Chat now with support
Chat mit Support

Identity Manager Data Governance Edition 8.1.5 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Managed host deployment

A managed host is any network object that can host resources and can be assigned an agent to monitor security and resource activity. Currently supported hosts include Windows computers, Windows clusters, NetApp storage devices, EMC storage devices, DFS, and SharePoint farms.

You can also add generic managed hosts (Server Message Block (SMB) shares running on any Active Directory joined computer) to remotely scan their resources.

The following commands are available to you to deploy managed hosts. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 159: Managed host deployment commands

Use this command

If you want to

 

Add-QDfsManagedHost

Register a domain-based distributed file system root. This enables you to view and manage the access on resources that are physically distributed throughout your network.

For more information, see Add-QDfsManagedHost.

 

Add-QManagedHostByAccountName

Add a managed host to your deployment and configure its settings.

For more information, see Add-QManagedHostByAccountName.

NOTE: This cmdlet does not support adding Cloud managed hosts.

 

Clear-QResourceActivity

Clear the resource activity for a given managed host. This enables you to remove activity data from the database on demand when it is no longer required.

For scheduled activity cleanup, use the activity compression/deletion settings in the Data Governance server configuration file instead.

NOTE: Once you clear the activity, it cannot be recovered.

For more information, see Clear-QResourceActivity.

 

Get-QHostsforTrustee

View a selected user or group’s access on all managed hosts in your environment.

For more information, see Get-QHostsForTrustee.

 

Get-QManagedHosts

View a list of all the managed hosts in your deployment.

NOTE: If you are interested in only one managed host, you can specify the host's name or the ID (GUID format) of the managed host. You can also specify all the managed hosts in a particular container.

For more information, see Get-QManagedHosts.

 

Remove-QManagedHost

Remove a managed host from your deployment.

For more information, see Remove-QManagedHost.

 

Set-QManagedHostProperties

Change the properties of a managed host.

NOTE: You must know the managed host ID

For more information, see Set-QManagedHostProperties.

 

Set-QManagedHostUpdated

Inform the Data Governance server that the managed host state should be updated.

For more information, see Set-QManagedHostUpdated.

 

Trigger-QDfsSync

By default the Data Governance server synchronizes the DFS structure into the One Identity Manager database every 24 hours. Use this cmdlet to force a DFS synchronization of a DFS managed host, making the DFS path immediately available within the Resource browser.

NOTE: You must specify the ID (GUID format) of the managed host to be synchronized. To synchronize all of the DFS managed hosts in your deployment, set the ManagedHostID to All.

For more information, see Trigger-QDfsSync.

 

Add-QDfsManagedHost

Registers a domain-based distributed file system (DFS) root with Data Governance Edition. This enables you to view and manage the access on resources that are physically distributed throughout the network. Once added, the Data Governance server periodically synchronizes the DFS structure into the One Identity Manager database making the DFS path available within the Resource browser.

Note: The domain specified must be managed.

Syntax:

Add-QDfsManagedHost [-ManagedDomain] <String> [-DfsRoot] <String> [<CommonParameters>]

Table 160: Parameters
Parameter Description
ManagedDomain

Specify the NetBIOS or DNS name of a managed domain.

Run the Get-QManagedDomains cmdlet to retrieve a list of all managed domains in your Data Governance Edition deployment.

DfsRoot

Specify the name of the distributed file system root in the managed domain.

Examples:
Table 161: Examples
Example Description
Add-QDfsManagedHost --ManagedDomain 'anchor.acme.com' -DfsRoot 'software' Registers the domain-based distributed file system root "\\anchor.acme.com\software", where "anchor.acme.com" is the domain and "software" is the DFS root.

Add-QManagedHostByAccountName

Registers a computer as a managed host with your Data Governance Edition deployment and configures its settings.

A managed host is any network objects that can host resources and can be assigned an agent to monitor security and collect resource activity. Currently supported hosts include:

  • Local Windows computer
  • Windows Cluster/Remote Windows computer
  • Generic resource (that is, a Server Message Block (SMB) share running on any Active Directory joined computer)
  • Distributed File System (DFS) root
  • SharePoint farm
  • EMC storage device with CIFS file system protocol enabled
  • NetApp 7-Mode filer with CIFS file system protocol enabled
  • NetApp Cluster-Mode filer with CIFS file system protocol enabled
  • EMC Isilon storage device with NFS system protocol enabled
  • NetApp 7-Mode filer with NFS file system protocol enabled
  • NetApp Cluster-Mode filer with NFS file system protocol enabled

Note: This PowerShell cmdlet does not support adding Cloud managed hosts.

Once you have added a managed host, you can begin to manage the data contained within it.

Syntax:

Add-QManagedHostByAccountName [-HostAccountName] <String[]> [[-Keyword] [<String>]] [[-ResourceActivityEnabled] [<SwitchParameter]] [[-Granularity [<Int32>]] [[-ExcludedTrusteesImportFile [<String>]] [[-ExcludedFileTypesImportFile] [<String>]] [[-ExcludedFoldersImportFile] [<String>]] [[-AgentHostName] [<String>]] [[-SelectedDataRoots] [<String>]] [[-ScheduleType] [<QAM.Common.Interfaces.ScheduleConfiguration+ScanScheduleType>]] [[-RunOnDays] [<String>]] [[-ScheduledTime] [<String>]] [[-ScanInterval] [<Int32>]] [[-ServiceAccountId] [<String>]] [[EnableRemoteFileSystemChangeWatching] [<SwitchParameter>]] [[-PerformImmediateScanOnWatchError] [<SwitchParameter.]] [[-OverrideScanScheduleOnStartup] [<Boolean>]] [[-HostType] [<QAM.Common.Interfaces.ManagedHostInfo+HostTypes>]] [-DataRootType [<String>]] [[-IsManagedResourceHost] [<Boolean>]] [[-IgnoreFiles] [<SwitchParameter>]] [<CommonParameters>]

Table 162: Parameters
Parameter Description
HostAccountName

Specify the managed host account name.

Keyword

(Optional) Specify a keyword that can be used to group managed hosts in the Managed host view of the Manager.

ResourceActivityEnabled

(Optional) Specify this parameter to enable resource activity collection.

Resource activity collection is disabled by default. You can, enable it for locally managed Windows servers, SharePoint farms, and supported NetApp and EMC remotely managed hosts. It is used to collect data on identities, reads, writes, creates, deletes, renames and security changes on securable objects. This information is required for several report types, including the Resource Activity report.

Granularity

(Optional) Specify how often (in minutes) you would like to synchronize and aggregate the data. That is, this is the amount of time the agent is to record new activity before sending results to the Data Governance server. The value entered will be changed to a valid aggregation interval, as follows:

  • Values less than 10 minutes will be set to 5 minutes.
  • Values between 10 minutes and 2 hours will be set to 1 hour.
  • Values between 2 hours and 15 hours will be set to 8 hours.
  • Values greater than 15 hours will be set to 1 day.

NOTE: Identical activity generated during this time will be recorded as one activity.

ExcludedTrusteesImportFile

(Optional) Specify the path to a file containing a list of accounts to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

ExcludedFileTypesImportFile

(Optional) Specify the path to a file containing a list of file types to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

ExcludedFoldersImportFile

(Optional) Specify the path to a file containing a list of the folders on the computer (paths) to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

AgentHostName For remote managed hosts, provide the name of the computer where the scanning agent will reside.
SelectedDataRoots

Specify one or more NTFS directories (or a point in your SharePoint farm hierarchy) to be scanned by the agent. By default, everything under a selected data roots (paths) is scanned.

For remote managed hosts and SharePoint hosts, define the paths to be scanned.

For local managed hosts, the agent performs a full scan of the computer by default; however, you can optionally specify the paths to be scanned by the agent. Once configured, only those managed paths are scanned.

ScheduleType

Specifies the time and frequency with which the agent scans the target computer. Valid values are:

  • DaysOfWeek: Use to specify a daily scan schedule. If you specify this value, you must also specify the RunOnDays and ScheduledTime parameters.
  • Interval: Use to scan the target computer on an hourly interval instead of a daily schedule. If you specify this value, you must also specify the ScanInterval parameter.
  • RunOnce: Use to scan the target computer only one time.

This parameter is required for remotely scanned managed hosts.

RunOnDays

If the ScheduleType is set to "DaysOfWeek", specify the days you would like the agent to scan the managed host.

The syntax is DayOne for Sunday, DayTwo for Monday, etc. For example, to set a scan schedule for Monday, Wednesday and Friday, you would specify ScheduledDays DayTwo,DayFour,DaySix.

For remote managed hosts, optionally specify this parameter to define the days of the week to be included in the scan schedule.

If this parameter is not specified, all days of the week are included by default.

ScheduledTime

If the ScheduleType is set to "DaysOfWeek", specify the time of day when the scan is scheduled to start.

The syntax is, hh:mm:ss. For example, to start a scan at 4 a.m., specify -ScheduledTime 4:00:00; for 6 p.m., specify -ScheduledTime 18:00:00.

For remote managed hosts, optionally specify this parameter to define the time of day when the scan is scheduled to start.

If this parameter is not specified, the default start time is 2:00:00 AM.

ScanInterval

If the ScheduleType is set to "Interval", specify the interval (in hours) at which the agent will scan the managed host.

For example, to scan every 4 hours, specify -ScanInterval 4.

If this parameter is not specified, the default is 24 hours (or 1 day).

ServiceAccountId

If deploying a remotely managed host, you must supply the GUID of the service account that the agent will use to access the remote managed hosts files.

Run the Get-QServiceAccounts cmdlet to get a list of service accounts registered with Data Governance Edition and their IDs.

EnableRemoteFileSystemChangeWatching

(Optional) Specify this parameter if you want to collect activity for real-time security updates for the scanned managed host.

NOTE: Real-time security updates in the context of Data Governance Edition refers to the monitoring of changes to the file system caused by create, delete, and rename operations, as well as DACL, SACL and Owner changed, in order to maintain the security index. These real-time security updates are not monitored by default.

OverrideScanScheduleOnStartup

(Optional) Set this flag when you want the agent to do a full scan immediately when the agent is added, or perform a rescan when the agent service is restarted.

Valid values are:

  • 1 or $true: Perform scan when agent is started or restarted. (Default for local managed hosts).

    If the parameter is specified without a value, set to $true and perform a full scan when agent is started or restarted.

  • 0 or $false: Do not perform scan when agent is started or restarted. (Default for remote managed hosts.)

    If the parameter is not specified, set to $false and do not perform a full scan when agent is started or restarted.

For example, to override the scan schedule when an agent is started or restarted: -OverrideScanScheduleOnStartup 1

HostType

(Optional) Specify the type of computer the agent will be monitoring. Valid values include:

  • WindowsServer (Default)
  • OnTapDevice
  • CelerraDevice
  • WindowsCluster
  • SharePointFarm
  • GenericHostType
  • DistributedFileSystemRoot
  • IsilonDevice
  • IsilonNfsDevice
  • OnTapNfsDevice
  • OnTapClusterNfsDevice
  • OnTapClusterCifsDevice

If this parameter is not specified, WindowsServer is the default host type.

DataRootType

(Optional) Specify the type of data root. Valid values include:

  • Share
  • Folder

If this parameter is not specified, defaults to Folder.

IsManagedResourceHost

(Optional) Specify this parameter if you want this managed host to be used to host managed resources (for example, file shares created through the IT Shop self-service request functionality).

  • $false: (Default) Can not host a managed resource
  • $true: Can host a managed resource
IgnoreFiles

(Optional) Specify if you want the scanner to include files that have explicit permissions set. If this switch parameter is not present, the managed host scanner will ignore files.

This flag is purely for scanning optimization.

Examples:
Table 163: Examples
Example Description

Add-QManagedHostByAccountName -HostAccountName QAMAUTODC -Keyword QAMAUTO3 -SelectedDataRoot "\\qamautodc\C$\autoroot

Adds a local managed host to the computer "QAMAUTODC", with a keyword of QAMAUTO3. The data root is set to \\qamautocd\C$\autoroot, which means that the agent will only scan this folder and its subfolders on the managed host.

Add-QManagedHostByAccountName -HostAccountNames QAMAUTODC -Keyword QAMAUTO -SelectedDataRoot "\\qamautodc\C$\autoroot" -AgentHostName QAMAUTOMEM1 -ServiceAccountId b0a0e218-55c1-41d7-9585-bf7578ad1130 -ScheduleType Interval -ScanInterval 1 -EnableRemoteFileSystemChangeWatching OverrideScanScheduleOnStartup

Deploys a remotely scanned managed host, with the agent being hosted on "QAMAUTODC", with a keyword of QAMAUTO. The dataroot is set as "\\qamautodc\C$\autoroot", For remote managed hosts, you must also include a service account ID, because these are the credentials that the type is set as Interval and the scan interval is set as 1. Remote file resource activity collection is enabled as is override scan schedule on startup. IncludeFiles switch is not included, so the default applies; the scanner will ignore files.

Add-QManagedHostByAccountName -HostAccountName QAMAUTODC -Keyword QAMAUTO3 -SelectedDataRoot "\\qamautodc\C$\autoroot" -IsManagedResourceHost $true

Adds a local managed host that supports the creation of managed resources.

Add-QManagedHostByAccountName SharePoint_ConfigVmset6 vmset6 -AgentHostName QAM-SP2010-DJ -ServiceAccountId 0ca68d5f-f392-453c-9c50-1784332fe3c7 -ResourceActivityEnabled -Granularity 480 -ScheduleType Interval -ScanInterval 1 -OverrideScanScheduleOnStartup -HostType "SharePointFarm" -SelectedDataRoots "SharePoint_ConfigVmset6/SharePoint - 80/My Wiki/My Wiki/Documents|sp://titan/0ee296d6-dea5-4f4d -950f-27c06458cad1/57947f70-c2b0-4d76-a8b3-ac54fa5bb4ab/15c4fc23-b986-4937-890c-d387125d3114/My%20Wiki/Documents"

Adds a SharePoint managed host with one managed path with resource activity enabled.

Clear-QResourceActivity

Clears the resource activity for a given managed host. This enables you to remove activity data from the Data Governance Resource Activity database on demand when it is no longer required.

Note: Once activity data is cleared from the database, it cannot be recovered.

Syntax:

Clear-QResourceActivity [-ResourceNodeId] <Int32> [<CommonParameters>]

Table 164: Parameters
Parameter Description
ResourceNodeId

Specify the resource node ID of the managed host for which resource activity is to be cleared. This ID is used to link the managed host back to the activity database.

Run the Get-QManagedHosts cmdlet to retrieve a list of managed hosts and associated IDs.

Examples:
Table 165: Examples
Example Description
Clear-QResourceActivity -ResourceNodeId 21 Clears the resource activity from the database for the specified managed host.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen