Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager Data Governance Edition 8.2 - Release Notes

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue Issue ID

Data Governance Edition does not handle computer name changes automatically. If a computer's name is changed after it has been registered as a managed host, some functions will not operate correctly. If a managed host computer is renamed, it must be removed and added again with the new name.

42129

Table 4: Installation and upgrade known issues
Known Issue Issue ID

If you use the MSIExec.exe command to install the Data Governance server to a non-default location, you will be required to perform future upgrades to the server in the same manner. If the installation path is not specified when the upgrade is performed, the custom installation is removed and the new version is installed to the default location of %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition.

313477

Upgrading the Data Governance server reverts the "run as" of the server service to Local System. The service must be reinstalled running as the previously configured account.

To resolve this issue, when installing the new version of the Data Governance server, leave the installer Retry/Cancel dialog open when prompted, run the Service Control Manager, and switch the account on the Data Governance server from local system back to the original service account. Then click Retry in the installer dialog, and the installation should complete successfully.

359129

The Data Governance Configuration wizard is not detecting the existing Resource Activity database name. If you are not using the default name for your Resource Activity database, on an upgrade you must enter the "custom" database name on the Data Governance activity database page of the Data Governance Configuration wizard.

592431
After upgrading the Data Governance service to version 8.0, existing agents will initially connect; however, after an agent restart, they will no longer connect, displaying a "Waiting to connect" state, and must be upgraded.  
Table 5: Resource activity known issues
Known Issue Issue ID

If a volume is mounted as a drive letter and as a folder path, and changes are made through the folder path - the Activity reports show the drive letter as the path for activity.

148588

The SharePoint system account will be automatically filtered from resource activity.

320562

When you restart a NetApp filer, the Data Governance agents scanning that filer must also be restarted as they do not automatically register the required FPolicy.

417143

Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts. 629701

EMC VNX activity collection is not supported for devices with multiple CIFS exposed virtual data movers.

 

EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.

 

If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition.

 

When integrating with Change Auditor version 6.9.x, no activity is being reported in Data Governance Edition.

There is a Change Auditor 6.9 hotfix now available to fix this integration. Please contact One Identity technical support for the latest Change Auditor hotfix.

 

Table 6: SharePoint known issues
Known Issue Issue ID

The SharePoint account SHAREPOINT\system displays in Account access as NULL SID.

202555

In the Group Memberships tab, the location for SharePoint groups displays the URL instead of the friendly path for the group.

213029

In the Accounts view, renamed SharePoint groups do not show the new name after a rescan.

213906

When creating a new site collection on a farm where the SharePoint Auditing farm solution is enabled, you may see an error indicating that the farm solution is already activated. If this occurs, re-create the site collection.

215381

Exceptions occur during security index scans if web app policy denies rights to a farm account, even if the web app is not a selected security index root.

253558

Once data is placed under governance, a user or group's Limited access permission will be changed to the AllowRead permission.

271856

Retrieval of security for SharePoint hidden lists (such as Converted Forms) through Data Governance Edition may incorrectly list the security for its parent folder regardless of inheritance.

314472

For SharePoint 2010 farms, you may need to wait several minutes during agent install before managed paths can be successfully configured.

388288

For SharePoint 2010, initial scans do not occur as expected if there is a delay in setting dataroots for newly deployed managed hosts.

Workaround: Wait for the scan schedule to lapse or restart the agent.

418369

SharePoint and Windows security scans add nested groups to the security index. The default behavior is to add an entry for every trustee that has been found to be directly ACL'd on a managed host. The SharePoint and Windows security scan behavior does not cause any harm, it is simply inconsistent with the expected behavior.

598090

Running Manage Access on a user/employee with a SharePoint user account type in the Security Index view logs an error: Requested value 'domain\user' was not found.

Workaround: Run another SharePoint synchronization.

667557

In the web portal, the target accounts picker accessed from the "Edit subscription settings" window for an Account Access report shows the Claims Identity for SharePoint resources instead of the employee name.

675807

Table 7: Object naming known issues
Known Issue Issue ID

Data Governance Edition may incorrectly represent the names of certain Built-in groups, such as Administrators and Power Users, if these groups have been renamed.

This does not affect the underlying functionality of Data Governance Edition, just the display names of these groups.

114243

Table 8: Machine local groups known issues
Known Issue Issue ID

If a machine local user or group is renamed after it has been originally added to the Data Governance index, any subsequent name changes will not be properly reflected in the client.

70422

Table 9: Agent known issues
Known Issue Issue ID

Network configuration changes may not be reflected in the agent connection information. If the network configuration of a managed host changes such that outgoing connections become blocked, the agent on that computer may be incorrectly reported as operating in Active mode. Additionally, queries against this agent may not be processed. To resolve this situation, restart the agent to renegotiate the connection.

45912

If you attempt to export an agent log from a client, ensure the agent state is set to OK. If the state is not set to OK, the process will fail.

Workaround: Go to the agent installation directory, right-click the DataGovernance.Agent.exe.dlog file for the agent in question, and choose Copy.

178061

Table 10: Managed paths (formerly referred to as Security index roots) known issues
Known Issue Issue ID

When deploying remote agents, it is sometimes possible to select roots that the specified service account cannot access. Ensure that the service account being selected for agent deployment can read the target.

110236

C$ and ETC$ are not valid as managed paths for NetApp filers.

177265

Table 11: Security modifications known issues
Known Issue Issue ID

Removal of inherited and explicit entries in the security editor should be performed as two separate operations. When removing permissions in the security editor, if both explicit and inherited permissions are present in the selection, you will be prompted to confirm how to remove the inherited permissions. If the Copy from Parent option is selected, the permissions originally selected for removal will not be removed. A subsequent removal of the explicit permissions will properly remove the rights.

99724

Do not manipulate security on the computer's recycle bin as this can cause consistency issues with the content of the recycle bin itself.

105477

Adding machine local objects to a folder ACL on a NetApp filer using the Data Governance security editor is not supported. When navigating to a folder using a share path through the Resource browser or security editor, attempting to add a machine local ACE from the filer on the folder ACL will fail.

154142

You may receive an error when editing security, through the Manage Access view, for renamed resource on devices with a configured scanning schedule. It is recommended to use the Resource browser to complete this action.

215371

Table 12: Reporting known issues
Known Issue Issue ID

Local reads of .txt files using notepad – no read event appears on activity reports. Account Activity and Resource Activity reports include events as they are conveyed by the system where the activity occurred. In some instances, certain applications do not report events as they may be expected by the user. This is the expected behavior of the application and Data Governance Edition, in most cases, is limited by what is reported by the operating system.

149909

If agents are not in an OK or Data available state, data from these agents will not be included in reports.

369565

Data Owners vs. Perceived Owners report in web portal does not allow you to select the root folder of a DFS link, therefore, the report can not be generated for that folder.

Workaround: Select the root folder using the Grid view instead of the Tree view in the web portal.

648054
Table 13: Group membership known issues
Known Issue Issue ID

Domain Built-in groups may not show access points on any managed host when selected from the tree view in the detailed Accounts view. To see this information, you must select the Built-in Group and run a Manage Access query that will return information on the Built-in group.

155748

Table 14: Built-in users known issues
Known Issue Issue ID

Only well-known accounts (such as Everyone and Authenticated Users) are returned when the Built-in filter is selected. Other Built-ins, such as administrators and users, are returned as groups.

109347

Table 15: NetApp managed host known issues
Known Issue Issue ID

Cloning an account on a NetApp managed host is not supported.

208968

Adding rights to a folder on a NetApp managed host is not supported.

208975

If you wish to collect security changes from your NetApp filer using Change Auditor, and you are also using Data Governance Edition to collect activity, you must disable cifs_setattr on the Data Governance FPolicy. In addition, you should not select to collect real-time security updates in Data Governance Edition. NetApp will not send the security change to more than one FPolicy. 262027
Table 16: Shared managed resource process known issues
Known Issue Issue ID

Configuration in a cross domain/forest scenario: In order to create the shared folder, the service account for the One Identity Manager job service requires extended permissions on the managed host server in the other domain/forest where the share root resides. That is, this service account requires permissions to create the share and add the groups to the share.

520543

Table 17: Governed data attestation known issues
Known Issue Issue ID

The Governed Data: Resource security deviation attestation shows no selected objects. That is, in the Manager when you select Change master data | Run attestation cases for single objects for a governed resource that has security deviations from its parent folder, the expected objects are not listed on the Run attestation cases for single objects dialog.

647709

Table 18: Cloud managed host known issues
Known Issue Issue ID

Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

 

OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.

 

Table 19: Identity Manager Application Server known issues
Known Issue Issue ID

Unable to assign user (Active Directory, UNS, SharePoint) accounts to an employee from Employees view in the Manager client when logged in through the Application Server.

Workaround: In some situations, using an Application Server connection with the Manager may not function as expected. Switching temporarily to a direct database connection should allow the function to succeed.

678767

Table 20: Third-party known issues
Known Issue Issue ID

Windows 2008

Unable to install an agent on a computer running Windows 2008.

To resolve this issue, download and install the VeriSign Class 3 Primary CA -G5 certificate in the local certificate store on the required target computers. The download is available here: https://www.symantec.com/page.jsp?id=roots.

352646

Windows Server 2012/2012 R2

Agents used to scan an EMC or NetApp filer cannot be hosted on Windows Server 2012 or 2012 R2. When the Data Governance server is hosted on Windows 2012/2012 R2, you cannot browse resources or set managed paths for the EMC or NetApp managed host. This is related to a known issue with Windows Server 2012/2012 R2.

Workaround: Use an alternative supported operating system to host the agent to scan the EMC or NetApp filer or set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force

For more details on the known issue, see http://support.microsoft.com/kb/2686098.

272220

Agent cannot access EMC or NetApp shares. After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2 or Windows 8, a "Windows cannot access <machine>" network error appears when attempting to access a share on the NAS device using the file explorer. The root cause is likely due to an incompatibility between your NAS device and SMB 2.0.

Workaround: Upgrade the FLARE code on your NAS device with support for SMB 2.2. If that is not feasible, disable SMB 2 in Windows Server 2012/2012 R2 or Windows 8.

For more details on the known issue and the proper solution, see http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/

596797

NetApp

Local user accounts created on a NetApp filer with a password longer than 14 characters, will not be included in the indexed information sent to the Data Governance server.

204302

Table 21: DFS host known issues
Known Issue Issue ID

Unable to browse a DFS link in the Manager application, when the DFS link belongs to a DFS host whose Active Directory domain has a non-conventional NetBIOS name (NetBIOS name can’t be extracted from the domain’s name).

Workaround: Edit the ‘DisplayValue’ of the managed DFS host in the ‘QAMNode’ table in the database. Replace the non-conventional NetBIOS name in the ‘DisplayValue’ with the domain name (without the parent-domain or top-level domain).

275342

Data Governance Edition system requirements

NOTE: Some of the system requirements for One Identity Manager have changed in version 8.1. Prior to upgrading Data Governance Edition, ensure that the minimum requirements for all of the One Identity Manager components are meet. See the One Identity Manager Installation Guide for full details on One Identity Manager's system requirements.

Before installing Data Governance Edition, ensure that your system meets the following minimum hardware and software requirements.

In addition, ensure that the minimum permissions and communication port requirements are met to ensure proper authentication and communication with Data Governance Edition components.

Data Governance server

The Data Governance server refers to the server where the Data Governance service is installed. This server must meet the following minimum system requirements.

Table 22: Minimum system requirements: Data Governance server
Processor quad core CPU
Memory 16GB RAM
Free drive space 100GB
Operating system

64-bit Windows operating systems:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
NOTE: Only a 64-bit server for Data Governance Edition is supported. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.
Software

.NET Framework 4.7.2

Database server

The Database server refers to the server hosting the One Identity Manager database. One Identity Manager supports SQL Server database systems.

The following system requirements must be met in order to install the database on a server for use with Data Governance Edition. Depending on the number of One Identity Manager modules and the accounts managed in One Identity Manager, the requirements for working memory, hard disk space, and processors may be significantly greater than the minimum requirements. For more details on the system requirements for One Identity Manager, see the One Identity Manager Installation Guide or One Identity Manager Release Notes.

Table 23: Minimum system requirements: Database server
Processor

8 physical cores with 2.5 GHz+ frequency (non-production)

16 physical cores with 2.5 GHz+ frequency (production)

NOTE: 16 physical cores are recommended on performance grounds.

Memory

In addition to One Identity Manager's memory requirements of 16 GB+ RAM (non-production) and 64 GB+ (production), Data Governance Edition requires an extra 16 GB of RAM.

Free disk space In addition to One Identity Manager's database server requirements of 100GB, Data Governance Edition requires an extra 30GB per million resources.
Operating system

64-bit Windows operating systems:

  • Note the requirements given by Microsoft for the SQL Server version you are using.
NOTE: The 64-bit requirement for Windows Servers is specific to Data Governance Edition.

UNIX and Linux operating systems:

  • Note the requirements given by the operating system manufacturer for SQL Server databases.

Software

Supported SQL Server versions are:

  • SQL Server 2017 Standard Edition (64-bit) with the current cumulative update
  • SQL Server 2019 Standard Edition (64-bit) with the current cumulative update

    NOTE: The cumulative update 2 for SQL Server 2019 is not supported.

  • Azure SQL Managed Instance

NOTE: For performance reasons, the use of SQL Server Enterprise Edition is recommended for live systems.

  • Compatibility level for databases: SQL Server 2017 (140)

  • Default collation: case insensitive, SQL_Latin1_General_CP1_CI_AS (recommended)

  • SQL Server Management Studio (recommended)

NOTE: The minimum requirements listed above are considered to be for general use. With each custom One Identity Manager deployment these values may need to be increased to provide ideal performance. To determine production hardware require-ments, it is strongly recommended to consult a qualified One Identity Partner or the One Identity Professional Services team. Failure to do so may result in poor database performance.

For additional hardware recommendations, read the KB article https://sup-port.oneidentity.com/identity-manager/kb/290330/how-to-configure-settings-as-per-the-system-information-overview, which outlines the System Information Overview available within One Identity Manager.

For installation and operation of a One Identity Manager database, the following database server and database settings are required.

Table 24: Database server settings
Property Value Comment

Language

English

 

Server Collation

Case insensitive

SQL_Latin1_General_CP1_CI_AS (recommended)

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Extreme transaction processing supported (is XTP supported)

True

One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses. The database server must support extreme transaction processing (XTP). This function is activated by default in a standard installation.

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database. If XTP is not activated, the installation or update is not started.

SQL Server Agent

Started

Start the SQL Server Agent in the SQL Server Service Management Portal. You can log in to a SQL Server Agent as a domain user with Windows authentication or with a local system account.

The settings is checked by the Configuration Wizard before installing or updating the One Identity Manager database. If the SQL Server Agent is not started, the installation or update is not started.

Collation

SQL_Latin1_General_CP1_CI_AS

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Recovery model

Simple

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database. If the recovery model is not set to the value Simple, a warning is issued before installing or updating starts. You can ignore this warning.

For performance reasons, however, it is recommended you set the database to the Simple recovery model for the duration of the schema installation or update.

Compatibility level

SQL Server 2017 (140)

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Create Statistics

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Update Statistics

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Update Statistics Asynchronously

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Arithmetic Abort enabled

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Quoted Identifiers Enabled

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Broker Enabled

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Is Read Committed Snapshot On

True

The default setting fro transactions is AutoCommit. If transactions are required, they are opened explicitly.

These settings have proven to provide the best balance between data security and performance for One Identity Manager's massive parallel processing. Other translation modes are not supported by One Identity Manager.

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Parameterization

Forced

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Database file and data file group for memory-optimized tables

Required

One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses.

For the creation of memory-optimized tables, the following prerequisites must be met:

  • A database file with the Filestream data file type must exist.
  • A memory-optimized data file group must exist.

Before installation or update of the One Identity Manager database, the Configuration Wizard checks whether these requirements are fulfilled.

In the Configuration Wizard, repair methods are available to create the database file and the data file group. The database file is created by the repair method in the directory of the data file (*.mdf).

For details about installation and operation of One Identity Manager database using Azure SQL Managed Instance, please refer to One Identity Manager Installation Guide: Identity Manager - Installation Guide (oneidentity.com).

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation