
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Assign employee to cloud account

In order to assign ownership to a cloud resource, ensure that an Active Directory employee is assigned to the SHAREPOINTONLINE or ONEDRIVEBUSINESS account.

To assign a One Identity Manager Employee to a cloud account:

  1. In the Manager, select Employees | Employees.
  2. Locate and select the employee, right-click and select Tasks | Assign user accounts.
  3. In the lower pane, locate and double-click the account to be assigned to the selected employee.

One Identity Manager - Database configuration

The following table lists the One Identity Manager Database configuration parameters that must be set in the Designer to use various features.

Note: In the table, parameters marked as (Optional) may not need to be modified in order to enable email notifications. All other parameters listed must be modified with the proper information.

Table 13: One Identity Manager database configuration

If you want to: Receive email notifications from Data Governance Edition
Edit these parameters:
  • Common | MailNotification
  • Common | MailNotification | DefaultAddress
  • Common | MailNotification | DefaultCulture
  • Common | MailNotification | DefaultLanguage
  • Common | MailNotification | DefaultSender
  • Common | MailNotification | SMTPAccount (Optional)
  • Common | MailNotification | SMTPDomain (Optional)
  • Common | MailNotification | SMTPPassword (Optional)
  • Common | MailNotification | SMTPRelay

If you want to: Use report subscriptions and schedule reports using the web portal
Edit these parameters:
  • Common | MailNotification
  • Common | MailNotification | DefaultAddress
  • Common | MailNotification | DefaultCulture
  • Common | MailNotification | DefaultLanguage
  • Common | MailNotification | DefaultSender
  • Common | MailNotification | SMTPAccount (Optional)
  • Common | MailNotification | SMTPDomain (Optional)
  • Common | MailNotification | SMTPPassword (Optional)
  • Common | MailNotification | SMTPRelay
  • QER | RPS | DefaultSenderAddress

If you want to: Receive email notifications regarding attestation cases
Edit these parameters:
  • QER | Attestation | DefaultSenderAddress
  • QER | Attestation | MailApproval (Optional)
  • QER | Attestation | MailApproval | Account (Optional)
  • QER | Attestation | MailApproval | DeleteMode (Optional)
  • QER | Attestation | MailApproval | Domain (Optional)
  • QER | Attestation | MailApproval | ExchangeURI (Optional)
  • QER | Attestation | MailApproval | Inbox (Optional)
  • QER | Attestation | MailApproval | Password (Optional)

If you want to: Receive email notifications regarding IT Shop requests
Edit these parameters:
  • QER | ITShop | DefaultSenderAddress
  • QER | ITShop | MailApproval (Optional)
  • QER | ITShop | MailApproval | Account (Optional)
  • QER | ITShop | MailApproval | DeleteMode (Optional)
  • QER | ITShop | MailApproval | Domain (Optional)
  • QER | ITShop | MailApproval | ExchangeURI (Optional)
  • QER | ITShop | MailApproval | Inbox (Optional)
  • QER | ITShop | MailApproval | Password (Optional)

To edit configuration parameters

  1. Open the Designer.
  2. In the lower pane of the navigation view, select Base Data.
  3. In the far right column, select Edit configuration parameters.
  4. Click the expansion box to the left of a parameter (or double-click a parameter) to expand and display individual configuration parameters.
  5. Navigate to the required configuration parameter and click the check box to the left of the entry to enable the parameter.

    Note: Some configuration parameters will already be enabled (check box is selected) and others need to be enabled.

  6. Select the required parameter to display the parameter's properties in the bottom pane. Enter the required value in the Properties tab at the bottom of the pane. Click the Edit button to save your settings, which will then appear in the top pane.

    Note: The parameter must be enabled (check box is selected) and the proper value must be specified.

  7. Once you have finished editing the required configuration parameters, click the Commit to database toolbar button.

Configuring Change Auditor to collect resource activity

When Quest Change Auditor is installed, you can configure Data Governance Edition to collect resource activity directly from the Change Auditor database. When enabled, Change Auditor collects the selected activity events every 15 minutes on all managed hosts. The events received from Change Auditor are harvested by the Data Governance server, aggregated and placed directly into the Data Governance Resource Activity database.

The following considerations should be taken into account to determine whether Change Auditor should be used to collect resource activity:

  • At least one Data Governance agent must reside on the same machine as the Change Auditor agent in order to retrieve activity from the Change Auditor database.
  • Data Governance Edition uses the Change Auditor SDK to read the existing event data. Administrators for Data Governance Edition and Change Auditor should collaborate to determine what data Change Auditor is collecting.
  • The Change Auditor SDK authentication uses the same credentials as the Data Governance Edition managed domain service account. In this initial release of the feature, this is the user name and password used to connect to the Change Auditor SDK public port. There is no way of entering different Change Auditor SDK credentials at this time.

    Note: This Change Auditor SDK account must have the "View Sdk" permission set.

    You can define an application group using the Application User Interface page in Change Auditor to assign users to roles with the proper permissions. For more information, see the Quest Change Auditor User Guide.

  • The Change Auditor event collection feature only collects activity for file system, SharePoint farm and NAS events.

    Note: Change Auditor does not always contain enough information to map to Data Governance Edition resources. Therefore, the following SharePoint farm events are not included in Data Governance Edition activity reports:

    • All permission levels revoked
    • Site collection ownership granted
    • Permission level created
    • Permission level permissions modified
    • Member added to security group
    • Security group created
    • Security group deleted
    • Auditing solution deployment changed.
  • If Change Auditor is configured to collect activity from your EMC storage device using the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition.
  • When using Change Auditor to collect resource activity, NetApp managed hosts will not place an FPolicy for Data Governance Edition on the NetApp filer.
  • When using Change Auditor to collect resource activity, the default settings for resource activity collection and aggregation for all managed hosts differ as follows:
    • Collect and aggregate events is selected by default.

      Note: Read events are disabled by default; however, each managed host can specify the types of events to be collected.

    • Aggregation setting is not available; Change Auditor uses the collection interval defined in the CAAggregationIntervalMinutes configuration parameter. Default is every 15 minutes and applies to all managed hosts.
    • Resource Activity Exclusions is not available.
  • When using Change Auditor to collect resource activity, it is not recommended to enable the Collect activity for real-time security updates on EMC or NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.

To use Change Auditor to collect resource activity

  1. Open the Designer.
  2. In the lower pane of the navigation view, select Base Data.
  3. In the far right column, select Edit configuration parameters.
  4. Navigate to and expand TargetSystem | ADS | QAM.

  5. Click the check box to the left of UseChangeAuditor.

    When enabled, Change Auditor collects events every 15 minutes on all managed hosts. To change this collection interval, modify the CAAggregationIntervalMinutes parameter.

    TIP: If you have large amounts of real-time Change Auditor events, you may want to reduce the aggregation interval to every five minutes. Check the Data Governance service log for the Change Auditor query results to determine the number of events returned to Data Governance Edition. In this scenario, do NOT increase the aggregation interval (for example, to 24 hours), as this would cause Data Governance Edition to try to accept millions of events from Change Auditor, which could cause the Data Governance service to fail or time out.

  6. Click the Commit to database toolbar button.
  7. Restart the Data Governance service.

One Identity Manager Application Server

If you install the One Identity Manager Application Server under IIS, you must add an account that is able to access the Data Governance server (that is, an Active Directory user account that is mapped to a One Identity Manager employee with the Data Governance | Administrators and Data Governance | Access Managers application roles applied) as the application pool identity.

To modify the application pool identity

  1. Open Internet Information Services (IIS) Manager.
  2. In the left pane, navigate to and select Application Pools.
  3. In the middle pane, select the application pool for the application server (AppServer_POOL is the default name).
  4. In the right pane, click Advanced Settings.
  5. In the Advanced Settings dialog, edit the Identity value (under the Process Model section). This value must contain an account that is able to access the Data Governance server (i.e., an Active Directory user account mapped to an employee with both the Data Governance | Administrators and Data Governance | Access Managers application roles).

If the Application Server application pool is left set to the default Network Service identity, Data Governance Edition reports will fail to generate.
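As an added illustration (not part of the One Identity deployment guide), the following PowerShell snippet checks which identity the Application Server pool runs under and switches it to a specific domain account when it is still a built-in identity such as Network Service. It assumes the IIS WebAdministration module is available on the application server, uses the default pool name AppServer_POOL from the procedure above, and leaves the choice of account (the Active Directory user mapped to an employee holding the Data Governance | Administrators and Data Governance | Access Managers roles) to the credential prompt; no account name or password is hard-coded.

```powershell
# Added example, not from the One Identity deployment guide.
# Assumptions: IIS WebAdministration module present; pool name is the default
# AppServer_POOL named in the guide; the operator supplies the domain account
# that is mapped to the Data Governance employee at the credential prompt.
Import-Module WebAdministration

$poolName = 'AppServer_POOL'
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' not found; check the name in IIS Manager."
}

# processModel carries identityType (ApplicationPoolIdentity, LocalSystem,
# LocalService, NetworkService, SpecificUser) and, for SpecificUser, userName.
$pm = (Get-ItemProperty -Path $poolPath).processModel
Write-Host "Current identityType: $($pm.identityType)  userName: $($pm.userName)"

# A built-in identity cannot be mapped to a One Identity Manager employee,
# so Data Governance reports fail; only a specific domain account is acceptable.
if ($pm.identityType -ne 'SpecificUser') {
    $cred = Get-Credential -Message 'Domain account for the Application Server pool'
    Set-ItemProperty -Path $poolPath -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $poolName
    Write-Host "Pool '$poolName' now runs as $($cred.UserName)."
}
else {
    Write-Host "Pool '$poolName' already runs as a specific user; verify that $($pm.userName) is mapped to an employee with both Data Governance application roles."
}
```

Run this in an elevated PowerShell session on the IIS host. Prompting for the credential keeps the service account password out of scripts and shell history; after the pool restarts, generate a Data Governance report to confirm the identity now has access to the Data Governance server.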
