows 2008 |
Unable to install an agent on a computer running Windows 2008.
To resolve this issue, download and install the VeriSign Class 3 Primary CA -G5 certificate in the local certificate store on the required target computers. The download is available here: https://www.symantec.com/page.jsp?id=roots. |
352646 |
Windows Server 2012/2012 R2 |
Agents used to scan an EMC or NetApp filer cannot be hosted on Windows Server 2012 or 2012 R2. When the Data Governance server is hosted on Windows 2012/2012 R2, you cannot browse resources or set managed paths for the EMC or NetApp managed host. This is related to a known issue with Windows Server 2012/2012 R2.
Workaround: Use an alternative supported operating system to host the agent to scan the EMC or NetApp filer or set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force
For more details on the known issue, see http://support.microsoft.com/kb/2686098. |
272220 |
Agent cannot access EMC or NetApp shares. After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2 or Windows 8, a "Windows cannot access <machine>" network error appears when attempting to access a share on the NAS device using the file explorer. The root cause is likely due to an incompatibility between your NAS device and SMB 2.0.
Workaround: Upgrade the FLARE code on your NAS device with support for SMB 2.2. If that is not feasible, disable SMB 2 in Windows Server 2012/2012 R2 or Windows 8.
For more details on the known issue and the proper solution, see http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/ |
596797 |
NetApp |
Local user accounts created on a NetApp filer with a password longer than 14 characters, will not be included in the indexed information sent to the Data Governance server. |
204302 |
Table 20: DFS host known issues
Unable to browse a DFS link in the Manager application, when the DFS link belongs to a DFS host whose Active Directory domain has a non-conventional NetBIOS name (NetBIOS name can’t be extracted from the domain’s name).
Workaround: Edit the ‘DisplayValue’ of the managed DFS host in the ‘QAMNode’ table in the database. Replace the non-conventional NetBIOS name in the ‘DisplayValue’ with the domain name (without the parent-domain or top-level domain). |
275342 |