Get-QResourceActivity
Retrieves the activity associated with a resource. The results provide a granular list of activities recorded over a period of time that can be used to verify proper resource usage and make decisions on modifying access.
Note: Resource activity collection (and therefore, this cmdlet) is not supported for the following host types:
- Windows Cluster/Remote Windows Computer
- Generic Host Type
- EMC Isilon NFS Device
- SharePoint Online
- OneDrive for Business
Syntax:
Get-QResourceActivity [-ManagedHostId] <String> [-Resources] <String[]> [[-StartTime] [<DateTime>]] [[-EndTime] [<DateTime>]] [[-Exclusions] [<String[]>]] [[-ExcludedOperations] [<String[]>]] [<CommonParameters>]
Table 226: Parameters
| ManagedHostId |
Specify the ID (GUID format) of the managed host that you would like to see resource activity for.
Run the Get-QManagedHosts cmdlet without any parameters to retrieve a list of available managed hosts and their IDs. |
| Resources |
Specify the specific resource you would like to see resource activity for.
Specify NTFS resources in the following format: "C:\Share","C:\ADFS"
When specifying multiple resources, separate the resources with a comma. |
| StartTime |
(Optional) Specify the start date and time from which you want to see resource activity.
Specify the start time in the following format (UTC): "23/01/2016 10:36:30 PM" |
| EndTine |
(Optional) Specify the end date and time up to which you want to see resource activity.
Specify the end time in the following format (UTC): "23/01/2016 11:36:30 PM" |
| Exclusions |
(Optional) Specify the security identifier (SID) of the users to be excluded from the resource activity search.
Specify the SIDs to exclude using the following format: domain: S-1-5-21
Example: TSX:S-1-5-21-3263556741-3296809600-1972185209-1104 |
| ExcludedOperations |
(Optional) Specify the operations to be excluded from the resource activity search. Valid values are:
- Create
- Delete
- Read
- Rename
- Security Change
- Write
When specifying multiple operations, separate the operations with a comma. |
Examples:
Table 227: Examples
| Get-QResourceActivity "ce21c3ec-3b79-4225-955a-c54cb46790f1" "C:\Share","C:\ADFS" |
Retrieves all activity on the specified managed host for the "C:\Share" and "C:\ADFS" folders. |
Details retrieved:
Table 228: Details retrieved
| NodeId |
The ID used to link the activity database to the QAMNode table. (AuditNodeId in QAMNode table.) |
| ResourceId |
The ID assigned to the operation that was performed. |
| ParentResourceId |
Shows which resource in the activity database is the parent. |
| ResourcePath |
The path of the resource. |
| ResourceName |
The name of resource. |
| Resource |
The type of resource. |
| Operation |
The operation that was performed. |
| AccessCount |
The number of times the operation occurred during the aggregation interval. |
| StartTime |
The start date and time for collecting resource activity. Activity is stored in 'time spans'. |
| EndTime |
The end date and time for collecting resource activity. Activity is stored in 'time spans'. |
| TrusteeType |
The type of account that initiated the operation. |
| TrusteeName |
The name of the account that initiated the operation. |
| TrusteeSid |
The security identifier (SID) assigned to the account that initiated the operation, |
| AuditTrusteeId |
The ID associated with the account that performed the operation. (UID_QAMTrustee in QAMTrustee table.) |
Get-QResourceSecurity
Returns the security descriptor for a given resource in the SSDL format.
Syntax:
Get-QResourceSecurity [-ResourceUri] <String> [-ResType] <String> [-DomainDNSName] <String> [[-NoSACL] [<SwitchParameter>]] [[-NoDACL] [<SwitchParameter>]] [[-NoOwner] [<SwitchParameter>]] [[-NoGroup] [<SwitchParameter>]] [<CommonParameters>]
Table 229: Parameters
| ResourceUri |
Specify the path to the resource for which you want the security descriptor. |
| ResType |
Specify the type of resource in question:
- adminrights
- localosrights
- files
- folders
- shares
|
| DomainDNSName |
Specify the DNS domain name of the domain where the managed host with the resource in question resides. |
| NoSACL |
(Optional) Specify this parameter if you do not want to return the SACL information in the SDDL.
If this parameter is not specified, the SACL information will be included. |
| NoDACL |
(Optional) Specify this parameter if you do not want to return the DACL information in the SDDL.
If this parameter is not specified, the DACL information will be included. |
| NoOwner |
(Optional) specify this parameter if you do not want to return the Owner information in the SDDL.
If this parameter is not specified, the owner information will be included. |
| NoGroup |
(Optional) Specify this parameter if you do not want to return the group information in the SDDL.
If this parameter is not specified, the group information will be included. |
Examples:
Table 230: Examples
|
Get-QResourceSecurity -ResourceUri "\\QAMAUTOMem1\c$\autoroot\test_folder" -ResType Folders -DomainDNSName QAMAUTO.QC.HAL.CA.QSFT |
Returns the security descriptor for the specified resource on QAMAUTOMem1 in the specified domain. |
Set-QResourceSecurity
Sets or updates the security on a given resource to the specified security descriptor.
Note: The existing security descriptor is completely replaced.
Syntax:
Set-QResourceSecurity [-SDDL] <String> [-ResourceUri] <String> [-ResType] <String> [-DomainDNSName] <String> [-HostDownLevelName] <String> [<CommonParameters>]
Table 231: Parameters
| SDDL |
Specify the security descriptor (SDDL format) to be set. |
| ResourceUri |
Specify the path to the resource that you want to set the security for. |
| ResType |
Specify the resource type of the resource to have its security descriptor set. Valid values are:
- adminrights
- localosrights
- files
- folders
- shares
|
| DomainDNSName |
Specify the DNS name of the resource's domain. |
| HostDownLevelName |
Specify the downlevel name of the host where the resource resides. |
Examples:
Table 232: Examples
|
Set-QResourceSecurity -SDDL "O:BAG:DUD:AI(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO) (A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)S:PAI" -ResourceUri "\\QAMAUTOMem1\c$\autoroot\test_folder" -ResType Folders -DomainDNSName QAMAUTO.QC.HAL.CA.QSFT -HostDownLevelName QAMAUTOMem1 |
Sets the security on the specified resource to the specified SDDL on the computer qamautomem1 in the domain qamauto.qc.hal.ca.qsft. |
Governed data management
Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.
The following commands are available to you to manage governed data. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.
Table 233: Governed data management commands
|
Get-QDataUnderGovernance |
View the data within your organization that has been placed under governance. Data is considered “governed” when it has been explicitly placed under governance or published to the IT Shop.
For more information, see Get-QDataUnderGovernance. |
|
Get-QPerceivedOwnerPoI |
View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment.
For more information, see Get-QPerceivedOwnerPol. |
|
Get-QSelfServiceClientConfiguration |
View the options that are available for self-service requests within the IT Shop.
For more information, see Get-QSelfServiceClientConfiguration. |
|
Get-QSelfServiceMethodsToSatisfyRequest |
View the group membership that is required to satisfy an access request.
When employees request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that employee could be added to fulfill their request.
For more information, see Get-QSelfServiceMethodsToSatisfyRequest.
NOTE: This PowerShell cmdlet does not support NFS or Cloud resources (since these types of resources cannot be published to the IT Shop). |
|
Remove-QDataUnderGovernance |
Remove data from governance.
NOTE: Removing a resource from governance, also removes it from the IT Shop.
For more information, see Remove-QDataUnderGovernance. |
|
Set-QBusinessOwner |
Set the business owner on a governed resource to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.
For more information, see Set-QBusinessOwner. |
|
Set-QDataUnderGovernance |
Place a resource under governance. Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.
You can also use this command to set the business owner on governed resources to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.
For more information, see Set-QDataUnderGovernance. |
|
Set-QSelfServiceClientConfiguration |
Set the options that are available for self-service requests within the IT Shop.
For more information, see Set-QSelfServiceClientConfiguration. |
|
Trigger-QDataUnderGovernanceCollection |
Trigger data collection for governed resources for a given managed host.
For more information, see Trigger-QDataUnderGovernanceCollection. |
|
Upgrade-QDataUnderGovernanceRecords |
Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.
NOTE: This is a requirement for upgrading to version 6.1.2 or 6.1.3.
For more information, see Upgrade-QDataUnderGovernanceRecords. |
