Chat now with support
Chat mit Support

Identity Manager Data Governance Edition 9.1.1 - Deployment Guide

One Identity Manager Data Governance Edition Deployment Guide Data Governance Edition system requirements Install One Identity Manager Data Governance Edition Deploy Data Governance Edition components Post installation configuration Authentication using service accounts and managed domains Working with managed hosts and agents Upgrade Data Governance Edition Remove Data Governance Edition Troubleshooting NetApp managed host deployment EMC managed host deployment SharePoint Farm managed host deployment

Adding a cloud managed host

Data Governance Edition supports the scanning of folders hosted on SharePoint Online and OneDrive for Business.

NOTE: Before adding a cloud managed host, One Identity Manager must be configured to use Azure Active Directory and SharePoint Online. See the following One Identity Manager documents for instructions on configuring and synchronizing the data from these target systems with the One Identity Manager Service:

  • One Identity Manager Administration Guide for Connecting to Azure Active Directory
  • One Identity Manager Administration Guide for Connecting to SharePoint Online

These One Identity Manager documents can be found on the One Identity support site: https://support.oneidentity.com/identity-manager/technical-documents

To add a cloud managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view, select Manage Cloud host from the Tasks view or right-click menu.

    You are redirected to Microsoft to sign in to your account and grant access to Office 365 data.

  3. On Microsoft's Sign in to your account dialog, enter the administrator account login credentials to be used to authenticate with the Data Governance Edition API cloud proxy.

    Note:Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

    Note: You must use a separate administrator account for this purpose. This administrator account must be, or have equal access as, a SharePoint Online Administrator. Each site will be modified to list this account as a Site Collection Administrator for the site. This provides the account with access to the site's contents.

    1. Email, phone, or Skype: Enter the email address of the administrator account to be used to grant access to your Office 365 domain. For example: Administrator@MyDomain.onmicrosoft.com.

      Click Next.

    2. Password: Enter the password associated with the specified email.

      Click Sign In.

    After successfully signing in, the Managed Host Settings dialog appears allowing you to configure your cloud managed host.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This field will remain blank.
    2. Host Type: Select the type of cloud provider: SharePoint Online or OneDrive for Business.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. The Cloud Provider page displays a green check mark and message indicating you are authenticated with your Office 365 domain. If you do not see this green check mark and authentication message, use the Re-authenticate button to authenticate with the cloud API proxy.
  6. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    Note: You can only specify one agent to scan a cloud host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target managed host.
    3. Select the service account: Select a service account with sufficient permissions on the selected agent host.

      Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click Add to add the agent to the agents list.

    For more information, see Agents page.

  7. Use the Managed Paths page to specify the folders under the Documents site to be to be scanned by the agent to create and maintain the security index.

    Note: OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.

    For SharePoint Online, a site is available for managing, only if it can be navigated on the SharePoint Online website.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. In the Managed Paths Picker dialog, click the check box to the left of the folders to be scanned.

      TIP: A check box appears to the left of the folders that can be selected. Click the expansion box to the left of a container to expand it and navigate to the folders available for scanning.

    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  8. By default, remote agents scan cloud-based managed hosts daily at 2:00 A.M. Use the Security Scanning page to set the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.

    For more information, see Security Scanning page.

  9. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the resources on the target managed host using the Resource browser. Double-click the managed host in the Managed hosts view to display the Resource browser.

Managed host configuration settings

Managed hosts must be properly configured for security scanning (and resource activity collection, if applicable) to begin. An agent must be configured to communicate with the server and gather resource information. Until this is completed, no security information will be stored or indexed for this computer. Agents are configured when you add or edit a managed host.

  • Real-time security updates in the context of Data Governance Edition refers to the monitoring of changes to the file system caused by create, delete, and rename operations, as well as DACL, SACL and Owner changes, in order to maintain the security index. These real-time security updates are not monitored by default, but can be configured on the Security Scanning page of the Managed Host Settings dialog.

    Note: Enabling real-time security updates for NAS devices requires additional configuration on the NAS device itself. For more information, see EMC managed host deployment and NetApp managed host deployment.

  • When enabled, resource activity is collected in real time, compressed, and then stored in the Data Governance Resource Activity database. Historical activity data can then be used to calculate a resource's perceived owner and to generate activity-related reports. Use the Resource Activity page of the Managed Host Settings dialog to enable and configure resource activity collection and aggregation.
  • Managed paths will be scanned for security access information and if enabled, for collecting resource activity.

The available configuration settings vary depending on the type of managed host, as shown in the following table. Yes indicates that the settings can be configured.

Table 16: Configurable managed host settings
Managed host type Resource activity Real-time security updates Security scanning Managed paths Service accounts
Local Windows Computer

Yes

Not collected by default.

Yes

Not monitored by default.

Yes

By default, scanning starts immediately once an agent is deployed.

Yes

By default, all NTFS drives are scanned if no managed paths are specified.

No service account is required as the agent runs as the Local System.

Windows Cluster / Remote Windows Computer N/A

Yes

Not monitored by default.

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account with Local Administrator rights on the managed host. The agent scanning the host runs under the service account.

NetApp 7-Mode and Cluster-Mode CIFS Devices

NetApp 7-Mode and Cluster Mode NFS Devices

Yes

Not collected by default.

Requires FPolicy

Yes

Not monitored by default.

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account; must be a member of the local Administrators group on the NetApp 7-Mode filer in order to create FPolicy. This account must also have permissions to access folders being scanned.

EMC CIFS Devices

Yes

Not collected by default.

Yes

Not monitored by default.

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account with required permissions. The agent scanning the host runs under the service account.

The service account for an agent managing EMC Isilon storage devices, must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path).

EMC Isilon NFS Devices

N/A

N/A

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account; must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path).

SharePoint Farm

Yes

Not collected by default.

N/A

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account; must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)); must be a member of the administrators group on SharePoint server. The agent scanning the host runs under the service account.

Cloud (for example, SharePoint Online)

N/A

N/A

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account which becomes the agent run as account. This account is not used to connect to the Cloud provider.

Generic

N/A

N/A

Yes

Scanning starts on a configured schedule.

By default, every day of the week at 2:00 A.M.

Yes

Managed paths must be defined for scanning to occur.

Requires a service account with required permissions. The agent scanning the host runs under the service account.

Distributed File System

Yes

Not collected by default.

N/A

N/A

N/A

N/A

Related Topics

Managed host settings dialog

Editing managed host settings

Customizing default host settings

Managed host settings dialog

The Managed Host Settings dialog allows you to define the configuration settings for new managed hosts. This dialog appears when you select one of the following tasks from the Managed hosts view:

  • Manage host
  • Manage multiple hosts
  • Manage NFS host
  • Manage Cloud host
  • Edit host settings

This dialog contains the following controls.

Table 17: Managed Host Settings dialog: Controls
Control Description
Managed Host

Specifies the managed host to be added.

  • For local managed hosts, this is a read-only field that displays the name of the host computer selected in the Managed hosts view.
  • For remote managed hosts, including supported EMC and NetApp storage devices with CIFS file system protocol enabled, this is a read-only field that displays the name of the host computer selected in the Managed hosts view.
  • For cloud managed hosts, this field is blank when using the Manage Cloud host task. However, it displays the <DomainName>.onmicrosoft.com host name when using the Edit host settings task.
  • If multiple hosts are selected, <Multiple Managed Hosts> appears in this field.
  • For NFS managed hosts, enter the IP address or fully qualified domain name of the NFS host computer to be managed.
Host Type

Select the type of managed host to be added to the Data Governance Edition deployment.

When using the Manage host or Manage multiple hosts task, the options available depend on the host computer selected in the Managed hosts view. Valid managed host types include:

  • EMC Celerra/VNX Device
  • EMC Isilon Device
  • Generic Host Type
  • Local Windows Computer
  • NetApp OnTap Cluster Mode CIFS Device
  • NetApp OnTap 7-Mode CIFS Device
  • SharePoint Farm
  • Windows Cluster/Remote Windows Computer

When using the Manage NFS host task, you must select one of the following host types:

  • EMC Isilon NFS Device
  • NetApp Cluster NFS Device
  • NetApp 7-Mode NFS Device

When using the Manage Cloud host task, you must select one of the following host types:

  • SharePoint Online
  • OneDrive for Business

When using the Edit host settings task, this is a read-only field that specifies the type of host.

Agent Install Path

By default, the agent will be installed in the Data Governance Server installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

When you deploy an individual agent, you can use this field to specify an alternate agent installation. To specify an alternate installation directory, enter a local path (for example C:\Mypath) that does not exceed 512 characters.

NOTE: If there is an existing agent on the machine, you cannot install another agent with a different installation directory. All agents must be installed in the same directory.

NOTE: If required, use the Customize default host settings task to define an alternate default installation directory for deploying new agents. When you opt to set the installation directory for an individual agent using the Agent Install Path field on the Managed Host Settings dialog, it will take precedence over the default agent installation location defined on the Customize default host settings dialog.

Keywords (Optional) Enter a keyword which can then be displayed and used to group your managed hosts on the Managed hosts view.
NIS Host

Use the NIS Host page to select the Network Information Systems (NIS) server whose users and groups have been synchronized with One Identity Manager.

NOTE: This page only applies to NFS managed hosts.

For more information, see NIS Host page.

Credentials page

Use the Credentials page to provide user credentials that can establish a connection with the NAS device.

  • For NetApp hosts, the user must have the "ontapi" User Login Method application.
  • For EMC hosts, this account must have the "Platform API" privileges applied.

NOTE: This page only applies to NFS managed hosts and NetApp OnTap Cluster Mode CIFS managed hosts.

For more information, see Credentials page.

Cloud Provider

The Cloud Provider page indicates if you are successfully authenticated with the Data Governance Edition API cloud proxy and can also be used to re-authenticate to the cloud proxy.

NOTE: This page only applies to Cloud managed hosts.

For more information, see Cloud Provider page.

Agents page

Use the Agents page to configure the agents to be used to monitor a remote managed host or SharePoint managed host.

NOTE: This page only applies to remote managed hosts and SharePoint managed hosts.

For more information, see Agents page.

Managed Paths page

Use the Managed Paths page to define the paths to be managed by Data Governance Edition. These managed paths will be scanned for security access information and if enabled, for collecting resource activity.

Click the Add button to display the Managed Paths Picker dialog, where you can then navigate to and select the paths to be scanned.

For more information, see Managed paths page.

Security Scanning page

Use the Security Scanning page to set the schedule and settings for scanning agents for changes to the structure and security of the file system.

For more information, see Security Scanning page.

Resource activity page

Use the Resource Activity page to configure the collection and aggregation of resource activity for the target managed host.

NOTE: Not available for Windows Cluster/Remote Windows Computer, Generic, or Cloud managed hosts.

For more information, see Resource activity page.

OK

Click the OK button to save your selections and close the dialog.

Cancel

Click the Cancel button to close the dialog without saving your selections.

Related Topics

Adding a local managed host (Windows computer)

Adding a Windows cluster / Windows computer as a remote managed host

Adding a generic managed host

Adding a Distributed File System (DFS) root managed host

Adding a SharePoint farm managed host

Adding a NetApp CIFS device as a managed host

Adding an EMC CIFS device as a managed host

Adding an NFS managed host

Adding a cloud managed host

Editing managed host settings

NIS Host page

Select a Network Information Service (NIS) server whose users and groups have been synchronized with One Identity Manager.

NOTE: This page only applies to NFS managed hosts.

Table 18: NIS Host page: Controls and settings
Control/setting Description
NIS Host

Select the NIS server to be managed.

The NIS servers previously synchronized with One Identity Manager (UNIX synchronization project) are listed in the drop-down menu.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen