
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Managed host configuration options

Managed hosts must be properly configured for security scanning (and resource activity collection, if applicable) to begin. An agent must be configured to communicate with the server and gather resource information. Until this is completed, no security information will be stored or indexed for this computer. Agents are configured when you add or edit a managed host.

  • Real-time security updates, in the context of Data Governance Edition, refer to the monitoring of file system changes caused by create, delete, and rename operations, as well as DACL, SACL, and Owner changes, in order to keep the security index current. Real-time security updates are not monitored by default, but can be enabled and configured on the Security Scanning page of the Managed Host Settings dialog.

    Note: Enabling real-time security updates for NAS devices requires additional configuration on the NAS device itself. For more information, see Appendix: EMC managed host deployment and Appendix: NetApp managed host deployment.

  • When enabled, resource activity is collected in real time, compressed, and then stored in the Data Governance Resource Activity database. Historical activity data can then be used to calculate a resource's perceived owner and to generate activity-related reports. Use the Resource Activity page of the Managed Host Settings dialog to enable and configure resource activity collection and aggregation.
  • Managed paths will be scanned for security access information and if enabled, for collecting resource activity.

The available configuration settings vary depending on the type of managed host, as shown in the following table. Yes indicates that the settings can be configured.

Table 16: Configurable managed host settings

| Managed host type | Resource activity | Real-time security updates | Security scanning | Managed paths | Service accounts |
| --- | --- | --- | --- | --- | --- |
| Local Windows Computer | Yes. Not collected by default. | Yes. Not monitored by default. | Yes. By default, scanning starts immediately once an agent is deployed. | Yes. By default, all NTFS drives are scanned if no managed paths are specified. | No service account is required, as the agent runs as the Local System. |
| Windows Cluster / Remote Windows Computer | N/A | Yes. Not monitored by default. | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account with Local Administrator rights on the managed host. The agent scanning the host runs under the service account. |
| NetApp 7-Mode and Cluster-Mode CIFS Devices; NetApp 7-Mode and Cluster Mode NFS Devices | Yes. Not collected by default. Requires FPolicy. | Yes. Not monitored by default. | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account; it must be a member of the local Administrators group on the NetApp 7-Mode filer in order to create FPolicy. This account must also have permissions to access the folders being scanned. |
| EMC CIFS Devices | Yes. Not collected by default. | Yes. Not monitored by default. | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account with the required permissions. The agent scanning the host runs under the service account. The service account for an agent managing EMC Isilon storage devices must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path). |
| EMC Isilon NFS Devices | N/A | N/A | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account; it must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path). |
| SharePoint Farm | Yes. Not collected by default. | N/A | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account; it must be the SharePoint farm account (the same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)) and must be a member of the administrators group on the SharePoint server. The agent scanning the host runs under the service account. |
| Cloud (for example, SharePoint Online) | N/A | N/A | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account, which becomes the agent run-as account. This account is not used to connect to the Cloud provider. |
| Generic | N/A | N/A | Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M. | Yes. Managed paths must be defined for scanning to occur. | Requires a service account with the required permissions. The agent scanning the host runs under the service account. |
| Distributed File System | Yes. Not collected by default. | N/A | N/A | N/A | N/A |

Related Topics

Managed host settings dialog

Editing managed host settings

Customizing default host settings

Managed host settings dialog

The Managed Host Settings dialog allows you to define the configuration settings for new managed hosts. This dialog appears when you select one of the following tasks from the Managed hosts view:

  • Manage host
  • Manage multiple hosts
  • Manage NFS host
  • Manage Cloud host
  • Edit host settings

This dialog contains the following controls.

Table 17: Managed Host Settings dialog: Controls
Control Description
Managed Host

Specifies the managed host to be added.

  • For local managed hosts, this is a read-only field that displays the name of the host computer selected in the Managed hosts view.
  • For remote managed hosts, including supported EMC and NetApp storage devices with CIFS file system protocol enabled, this is a read-only field that displays the name of the host computer selected in the Managed hosts view.
  • For cloud managed hosts, this field is blank when using the Manage Cloud host task. However, it displays the <DomainName>.onmicrosoft.com host name when using the Edit host settings task.
  • If multiple hosts are selected, <Multiple Managed Hosts> appears in this field.
  • For NFS managed hosts, enter the IP address or fully qualified domain name of the NFS host computer to be managed.
Host Type

Select the type of managed host to be added to the Data Governance Edition deployment.

When using the Manage host or Manage multiple hosts task, the options available depend on the host computer selected in the Managed hosts view. Valid managed host types include:

  • EMC Celerra/VNX Device
  • EMC Isilon Device
  • Generic Host Type
  • Local Windows Computer
  • NetApp OnTap Cluster Mode CIFS Device
  • NetApp OnTap 7-Mode CIFS Device
  • SharePoint Farm
  • Windows Cluster/Remote Windows Computer

When using the Manage NFS host task, you must select one of the following host types:

  • EMC Isilon NFS Device
  • NetApp Cluster NFS Device
  • NetApp 7-Mode NFS Device

When using the Manage Cloud host task, you must select one of the following host types:

  • SharePoint Online
  • OneDrive for Business

When using the Edit host settings task, this is a read-only field that specifies the type of host.

Agent Install Path

By default, the agent will be installed in the Data Governance Server installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

When you deploy an individual agent, you can use this field to specify an alternate agent installation directory. To do so, enter a local path (for example, C:\Mypath) that does not exceed 512 characters.

NOTE: If there is an existing agent on the machine, you cannot install another agent with a different installation directory. All agents must be installed in the same directory.

NOTE: If required, use the Customize default host settings task to define an alternate default installation directory for deploying new agents. When you opt to set the installation directory for an individual agent using the Agent Install Path field on the Managed Host Settings dialog, it will take precedence over the default agent installation location defined on the Customize default host settings dialog.

Keywords (Optional)

Enter a keyword which can then be displayed and used to group your managed hosts on the Managed hosts view.

NIS Host

Use the NIS Host page to select the Network Information Service (NIS) server whose users and groups have been synchronized with One Identity Manager.

NOTE: This page only applies to NFS managed hosts.

For more information, see NIS Host page.

Credentials page

Use the Credentials page to provide user credentials that can establish a connection with the NAS device.

  • For NetApp hosts, the user must have the "ontapi" User Login Method application.
  • For EMC hosts, this account must have the "Platform API" privileges applied.

NOTE: This page only applies to NFS managed hosts and NetApp OnTap Cluster Mode CIFS managed hosts.

For more information, see Credentials page.

Cloud Provider

The Cloud Provider page indicates if you are successfully authenticated with the Data Governance Edition API cloud proxy and can also be used to re-authenticate to the cloud proxy.

NOTE: This page only applies to Cloud managed hosts.

For more information, see Cloud Provider page.

Agents page

Use the Agents page to configure the agents to be used to monitor a remote managed host or SharePoint managed host.

NOTE: This page only applies to remote managed hosts and SharePoint managed hosts.

For more information, see Agents page.

Managed Paths page

Use the Managed Paths page to define the paths to be managed by Data Governance Edition. These managed paths will be scanned for security access information and if enabled, for collecting resource activity.

Click the Add button to display the Managed Paths Picker dialog, where you can then navigate to and select the paths to be scanned.

For more information, see Managed paths page.

Security Scanning page

Use the Security Scanning page to set the schedule and settings that agents use to scan the file system for changes to its structure and security.

For more information, see Security Scanning page.

Resource activity page

Use the Resource Activity page to configure the collection and aggregation of resource activity for the target managed host.

NOTE: Not available for Windows Cluster/Remote Windows Computer, Generic, or Cloud managed hosts.

For more information, see Resource activity page.

OK

Click the OK button to save your selections and close the dialog.

Cancel

Click the Cancel button to close the dialog without saving your selections.

Related Topics

Adding a local managed host (Windows computer)

Adding a Windows cluster / Windows computer as a remote managed host

Adding a generic managed host

Adding a Distributed File System (DFS) root managed host

Adding a SharePoint farm managed host

Adding a NetApp CIFS device as a managed host

Adding an EMC CIFS device as a managed host

Adding an NFS managed host

Adding a cloud managed host

Editing managed host settings

NIS Host page

Select a Network Information Service (NIS) server whose users and groups have been synchronized with One Identity Manager.

NOTE: This page only applies to NFS managed hosts.

Table 18: NIS Host page: Controls and settings
Control/setting Description
NIS Host

Select the NIS server to be managed.

The NIS servers previously synchronized with One Identity Manager (UNIX synchronization project) are listed in the drop-down menu.

Credentials page

Provide the credentials of a user which can establish a connection to the NAS storage device.

  • For NetApp devices, this user account must have the 'ontapi' User Login Method application.
  • For EMC Isilon devices, this user account must be assigned the 'Platform API' privilege.

Note: This page only applies to NFS managed hosts and NetApp OnTap Cluster Mode CIFS managed hosts.

Table 19: Credentials page: Controls and settings
Control/setting Description
User Name

Enter the name of a user account with access to the target NAS storage device.

Password

Enter the password associated with the specified user account.

Port

Enter the destination port to be used for communication between the agent and target NAS storage device.

  • NetApp filers: The default value is 443.
  • EMC devices: The default value is 8080.
Host EndPoint

Optionally, enter the API endpoint for the NetApp Cluster Mode connection. This could be an FQDN, host name or IP address.

NOTE: The default is to use the FQDN of the targeted host. You would only use this setting if the API connection needs to be specified as something other than the FQDN of the targeted host.

NOTE: Only applies to NetApp Cluster Mode devices.
Test API Credentials

Click this button to verify that the credentials entered are valid.