Chat now with support
Chat mit Support

Identity Manager Data Governance Edition 8.1.1 - Deployment Guide

Introduction Data Governance Edition system requirements Install One Identity Manager Data Governance Edition Deploy Data Governance Edition components Post installation configuration Authentication using service accounts and managed domains Working with managed hosts and agents Upgrade Data Governance Edition Remove Data Governance Edition Troubleshooting Appendix: NetApp managed host deployment Appendix: EMC managed host deployment Appendix: SharePoint managed host deployment

Resource activity page

You can collect resource activity on local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts. Resource activity collection is not supported for Windows Cluster/Remote Windows Computer, Generic, or Cloud managed hosts.

Note: Limitations with collecting resource activity on EMC storage devices:

  • EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.
  • EMC VNX activity collection by Data Governance agents is not supported for storage devices with multiple CIFS exposed virtual data movers.
  • Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts.
  • If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity from your EMC device with both Change Auditor and Data Governance Edition.

When enabled, you can configure to collect data on identities, reads, writes, creates, deletes, renames, and security changes on securable objects. Resource activity summary information is used to calculate ownership and for generating activity-related reports, including the Resource activity, Account activity, Interesting resources without an owner, Data owner vs. perceived owner, and Perceived owners for data under governance reports.

Important: By default, the collection of resource activity is disabled. You can enable it when you configure your managed hosts. However, collecting resource activity on your managed hosts impacts network usage and increases load on the Resource Activity database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation is important to limit some of this load. You should carefully plan out which servers you want to collect activity on and enable it only on those machines.

If you are collecting resource activity, it is recommended that you set up a scheduled execution of the activity database compression utility. This utility compresses the activity in your database that is older than a certain age and optionally purges entries that are even older. This is essential in ensuring your database remains manageable. For more information on the activity database compression utility, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Note: Data Governance Edition may report certain operations in unexpected ways. For example, in some instances a file rename operation may be represented as a delete and a create. This is normal behavior and depends on the system, or in some cases, the applications being used to interact with the resources.

Note: The time stamps for resource activity are based on the agent local time.

The Resource Activity page on the Managed Host Settings dialog contains the following information and options to configure the collection and aggregation of resource activity.

Table 24: Managed host settings: Resource Activity page
Field Description
No activity (scheduled security scans only)

Use this option if you do not want to collect resource activity for the target managed host.

NOTE: For all types of managed hosts, this option is selected by default indicating that resource activity in not being collected for the target managed host.
Collect and aggregate events

Select this option to collect resource activity for the target managed host. When this option is selected, you can configure the events to be collected and the aggregation interval to be used to compress the activity data.

NOTE: For SharePoint farm managed hosts, native SharePoint auditing must be enabled in order to collect resource activity.

NOTE: For NetApp managed hosts, the FPolicy settings control the activity sent to the agent, unless resource activity is being collected directly from Change Auditor. For more information, see FPolicy deployment.

NOTE: For EMC Celerra/VNX devices, you must configure the cepp.conf. For more information, see Creating the cepp.conf file (Celerra or VNX devices).

NOTE: For EMC Isilon CIFS devices, you must enable auditing. For more information, see Enabling system configuration auditing (Isilon devices).

NOTE: When using Change Auditor to collect resource activity, this option is selected by default. For more information, see Configuring Change Auditor to collect resource activity.
Events

Select or clear the check boxes to specify the type of events to be included in the resource activity collection process:

  • Security change
  • Create
  • Delete
  • Rename
  • Write
  • Read (Disabled by default)

NOTE: When resource activity collection is enabled, read operations are not collected by default. Care should be taken when enabling read operations because they may cause performance issues.
Aggregation

Select how often you would like to aggregate the data. Valid aggregation intervals are:

  • 5 minutes
  • 1 hours
  • 8 hours (default)
  • 1 day

All activity is aggregated within the set time frame, which is 8 hours by default. For example, if a user reads a file ten times within the time frame, it appears as a single line item with a count of 10.

NOTE: The aggregation interval should be chosen carefully. A shorter interval gives more granular information about activities but can cause the size of the database to use up all the disk space on the server.

NOTE: When using Change Auditor to collect resource activity, the aggregation setting is not available. Change Auditor is configured to collect events every 15 minutes on all managed hosts. For more information, see Configuring Change Auditor to collect resource activity.

Resource Activity Exclusions

Click this button to specify the accounts, file extensions, and folders to be excluded from the resource activity collection process. By focusing on the objects in whose activity you are interested, you can reduce network traffic.

Certain well known system accounts, file extensions, and folders are excluded by default, such as:

  • Accounts: Local Service, Network Service, Null SID, System

    NOTE: The Accounts tab is not available for NFS managed hosts.
  • File Extensions: Database files, Disc Image files, Email files, Executable files, Explorer Metadata files, Log files, Shortcut files, Temporary files, and Virtual machine files
  • Folders: %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%

By default, the Data Governance agent excludes the run as account (local managed hosts) and the domain service account (remote managed hosts) from activity collection and aggregation regardless if the service account is specified in the Resource Activity Exclusions list. The service account for SharePoint farm managed hosts are not excluded by default; you will need to add the SharePoint service account manually for SharePoint farm managed hosts.

To see the full list, click the Resource Activity Exclusions button.

  • If the list is empty on the Resource activity exclusions dialog, click Default to populate the exclusions list with default values.
  • To add an object to the exclusion list, click Add and specify the account, file extension or folder.

NOTE: When using Change Auditor to collect resource activity, the Resource Activity Exclusions feature is not available.For more information, see Configuring Change Auditor to collect resource activity.

View/Update cepp.conf

For EMC Celerra/VNX hosts, this button allows you to view or update the cepp.conf file for the selected data mover.

Clicking this button displays a Logon Credentials dialog allowing you to enter the EMC Celerra/VNX control station credentials and to select the data mover to be scanned.

  • Control Station: Enter the IP address or host name of the EMC Celerra/VNX control station.
  • User: Enter the user name of an account with administrative rights on the specified control station.
  • Password: Enter the password associated with the user account entered.

    The client attempts to connect and loads the list of available data movers on the specified device.

  • Data Mover: Select the data mover that holds the managed paths you wish to monitor and will also be associated with resource activity collection.

The client then retrieves and displays the cepp.conf file from the selected data mover. You can edit the Proposed cepp.conf file (lower pane) as needed. To save your edits, select Update File. The client then sends the Proposed cepp.conf file to the EMC device. It will stop and start the cepp service for the selected data mover to apply the new cepp.conf file.

Click the Check Status button to retrieve the same information you wold get if you ran "server_cepp server_2-pool-info" on the EMC device.

Editing managed host properties

You can edit the managed host settings for one or more managed hosts of the same host type. For more information on the configuration options available, see Managed host configuration settings. You can also use the Edit host settings task to add, remove or change the agents used to scan a remote managed host. For more information, see Removing agents.

To edit a managed host’s configuration settings

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select the required managed host with a status of Managed.

  3. Select Edit host settings in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Managed Paths page to change the paths to be scanned and monitored.
    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.
  4. After making the required changes, click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time. However, if you modified the managed paths being scanned and the Immediately scan on agent restart or when managed paths change option is selected on the Security Scanning page, the agent initiates a scan immediately.

To edit multiple managed hosts

Note: When multiple managed hosts are selected, keep in mind that the settings are overwritten for all selected managed hosts and only the settings that are appropriate for the selected managed host type are applied. Because of this, you may notice that not all the same pages are displayed when multiple managed hosts are selected for editing (for example, the Managed Paths page is not displayed).

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select multiple managed hosts with the same host type in the Managed hosts view
  3. Select Edit host properties in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.

    The options displayed are the factory default values regardless of the current values of the selected managed hosts.

  4. Select the Apply these settings to all selected managed hosts check box and make the required changes, which will be applied to all selected managed hosts.
  5. Click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time.

Customizing default host settings

Defining default host settings for each type of managed host is now available through the Manager. Using the Customize default host settings task in the Manager, you can define the default scanning schedule and settings and the default resource activity collection and aggregation settings for the selected managed host type. Once customized default settings are defined, they are used when adding new managed hosts to the Data Governance Edition deployment.

Note: Currently managed hosts are not affected by the default host setting changes made on this dialog; only those added in the future use the settings defined here.

To customize default host settings

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select the Customize default host settings from the Tasks view or right-click menu.

    The Customize default host settings dialog appears.

  3. At the top of the dialog, specify the following information: 
    1. Host Type: Select the host type from the drop-down menu:

      • Local Windows Computer
      • Windows Cluster/Remote Windows Computer
      • Generic Host Type
      • SharePoint Farm
      • EMC Celerra/VNX Device
      • EMC Isilon Device
      • NetApp OnTap 7-Mode CIFS Device
      • NetApp OnTap Cluster Mode CIFS Device
      • NetApp Cluster NFS Device
      • EMC Isilon NFS Device
      • NetApp 7-Mode NFS Device
      • SharePoint Online
      • OneDrive for Business
    2. Agent Install Path: Use this field if you want to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

    3. Keywords: Use this field if you want to specify a keyword to be assigned to newly managed hosts, which can be used for sorting and grouping on the Managed hosts view.
  4. Use the Security Scanning page to define the default scanning schedule and settings. For more information, see Security Scanning page.
  5. Use the Resource Activity page to define the resource activity collection and aggregation settings. For more information, see Resource activity page.

    Note: Resource activity collection is not available for the following host types:

    • Windows Cluster/Remote Windows Computer
    • Generic Host Type
    • EMC Isilon NFS Device
    • SharePoint Online
    • OneDrive for Business
  6. Repeat steps 3 - 5 for any additional host types that require custom default settings.
  7. If necessary, click the Restore Factory Defaults button to reset all changed settings back to the factory defaults.

    Note: Clicking the Restore Factory Defaults button resets all custom default settings back to the factory default settings for all managed host types.

  8. Click OK to save your selections and close the dialog.

All managed hosts of the selected host type that are added in the future will use these customized default settings.

Deployment management

You should regularly check the status of your managed hosts to ensure that the system is working properly. You can see the state of your deployment through the Managed hosts view and Agents view.

Verwandte Dokumente