
Identity Manager Data Governance Edition 8.1.1 - Technical Insight Guide


Write default classification level data to database (ClassificationLevelDefaultData)

This key indicates whether the default classification levels defined in Data Governance Edition are written to the One Identity Manager database.

NOTE: This registry value is checked on Data Governance service startup. If it is not present or its value is set to 0, Data Governance Edition writes the default classification values into the One Identity Manager database and sets the registry value. A value of 1 indicates that the default classification level data is already stored in the One Identity Manager database and should not be overwritten on service startup.
Table 82: Registry setting: ClassificationLevelDefaultData
Location Registry
Path HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server

Value name ClassificationLevelDefaultData
Value type REG_DWORD
Value

Valid values:

  • 0: Write the default classification level data into the One Identity Manager database.
  • 1: Default classification level data is already stored in the One Identity Manager database: do not overwrite on Data Governance service startup.
Notes

If you delete the default classification levels in your Data Governance Edition deployment and replace them with new classification levels, you must move or set this registry key when you move the Data Governance service to another machine. Before starting the Data Governance service on the new machine, ensure that this registry key is set (value is set to 1); otherwise, the Data Governance service will reload any previously deleted default database data that was inserted when the Data Governance service was initially started (on the first machine).

If you modify the default classification levels in your Data Governance Edition deployment, the classification level data is retained if you move the Data Governance service to another machine.
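
The pre-start check described in the notes above, as an added PowerShell example (not code from the guide or from One Identity). The function name and the `-ServiceName` parameter are assumptions for illustration; supply the service name used by your installation.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run on the new machine before the first service start.
function Test-ClassificationDefaultsGuard {
    param(
        [switch]$Fix,             # write the value 1 when it is missing or 0
        [string]$ServiceName      # assumption: you supply the service name of your installation
    )
    $path = 'HKLM:\SOFTWARE\One Identity\Broadway\Server'
    $name = 'ClassificationLevelDefaultData'

    # The value is only evaluated at service startup, so a running service has already read it.
    if ($ServiceName) {
        $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') {
            Write-Warning "$ServiceName is $($svc.Status); the value was already evaluated at startup."
        }
    }

    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }
    if ($current -eq 1) { return $true }

    $state = if ($null -eq $current) { 'missing' } else { "set to $current" }
    Write-Warning "$name is $state; the next service start writes the default classification levels."
    if (-not $Fix) { return $false }

    # Create the key if the installer has not yet done so, then set the DWORD to 1.
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    return ((Get-ItemProperty -Path $path -Name $name).$name -eq 1)
}

Test-ClassificationDefaultsGuard        # report only; add -Fix to set the value to 1
```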

Default employee SID (DefaultEmployeeSid)

This registry key specifies the security identifier (SID) of the default employee used by the Data Governance topology harvest process. This setting is used by the ManagementServer internal service that manages the core Data Governance service dependencies.

Table 83: Registry setting: DefaultEmployeeSid
Location Registry
Path HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server
Value name DefaultEmployeeSid
Value type REG_SZ
Value SID of the user used by the Data Governance topology harvest process.
Note This key is present if you used the Data Governance Configuration wizard to install the Data Governance service.

Explicit exclusion of groups (ExclusionByDN)

On the Data Governance server, configure the following registry key to exclude groups from self-service group selection.

NOTE: You may want to mark certain groups as being ineligible for self-service requests, especially when Data Governance Edition is configured to allow for non-published groups to be presented. In this case, it is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.
Table 84: Registry setting: ExclusionByDN
Location Registry
Path HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server\DeploymentData\SelfService

NOTE: If the "DeploymentData" and "SelfService" subkeys do not exist, create them.
Value name ExclusionByDN
Value type REG_SZ
Value

Create string values whose names match the distinguished name of the groups that are to be excluded.

NOTE: To exclude an entire container of groups, specify the distinguished name of the container, with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".
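
One way to create these entries, as an added PowerShell example (not code from the guide or from One Identity). It assumes the string values are written directly under the path shown in Table 84 and that the value data can be left empty, since the guide specifies only the value names; the function name and the sample distinguished names are constructed. The .NET registry API is used because the asterisk prefix is a wildcard character to the PowerShell registry provider cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code.
function Add-SelfServiceExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$GroupDN = @(),       # individual groups to exclude
        [string[]]$ContainerDN = @()    # containers whose groups are all excluded
    )
    $subKey = 'SOFTWARE\One Identity\Broadway\Server\DeploymentData\SelfService'

    # Container entries carry the "*" prefix described in the guide.
    $names = @($GroupDN) + @($ContainerDN | ForEach-Object { "*$_" })

    # Loose shape check only; it does not fully validate a distinguished name.
    foreach ($n in $names) {
        if ($n.TrimStart('*') -notmatch '^(CN|OU)=.+,DC=.+') {
            throw "Not a distinguished name: $n"
        }
    }

    # With -WhatIf nothing is written; the planned value names are returned instead.
    if (-not $PSCmdlet.ShouldProcess("HKLM\$subKey", "Create $($names.Count) exclusion value(s)")) {
        return $names
    }

    # CreateSubKey opens the key, creating DeploymentData and SelfService if they are missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
    try {
        foreach ($n in $names) {
            # Assumption: empty REG_SZ data; only the value name is specified by the guide.
            $key.SetValue($n, '', [Microsoft.Win32.RegistryValueKind]::String)
        }
        $key.GetValueNames()            # read back what is now configured
    }
    finally { $key.Close() }
}

# Constructed sample input: one group plus every group in the Users container.
Add-SelfServiceExclusion -GroupDN 'CN=Helpdesk Admins,OU=Groups,DC=example,DC=com' `
                         -ContainerDN 'CN=Users,DC=example,DC=com' -WhatIf
```

Remove `-WhatIf` to write the values.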

Filter accounts from Resource access report (FilterNoisyAccounts)

Create the following registry key on the client computer where the Manager is installed to indicate whether noisy accounts (that is, accounts with indirect access granted through the BUILTIN\Administrators or BUILTIN\Users accounts) are to be filtered from the Manage Access view.

Table 85: Registry setting: FilterNoisyAccounts
Location Registry
Path HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Client
Value name FilterNoisyAccounts
Value type DWORD
Value

Valid values:

  • 0: do not filter out noisy accounts
  • 1: filter out noisy accounts (default)