
Identity Manager Data Governance Edition 8.1.1 - Technical Insight Guide

Manually deploying Data Governance service

You need the following to manually deploy the Data Governance service:

  • Data Governance Server installation msi
  • Local Administrator rights on the server where the Data Governance service is to be installed.
  • Installation of the One Identity Manager client applications (including the Data Governance Edition PowerShell snap-in)
  • Ability to change One Identity Manager configuration options in the Designer application
  • Connection information to the One Identity Manager database
  • Database creation permissions (if creating the Data Governance Resource Activity database)

To manually deploy the Data Governance service

  1. Log on to the system with the One Identity Manager client installation.
  2. Open the Designer and log on as a system user with administrative privileges (for example, viadmin)
  3. Edit the Data Governance service configuration parameters: 
    1. In the navigation view, select Base Data | General | Configuration parameters.
    2. In the far right column, click Edit configuration parameters.
    3. Expand TargetSystem | ADS | QAM | QAMServer.
    4. Change the ServerName value to the fully qualified DNS name of the server where the Data Governance service is to be installed.
    5. Set the Port value to the net.tcp port your server will listen on. The HTTP port is automatically configured as the net.tcp port value minus 1.
    6. Set the Deployment value to the name of your Data Governance Edition deployment.

      Note: This defaults to "DEFAULT". If you are going to or already have multiple Data Governance Edition deployments in your Active Directory forest, you must ensure this name is unique. The Deployment value is restricted to a maximum of 30 characters and can contain alphanumeric characters and underscores (no spaces).

  4. Use the LocalSystem account to log on to the Data Governance server specified above and run the Data Governance Server installation msi.

    Note: When you run the MSIEXEC from a command prompt, you must be running as local system. This ensures that the service connection point can be updated no matter what your Data Governance service runs as.

    Example: msiexec /i "DataGovernance_ServerComponentsInstaller_x64.msi" /lv C:\DgeMsintallLog QAMDEPLOYMENT="testNew" QAMPORT=8722

    Note: Refer to the Microsoft documentation for command line syntax of MSIEXEC.EXE. For more information on using the Windows Installer (MSIEXEC.exe) refer to Microsoft's MSDN library: https://msdn.microsoft.com/en-us/library/aa367988(VS.85).aspx

    See Data Governance service options for a description of the Data Governance deployment options available.

  5. Open a Windows PowerShell console on the machine with the One Identity Manager client installation.
  6. Run the following cmdlet to import the Data Governance Edition PowerShell module:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine would be "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll"

  7. Run the following PowerShell cmdlet to set the server name, deployment name and port information used by the Data Governance Edition commands to connect to the Data Governance server:

    Set-QServiceConnection -ServerName "<DGE server machine name>" -Port <Value> -Deployment "<Deployment name>"

    Note: The <DGE server machine name>, Port <Value> and <Deployment name> must be the same values as specified in step 3.

  8. Close the PowerShell console and restart the Data Governance service.

  9. Run the following PowerShell cmdlet to establish the database connection between One Identity Manager and Data Governance Edition:

    Initialize-QDataGovernanceServer -DatabaseConnectionString "<Connection string for Identity Manager database>" [-DefaultEmployeeSid "<SID of user account>"]

    Note: Only specify the "-DefaultEmployeeSid" parameter if you want to take advantage of the automatic forest topology harvest. Adding this parameter adds the user associated with the specified SID to the One Identity Manager Employees with the appropriate Data Governance application roles. This provides the same functionality as selecting the Add the current user to the One Identity Manager Employees with Data Governance application roles option when using the Data Governance Configuration wizard.

    Note: If Windows Integrated Authentication is used to connect to the database, the Data Governance server must be configured to run as an identity other than LocalSystem (See step 4).

    Connection string examples:

    An example of a connection string for Windows authentication may look like this:

    "Server=myServerAddress;Database=myDatabase;User Id=myUser;Password=myPassword;Trusted_Connection=True"

    An example of a connection string for SQL authentication may look like this:

    "Data Source=myServerAddress;Initial Catalog=myDatabase;User Id=myUser;Password=myPassword"

    For more information on connection strings, see The Connection String Reference.

  10. Using your preferred database management tool, browse on the Data Governance server to the %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server\Activity Database Scripts folder and locate a file named "DGAuditDatabaseCreationScript.sql".
  11. For SQL Server hosted databases, open the DGAuditDatabaseCreationScript.sql file and update the database name specified in the CREATE DATABASE and USE statements.

    Note: If you are running multiple Data Governance Edition deployments, it is highly recommended that you append the deployment name to the database name (for example, DGE_DEFAULT). This database name has a maximum length of 30 characters and can contain alphanumeric characters and underscores (no spaces).

  12. Run the appropriate script for your database management system to create the Data Governance Resource Activity database.
  13. Run the following PowerShell cmdlet to initialize the database to store data generated when a managed host has resource activity collection enabled:

    Initialize-QDataGovernanceActivity -ConnectionString "<Connection string to activity database>"

    Note: Ensure the connection string's Initial Catalog value (Database value if using Windows authentication) matches the name you specified in the SQL script when creating the Data Governance Resource Activity database.

  14. Restart the Data Governance service.

    Note: It might take a few minutes before the Data Governance topology harvest task begins.
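The PowerShell part of the procedure above (steps 6, 7, 9 and 13) as one script, with the name constraints from the notes checked up front. This is an added example, not code from the One Identity documentation; the server, database and deployment values are assumptions, and the script assumes the service restart (step 8) and the activity database creation (steps 10 to 12) are done before the last two cmdlets run.

```powershell
# Added example, not from the One Identity documentation: the PowerShell steps of the
# manual deployment (steps 6, 7, 9 and 13) as one script, with the name constraints from
# the notes checked up front. Server, database and deployment values are assumed.
$ErrorActionPreference = 'Stop'

# Assumed values; ServerName, Port and Deployment must match what was set in the Designer (step 3).
$DgeServer   = 'dge01.example.local'
$DgePort     = 8722
$Deployment  = 'DEFAULT'
$DbServer    = 'sql01.example.local'
$OimDatabase = 'OneIM'
$ActivityDb  = "DGE_$Deployment"   # deployment name appended, as the note to step 11 recommends

# Deployment and activity database names: at most 30 characters, alphanumeric and underscore only.
foreach ($name in @($Deployment, $ActivityDb)) {
    if ($name.Length -gt 30 -or $name -notmatch '^[A-Za-z0-9_]+$') {
        throw "Invalid name '$name': maximum 30 characters, alphanumeric characters and underscores only."
    }
}

# Build connection strings with SqlConnectionStringBuilder instead of by hand, so a mistyped
# keyword or a wrong delimiter fails here rather than inside the Initialize-* cmdlets.
# Integrated Security keeps passwords out of the script and the console history; the Data
# Governance service must then run as an identity other than LocalSystem (note to step 9).
function New-SqlConnectionString([string]$Server, [string]$Database) {
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']         = $Server
    $b['Initial Catalog']     = $Database
    $b['Integrated Security'] = $true
    $b['Encrypt']             = $true   # require TLS to SQL Server (an addition, not from the guide)
    return $b.ConnectionString
}

# Step 6: import the Data Governance Edition PowerShell module from its default location.
Import-Module "$env:ProgramFiles\One Identity\One Identity Manager\QAM.Client.PowerShell.dll"

# Step 7: tell the cmdlets which Data Governance server and deployment to talk to.
Set-QServiceConnection -ServerName $DgeServer -Port $DgePort -Deployment $Deployment

# Step 9 (run only after the service restart in step 8): connect the One Identity Manager database.
Initialize-QDataGovernanceServer -DatabaseConnectionString (New-SqlConnectionString $DbServer $OimDatabase)

# Step 13 (run only after the activity database exists, steps 10 to 12): initialize it.
Initialize-QDataGovernanceActivity -ConnectionString (New-SqlConnectionString $DbServer $ActivityDb)
```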

Data Governance service options

The Data Governance service installer is included in the autorun and can be found in the QAM module's directory. For example, C:\<DGE Build>\Modules\QAM\dvd\DataGovernance_ServerComponentsInstaller_x64.msi.

NOTE: Only a 64-bit version is available.

The following options are available when using the Windows Installer .msi to install the Data Governance service.

NOTE: Log on to the Data Governance server with an account with administrative access and run the Data Governance Server installation msi from the command line, providing the options as described below.
Table 5: Data Governance service command line options

  INSTALLDIR="<Installation Directory Path>"

    Use this option to specify the folder on the local system into which the Data Governance service is to be installed.

  QAMDEPLOYMENT="<DGE Deployment Name>"

    Use this option to specify a unique name for the Data Governance Edition deployment.

    The deployment name has a maximum length of 30 characters and can only contain alphanumeric characters and underscores (no spaces allowed).

    NOTE: If no deployment name is specified, the default deployment name of "DEFAULT" is used.

  QAMPORT="<port number>"

    Use this option to specify the net.tcp port to be opened on the Data Governance service.

    NOTE: If no port is specified, the default port of 8722 will be used.

  SERVICEACCOUNT="<DOMAIN\UserName>"

    Use this option to specify the service account to be used to access the One Identity Manager database.

    NOTE: This is required if you are using Windows authentication to access the database.

  SERVICEACCOUNTPASSWORD="<Password>"

    Use this option to specify the password associated with the service account.

    NOTE: This is required if you are using Windows authentication to access the database.

Data Governance agents

The One Identity Manager Data Governance Edition Deployment Guide provides details on adding managed hosts and deploying Data Governance agents; the information here supplements that guide with more detail about the deployment process and the Data Governance agents themselves.

Agent deployment process

  1. The Data Governance service pushes the "QRemoteExecutorService.exe" file onto the agent host under a hidden folder:

    \\AgentHost\admin$\Broadway\AgentManagement

  2. The Remote Executor is started on the agent, determines the agent architecture, and sends the data back to the Data Governance service.
  3. The Data Governance service pushes the correct agent installer to the same location as the Remote Executor.
  4. The Remote Executor installs the agent to %ProgramFiles%\One Identity\One Identity Manager Data Governance\Agent Services by default.
    1. Local agents are named "DGE_<DeploymentName>_LocalHost"

      Example: DGE_DEFAULT_LocalHost

    2. Remote agents are named "DGE_<DeploymentName>_<FQDN of managed host>"

      Example: DGE_DEFAULT_flowernetapp_flowers_local

    3. SharePoint Farm agents are named "DGE_<DeploymentName>_Sharepoint"

      Example: DGE_DEFAULT_Sharepoint

      NOTE: For multi-agent SharePoint managed hosts, a number is appended to the end of the agent service name.

      Example: DGE_DEFAULT_Sharepoint_1, DGE_DEFAULT_Sharepoint_2, DGE_DEFAULT_Sharepoint_3, and so on.

    4. SharePoint Online agents are named "DGE_<DeploymentName>_SharePointOnline_<Office 365 Host>"

      Example: DGE_DEFAULT_SharePointOnline_DGEPROD.ONMICROSOFT.COM

    5. OneDrive for Business agents are named "DGE_<DeploymentName>_OneDriveBusiness_<Office 365 Host>"

      Example: DGE_DEFAULT_OneDriveBusiness_DGEPROD.ONMICROSOFT.COM

  5. The Data Governance service grants the service account used for agent deployment a few local privileges, including:
    1. SE_SERVICE_LOGON_RIGHT
    2. SE_TCB_NAME
    3. SE_RESTORE_NAME
    4. SE_BACKUP_NAME
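A post-deployment check for an agent host, as an added example that is not part of the One Identity documentation: it lists the installed DGE_* agent services using the naming convention above and reports which accounts hold the four rights the service grants the deployment account. It assumes an elevated console on the agent host (secedit needs administrator rights) and that secedit's export names for those rights are SeServiceLogonRight, SeTcbPrivilege, SeRestorePrivilege and SeBackupPrivilege.

```powershell
# Added example, not from the One Identity documentation: audit an agent host after
# deployment. Lists the DGE_* agent services and shows which accounts hold the four rights
# the Data Governance service grants the deployment account. Run elevated on the agent host.
$ErrorActionPreference = 'Stop'

# Agent services follow DGE_<Deployment>_<Target>; split into at most three parts so a
# target such as SharePointOnline_<Office 365 host> or an FQDN keeps its own underscores.
function Get-DgeAgentService {
    Get-CimInstance Win32_Service -Filter "Name LIKE 'DGE[_]%'" | ForEach-Object {
        $parts = $_.Name -split '_', 3
        [pscustomobject]@{
            Service    = $_.Name
            Deployment = $parts[1]
            Target     = $parts[2]
            RunsAs     = $_.StartName
            State      = $_.State
        }
    }
}

# The rights listed in the guide, mapped to the names secedit uses in its export (assumed).
$ExpectedRights = [ordered]@{
    SE_SERVICE_LOGON_RIGHT = 'SeServiceLogonRight'
    SE_TCB_NAME            = 'SeTcbPrivilege'
    SE_RESTORE_NAME        = 'SeRestorePrivilege'
    SE_BACKUP_NAME         = 'SeBackupPrivilege'
}

# Export the local security policy and read each right's holders from [Privilege Rights].
# secedit writes SIDs with a leading '*'; they are shown as exported, unresolved.
function Get-LocalPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'dge-rights-audit.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $text = Get-Content -Path $cfg -Raw
        $holders = @{}
        foreach ($right in $ExpectedRights.Values) {
            $m = [regex]::Match($text, "(?m)^$right\s*=\s*(.*)$")
            $holders[$right] = if ($m.Success) { $m.Groups[1].Value.Split(',') | ForEach-Object { $_.Trim() } } else { @() }
        }
        return $holders
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

Get-DgeAgentService | Format-Table -AutoSize
$holders = Get-LocalPrivilegeHolders
foreach ($right in $ExpectedRights.GetEnumerator()) {
    '{0,-24} {1,-20} {2}' -f $right.Key, $right.Value, ($holders[$right.Value] -join ', ')
}
```

Any account other than the deployment service account appearing under SeTcbPrivilege or SeBackupPrivilege/SeRestorePrivilege is worth explaining, since those rights bypass normal file ACLs.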