
Identity Manager Data Governance Edition 8.1.1 - Technical Insight Guide


Activity weight multipliers

The activity weight multipliers in the Data Governance server configuration file affect the perceived owner calculations, which are based on the resource activity data collected by Data Governance agents. A weight is assigned to each different type of activity. The default calculation assumes that the data owner is more likely to create, edit, delete, and change security on the data than merely read it, so a heavier weight is assigned to these change operations. By default, the heaviest weight is given to security changes and the lightest weight to reads.

Table 54: Activity weight multipliers
Configuration setting Description
<add key="Activity.ReadWeightMultiplier" value="100"/> Weight assigned to read operations. By default, this is the lowest value.
<add key="Activity.WriteWeightMultiplier" value="150"/> Weight assigned to write operations.
<add key="Activity.CreateWeightMultiplier" value="150"/> Weight assigned to create operations.
<add key="Activity.DeleteWeightMultiplier" value="150"/> Weight assigned to delete operations.
<add key="Activity.RenameWeightMultiplier" value="125"/> Weight assigned to rename operations.

<add key="Activity.SecurityChangeWeightMultiplier" value="200"/> Weight assigned to security changes. By default, this is the highest value.

To configure the perceived owner calculation

  1. Browse to and open the DataGovernanceEdition.Service.exe.config file.
  2. In the configuration file, locate the Application settings (<appSettings>) section.
  3. Locate and alter the value assigned to the required key.
  4. Save your changes.
  5. Restart the Data Governance service after making changes to these settings and saving the file.
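The following is an added example (not One Identity code) that reads the Activity.*WeightMultiplier keys from an <appSettings> fragment and applies them to a constructed set of agent activity records. The ranking rule it uses, the sum of the multiplier for every recorded event per account, is an assumed illustration of how the weights bias the result, not the product's exact perceived-owner algorithm. It shows why the defaults favour an account that changes content and security over one that only reads, and how flattening all weights to the same value reverses that outcome.

```python
"""Weighted perceived-owner ranking driven by Activity.*WeightMultiplier keys.

Added example, not One Identity code. The scoring rule (sum of the multiplier
for each event, per account) is an assumption used to illustrate the weights.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt of DataGovernanceEdition.Service.exe.config with the
# default values from Table 54.
CONFIG_XML = """<configuration>
  <appSettings>
    <add key="Activity.ReadWeightMultiplier" value="100"/>
    <add key="Activity.WriteWeightMultiplier" value="150"/>
    <add key="Activity.CreateWeightMultiplier" value="150"/>
    <add key="Activity.DeleteWeightMultiplier" value="150"/>
    <add key="Activity.RenameWeightMultiplier" value="125"/>
    <add key="Activity.SecurityChangeWeightMultiplier" value="200"/>
  </appSettings>
</configuration>"""

# Maps an activity type to the appSettings key that weights it.
KEY_FOR_ACTIVITY = {
    "read": "Activity.ReadWeightMultiplier",
    "write": "Activity.WriteWeightMultiplier",
    "create": "Activity.CreateWeightMultiplier",
    "delete": "Activity.DeleteWeightMultiplier",
    "rename": "Activity.RenameWeightMultiplier",
    "securitychange": "Activity.SecurityChangeWeightMultiplier",
}


def load_weights(xml_text):
    """Return {key: int} for every Activity.*WeightMultiplier in <appSettings>."""
    root = ET.fromstring(xml_text)
    weights = {}
    for add in root.iter("add"):
        key = add.get("key", "")
        if key.startswith("Activity.") and key.endswith("WeightMultiplier"):
            weights[key] = int(add.get("value"))
    return weights


def score_accounts(events, weights):
    """Sum the configured weight of every (account, activity) event per account."""
    scores = defaultdict(int)
    for account, activity in events:
        scores[account] += weights[KEY_FOR_ACTIVITY[activity]]
    return dict(scores)


def perceived_owners(events, weights):
    """Accounts ordered from most to least likely owner (ties broken by name)."""
    scores = score_accounts(events, weights)
    return sorted(scores, key=lambda account: (-scores[account], account))


# Constructed activity sample: alice only reads; bob reads once but also
# writes and changes security.
SAMPLE_EVENTS = [("alice", "read")] * 4 + [
    ("bob", "write"),
    ("bob", "securitychange"),
    ("bob", "read"),
]

if __name__ == "__main__":
    weights = load_weights(CONFIG_XML)
    print("default weights:", perceived_owners(SAMPLE_EVENTS, weights))
    flat = {key: 100 for key in weights}  # what happens if every weight is equal
    print("flat weights:   ", perceived_owners(SAMPLE_EVENTS, flat))
```

With the defaults bob scores 450 (150 + 200 + 100) against alice's 400 and is ranked first despite generating fewer events; with every multiplier set to 100 the ranking is decided by event count alone and alice comes first.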

Self-service suitability calculation multipliers

The "best fit" group is determined through a series of calculators that work on various criteria. Each calculator returns a value in the range of -2 to +2:

  • Very Bad (-2)
  • Bad (-1)
  • Neutral (0)
  • Good (+1)
  • Very Good (+2)

These calculators cannot be changed, but you can modify the positive and negative multipliers by changing the default values defined in the DataGovernanceEdition.Service.exe.config file. The following set of multipliers is used by the self-service calculation system to modify the relative weights of the various suitability calculators.

NOTE: Keep in mind that the multiplier values are only relative to one another. If you doubled all the multipliers, there would be no change in the resulting set of groups returned to the user. If you want your desired criteria to be considered more important, set the multipliers on those calculators higher relative to the rest.

NTFS group membership calculation multipliers
Configuration settings:

<add key="SelfService.AccessInheritanceSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.AccessInheritanceSuitabilityProcessor.NegativeMultiplier" value="100"/>

Checks access inheritance: Groups whose rights to the targeted resource are explicit are favorable. Groups that have been delegated access to the targeted resource through inherited permissions are considered less favorable.

  • If the permissions have been inherited from some resource higher in the hierarchy, then the requester may be given access to more resources than they've actually requested. (Bad)
  • If nothing is gained through inherited access, don't change the suitability. (Neutral)
  • If the explicitly held rights are a better match than neutral and there are no inherited rights, then that's good (Good)

<add key="SelfService.AccessSuitabilityProcessor.PositiveMultiplier" value="200"/>

<add key="SelfService.AccessSuitabilityProcessor.NegativeMultiplier" value="500"/>

Checks access rights:

  • It is optimal if the access held by the group is exactly what the request requires. (Very good)
  • If the group has slightly more access than is required, it may be suggested but considered less favorable. (Good)
  • It is detrimental if the group has "dangerous" rights, such as Full Control, Take Ownership, or Change Permissions. (Very bad)
  • If the group doesn't have sufficient access to meet the request, it is marked as ineligible for selection. (Ineligible)

<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>

Checks Domain Local group membership:

  • If a group contains any Global or Universal groups, then it's likely being used as a resource group. This means that the group should be less desirable for usage as an access provisioning group. (Bad)
  • If a group does not contain any Global or Universal groups, then it is most likely used for direct access provisioning and not as a container group. (Very good)

<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>

Checks group membership rules:

  • Global groups that exist in the same domain as the employee are favorable.
  • If the group is Universal, the employee must exist in the same forest as the group.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.GroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.GroupTypeSuitabilityProcessor.NegativeMultiplier" value="200"/>

Checks group type: Based on Microsoft best practices, groups are favored in the following order:

  • If the group is a Global group, it is marked as very good.
  • If the group is a Universal group, it is marked as good.
  • If the group is a Domain Local group, it is marked as bad.
  • Domain built-in groups and non-security groups are never considered suitable selections and are marked as ineligible.

<add key="SelfService.OriginInformationSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.OriginInformationSuitabilityProcessor.NegativeMultiplier" value="100"/>

Check origin domain:

  • Groups in the same domain as the requesting employee are considered favorable. (Very good)
  • Groups from the resource's forest are considered less favorable. (Good)
  • Groups from forests outside of the forest of the requesting employee are considered even less favorable. (Bad)

<add key="SelfService.ResourceDistanceSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.ResourceDistanceSuitabilityProcessor.NegativeMultiplier" value="100"/>

Checks distance from resource: The closer the group is to the resource, the better. The further away the group gets from the ACL, the worse the score.

  • Groups directly in the resource's access control list are considered favorable.
  • A group that is nested one or more steps away from the access control list is considered less favorable.

NOTE: This calculator never marks a group as very bad.

SharePoint group access calculation multipliers
Configuration settings:

<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="300"/>

<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>

Choose a group assigned a permission level that best fits the requested access. Not enough rights makes the group ineligible. Granting any modification permissions when only Contribute permissions are requested makes the group ineligible.

<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>

Groups that contain permission levels that grant a user not only the requested rights, but also give the ability to delegate permissions to others will be marked as ineligible.

<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.NegativeMultiplier" value="100"/>

Avoid groups that grant farm administrative rights. Farm Admin groups are marked as ineligible, otherwise the group is marked as neutral.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.JoinOptionsSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.JoinOptionsSuitabilityProcessor.NegativeMultiplier" value="100"/>

Checks a group's access properties:

  • If the group is not a SharePoint group, it is marked as neutral.
  • If the auto-accept members flag is set, the group is assumed to be extremely safe and it is marked as very good.
  • If a workflow exists for granting access, or current members of the group are able to add others, the group is marked as good.
  • If the property that specifies only group members may view the membership is set, the group is assumed to be fairly locked down; therefore, the group is marked as bad.

<add key="SelfService.PermissionsAgreeSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.PermissionsAgreeSuitabilityProcessor.NegativeMultiplier" value="100"/>

Many Windows groups that may be viable through Windows Domain Trusts do not always work in granting SharePoint access because of limitations in SharePoint security checking. This calculator checks to see if SharePoint itself considers the group valid for the requested access. If the effective permissions meet the requirements of the requested permissions, that is very good. Otherwise, it is marked as neutral.

Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results.

<add key="SelfService.NestingSuitabilityProcessor.PositiveMultiplier" value="200"/>

<add key="SelfService.NestingSuitabilityProcessor.NegativeMultiplier" value="100"/>

If the target group is an Active Directory group that is also a member of a SharePoint group, it is marked as very good. Otherwise, it is marked as neutral.

Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results.

<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.PositiveMultiplier" value="50"/>

<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>

Checks the type of group:

  • If the group is a SharePoint group, it is marked as neutral.
  • If the group is a security-enabled Active Directory group, it is marked as ineligible.
  • If the group is a global Active Directory group, it is marked as very good.
  • If the group is a universal Active Directory group, it is marked as good.
  • If the group is a built-in domain group, it is marked as ineligible.
  • If the group is a local domain group, it is marked as bad.

Note: The default values when none of these are satisfied mark the group as ineligible.

<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>

Some organizations prefer to use groups that are SharePoint groups because they enhance SharePoint features and delegation within SharePoint itself, as well as allowing self service. This is a trade-off between SharePoint features vs. Active Directory group power in the enterprise. The use of Active Directory groups vs. SharePoint groups as a best practice is a debated topic.

If a group is a SharePoint group, mark it as very good, otherwise mark it as neutral. To avoid SharePoint groups, flip the positive “weight” to a negative number.

<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.NegativeMultiplier" value="100"/>

Avoid groups that grant Site Collection Administrative rights. These groups are marked as ineligible. Otherwise, the group is marked as neutral.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.NegativeMultiplier" value="100"/>

Avoid groups that would cause the user to gain the Act As System right. These groups are marked as ineligible. Otherwise, the group is marked as neutral.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.NegativeMultiplier" value="100"/>

Avoid groups that Web Application policies grant Site Collection Administrative rights to. These groups are marked as ineligible. Otherwise, the group is marked as neutral.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.NegativeMultiplier" value="100"/>

Some Farms may have policies denying most users from ever getting permissions that are too high.

  • Any rights denied outside the requested permissions are considered neutral.
  • A policy can make the group ineligible if it denies rights being requested.

NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results.

<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.PositiveMultiplier" value="100"/>

<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.NegativeMultiplier" value="100"/>

Avoid groups that get rights granted via a Web Application policy (in any zone). The more rights granted, the worse it is. These policies are usually used to grant rights to service accounts, such as the Search Service account, and are not generally good ways to obtain access to resources.

  • If the group has MORE than the following permissions, then it is marked as ineligible:
    • LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
    • SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation, ApplyThemesAndBorders, ApplyStyleSheets
    • PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
  • If the group has MORE than the following permissions, then it is marked as very bad:
    • LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
    • SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
    • PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
  • If the group has EXACTLY the following permissions, then it is marked as bad:
    • LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
    • SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
    • PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
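The following is an added example (not One Identity code) that turns the three permission lists above into set comparisons and returns the tier a Web Application policy grant falls into. The two ceilings are the lists from the text (the "ineligible" ceiling is the baseline list plus ApplyThemesAndBorders and ApplyStyleSheets); the reading of "MORE than" as "holds any right outside the listed set", and the neutral verdict for a grant that stays below the baseline list, are assumptions. The SharePoint permission name "ManageWeb" in the constructed sample is a real SPBasePermissions value used only as an example of an excess right.

```python
"""Tiering of Web Application policy grants by the permission ceilings from the text.

Added example, not One Identity code. Interpreting "MORE than" as "any right
outside the set" and returning NEUTRAL below the baseline are assumptions.
"""

VERY_BAD, BAD, NEUTRAL = -2, -1, 0
INELIGIBLE = None

# Baseline grant: the exact set that is marked "bad"; anything beyond it is worse.
BASELINE_GRANT = frozenset({
    # LIST PERMISSIONS
    "ViewItems", "ViewApplicationPages", "OpenItems", "ViewVersions", "CreateAlerts",
    # SITE PERMISSIONS
    "ViewPages", "Open", "BrowseUserInformation", "UseRemoteInterfaces",
    "UseClientIntegrationFeatures", "UseSelfServiceSiteCreation",
    "EditPersonalUserInformation",
    # PERSONAL PERMISSIONS
    "ManagePersonalViews", "AddRemovePersonalWebParts", "UpdatePersonalWebParts",
})

# The "ineligible" ceiling additionally tolerates the two theme/style rights.
EXTENDED_GRANT = BASELINE_GRANT | {"ApplyThemesAndBorders", "ApplyStyleSheets"}


def web_app_policy_grant_verdict(granted):
    """Classify the rights a Web Application policy grants to a group."""
    granted = frozenset(granted)
    if granted - EXTENDED_GRANT:          # any right beyond the wider ceiling
        return INELIGIBLE
    if granted - BASELINE_GRANT:          # only the theme/style extras on top
        return VERY_BAD
    if granted == BASELINE_GRANT:         # exactly the baseline list
        return BAD
    return NEUTRAL                        # assumption: nothing, or a subset of baseline


def excess_rights(granted):
    """Rights outside the wider ceiling: what to list when explaining an ineligible verdict."""
    return sorted(frozenset(granted) - EXTENDED_GRANT)


# Constructed samples: a read-only policy, the same plus theme rights, and a
# policy that also hands out ManageWeb (typical for a service account).
READ_ONLY_POLICY = set(BASELINE_GRANT)
THEMES_POLICY = READ_ONLY_POLICY | {"ApplyStyleSheets"}
SERVICE_ACCOUNT_POLICY = READ_ONLY_POLICY | {"ManageWeb"}

if __name__ == "__main__":
    for label, policy in [("read-only", READ_ONLY_POLICY), ("themes", THEMES_POLICY),
                          ("service account", SERVICE_ACCOUNT_POLICY), ("none", set())]:
        print(f"{label:16} verdict={web_app_policy_grant_verdict(policy)} "
              f"excess={excess_rights(policy)}")
```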

Data Governance agent configuration file settings

The following Data Governance agent configuration file settings can be configured in the DataGovernance.Agent.exe.config file in the Agent Services directory in the agent's installation directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services.

Table 55: Communication settings
Configuration setting Description
baseActivePort Sets the default listening port.

cloudScanThreadMax

Sets the maximum number of concurrent scan threads to be used when scanning a cloud managed host.

overrideServerUri Indicates that the agent is to connect to a specific URI and not use the results from an Active Directory service connection point search.

shimCloseTimeoutInMinutes

Dictates the interval of time provided for a connection to the Shim to close before the transport raises an exception.

NOTE: SharePointShim is used when monitoring a SharePoint 2010 host.

shimOpenTimeoutInMinutes

Dictates the interval of time provided for a connection to open to the Shim before the transport raises an exception.

NOTE: SharePointShim is used when monitoring a SharePoint 2010 host.

shimReceiveTimeoutInMinutes

Dictates the interval of time that a connection can remain inactive, during which time no application messages are received from the Shim before it is dropped.

NOTE: SharePointShim is used when monitoring a SharePoint 2010 host.

shimSendTimeoutInMinutes

When writing to the Shim, this setting dictates the interval of time provided for a write operation to complete before the transport raises an exception.

NOTE: SharePointShim is used when monitoring a SharePoint 2010 host.

Table 56: Windows computer settings
Configuration setting Description
indexingEnabled (localGroup scanning) Determines whether local group scanning is enabled.
indexingEnabled (local user rights scanning) Determines whether local user rights scanning is enabled.
indexingEnabled (share scanning) Determines whether share scanning is enabled.
localGroupResolutionInSeconds Sets the number of seconds between scans of local groups.
windowsComputerResourceResolutionInSeconds Sets the number of seconds between full scans of the various resources within the Windows Computer resource namespace.
Table 57: Service identity indexer settings
Configuration setting Description
indexingEnabled (service identities scanning) Determines whether service identities scanning is enabled.
serviceIdentityIndexingResolutionInSeconds Sets the number of seconds between scans of service identities.
Table 58: Security data store service setting
Configuration setting Description
keepQueryDocuments

Diagnostic setting used to debug or diagnose issues with agent queries.

NOTE: This setting should only be enabled for diagnostic purposes, as it saves *.raq files to the agent instance folder and does not delete them. These can eventually take up a large amount of disk space.
Table 59: Resource usage settings
Configuration setting Description
numberOfSharepointScanThreads Defines the number of threads to be used when the agent is scanning the SharePoint object hierarchy in the farm.
usageFlushIntervalInSeconds Sets the frequency (in seconds) at which auditing information being held in memory is flushed to disk.
Table 60: NetApp configuration setting
Configuration setting Description
OverrideFPolicyName Overrides the name of the policy the FPolicy change watcher connects to.

baseActivePort

Use this setting to change the default listening port.

Table 61: Agent configuration setting: baseActivePort
Configuration file: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DataGovernance.Agent.exe.config
Section name:
<Section name="Agent">
  <Section name="Services">
    <Section name="communication">
Setting: <Setting name="baseActivePort" type="dword">
Value: Default: 18530
How to modify:
  1. Stop the agent service.
  2. Change the baseActivePort value as required.
  3. Start the agent service.
Notes: The agent starts with this port and, if it cannot get this port, increases it by one until it can open the listening port.
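The following is an added example (not the agent's own code) that reads baseActivePort out of the nested <Section>/<Setting> layout shown in Table 61 and reproduces the documented fallback: bind the configured port and, if it is taken, move up by one until a listener opens. The value attribute on <Setting> is an assumption, since the table shows only the name and type attributes. The practical consequence for a defender is that the agent's real port can drift above 18530, so host firewall rules and port-based detections should allow for the range the agent may walk through rather than a single port.

```python
"""Read baseActivePort from the agent configuration and open the first free port at or above it.

Added example, not One Identity code. The Setting element's value attribute is
an assumption; Table 61 shows only its name and type.
"""
import socket
import xml.etree.ElementTree as ET

# Constructed excerpt of DataGovernance.Agent.exe.config in the nested Section
# layout from Table 61 (value attribute assumed).
AGENT_CONFIG_XML = """<Section name="Agent">
  <Section name="Services">
    <Section name="communication">
      <Setting name="baseActivePort" type="dword" value="18530"/>
    </Section>
  </Section>
</Section>"""


def read_base_active_port(xml_text, default=18530):
    """Return the baseActivePort dword, walking the nested Section elements."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "baseActivePort":
            return int(setting.get("value"), 0)  # dword: decimal or 0x-prefixed hex
    return default


def open_listening_port(base_port, max_attempts=100, host="127.0.0.1"):
    """Bind a TCP listener, incrementing the port by one on each failure as the agent does.

    Returns (socket, port); the caller owns the socket. Raises RuntimeError if no
    port in the range could be bound, so a misconfiguration is reported rather
    than silently walking far away from the expected port.
    """
    for port in range(base_port, base_port + max_attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            sock.listen(1)
            return sock, port
        except OSError:
            sock.close()
    raise RuntimeError(f"no free port in {base_port}..{base_port + max_attempts - 1}")


def occupy_ephemeral_port(host="127.0.0.1"):
    """Helper: hold a listener on an OS-chosen port so the fallback can be demonstrated."""
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker.bind((host, 0))
    blocker.listen(1)
    return blocker, blocker.getsockname()[1]


if __name__ == "__main__":
    configured = read_base_active_port(AGENT_CONFIG_XML)
    print("configured baseActivePort:", configured)
    blocker, taken = occupy_ephemeral_port()
    listener, actual = open_listening_port(taken, max_attempts=20)
    print(f"port {taken} was busy, agent-style fallback opened {actual}")
    listener.close()
    blocker.close()
```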