
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Agent deployment pre-flight check

Prior to deploying Data Governance agents:

  • Ensure that the agent hosts meet the minimum hardware and software requirements. For more information, see Data Governance Edition system requirements.
  • Ensure that the appropriate ports are opened on the agent. For more information, see Data Governance Edition required ports.
  • Ensure that disk space is sufficient on the drive hosting the agent files.
  • Ensure that the service account can access the admin$ share on the agent.
  • Identify other programs that may impact agent security scanning and security update monitoring.
  • Identify target paths. Refrain from scanning the entire file system immediately.
  • Identify peak hours for scheduling purposes.
  • Ensure that the agent can query the domain naming context on a domain controller.
  • Ensure that the agent can connect to http://<server>:8721/Broadway/IndexServerAgentPort.
  • Ensure that the trusted root certificates on the agent are up to date.

    Note: The agent requires VeriSign Class 3 Public Primary Certification Authority - G5.cer.
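The checks above are easy to script so that they are run the same way for every prospective agent host. The following PowerShell script is an added example, not code from the One Identity guide: it is run on the Data Governance server under the service account that will deploy the agent, tests the admin$ share from the server side, and runs the agent-side checks (free disk space, TCP reachability of port 8721 on the server, the domain naming context via RootDSE, and the presence of the VeriSign G5 root certificate) remotely through Invoke-Command. The host names, the install drive, the free-space threshold and the use of WinRM for the remote checks are assumptions; the guide gives no minimum disk figure.

```powershell
# Added example (not part of the One Identity guide). Run on the Data Governance
# server under the deploying service account. Host names, install drive and the
# free-space threshold are assumed placeholders; WinRM must be enabled on the
# agent host for Invoke-Command to work (the guide does not mention WinRM).
param(
    [string]$AgentHost    = 'AGENT01.example.com',     # assumed placeholder
    [string]$DgeServer    = 'DGESERVER01.example.com', # assumed placeholder for <server>
    [string]$InstallDrive = 'C',
    [int]   $MinFreeGB    = 10                         # assumed threshold, not from the guide
)

# Check 1 (from the server): the service account can reach admin$ on the agent.
$adminShareOk = Test-Path -Path "\\$AgentHost\admin$"

# Checks 2-5 (on the agent): executed on the prospective agent host itself.
$remote = Invoke-Command -ComputerName $AgentHost -ArgumentList $DgeServer, $InstallDrive -ScriptBlock {
    param($Server, $Drive)

    # Free space on the drive that will hold the agent files.
    $disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # TCP reachability of the server's index port (port 8721 from the guide).
    $port = (Test-NetConnection -ComputerName $Server -Port 8721 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Domain naming context, read from RootDSE on a domain controller.
    try   { $nc = ([ADSI]'LDAP://RootDSE').defaultNamingContext }
    catch { $nc = $null }

    # Required root certificate in the machine's Trusted Root store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*VeriSign Class 3 Public Primary Certification Authority - G5*' }

    [pscustomobject]@{
        FreeGB        = $freeGB
        Port8721      = [bool]$port
        NamingContext = [string]$nc
        VeriSignG5    = ($null -ne $cert)
    }
}

# Collect pass/fail per pre-flight item, keeping the measured values in the label.
$checks = [ordered]@{
    "admin`$ share on $AgentHost reachable from server"                        = $adminShareOk
    "free space on ${InstallDrive}: = $($remote.FreeGB) GB (minimum $MinFreeGB)" = ($remote.FreeGB -ge $MinFreeGB)
    "agent can reach ${DgeServer}:8721"                                         = $remote.Port8721
    "domain naming context = '$($remote.NamingContext)'"                        = (-not [string]::IsNullOrEmpty($remote.NamingContext))
    'VeriSign Class 3 Public Primary CA - G5 present in Trusted Root store'    = $remote.VeriSignG5
}

foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f ($(if ($c.Value) { '[PASS]' } else { '[FAIL]' }), $c.Key)
}
```

The port check only confirms that TCP 8721 on the server accepts a connection; it does not exercise the IndexServerAgentPort endpoint itself, so a PASS there should be read as "no firewall in the way" rather than "the agent service protocol works". The items that cannot be scripted (identifying interfering software, target paths and peak hours) still have to be reviewed by hand.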

Agent deployment methods

This table lists the methods that can be used to deploy Data Governance agents.

Note: As of Data Governance Edition version 7.0.2, manually deploying agents is NOT allowed. You must use the Manager client to deploy and configure Data Governance agents because you need access to the Data Governance application roles within One Identity Manager.

Table 15: Agent deployment methods

Deployment method: Manager - single agent deployment

  Description: The recommended method for adding a managed host.

    1. Select the host computer from the Managed hosts view (it must already have been synchronized into One Identity Manager).
    2. Select the Manage host task.
    3. In the Managed Host Settings dialog, select the managed host configuration settings.

  Notes/Where to find additional information:

    NOTE: Use the Managed DFS host task to add a Distributed File System (DFS) root managed host.

    NOTE: Use the Manage NFS host task to add an NFS managed host for scanning supported NAS devices with the NFS file system protocol enabled.

    NOTE: Use the Manage Cloud host task to add a SharePoint Online or OneDrive for Business managed host.

    For more information on determining the type of agent to be deployed, see Working with managed hosts and agents.

    For more information on deploying the different types of managed hosts, see Adding and configuring managed hosts.

    For more information about the configuration settings available, see Managed host configuration settings.

Deployment method: Manager - multiple agent deployment

  Description: Use this method to add and configure multiple managed hosts at once.

    1. Select multiple host computers of the same host type from the Managed hosts view.
    2. Select the Manage multiple hosts task.
    3. Set the appropriate managed host configuration settings; they will be applied to all selected hosts.

  Notes/Where to find additional information:

    Not available for adding SharePoint managed hosts.

    Does not apply to DFS, NFS, or Cloud host types (you do not select host computers when adding these types of managed hosts).

    The server deploys the agents in a staggered manner.

    All hosts must be in managed domains.

    For more information on adding or configuring managed hosts, see Adding and configuring managed hosts.

Deployment method: Windows PowerShell

  Description: Use the following PowerShell cmdlets in the OneIdentity.DataGovernance snap-in to deploy and configure managed hosts:

    • Add-QManagedHostByAccountName: Adds a managed host to your deployment and configures its settings.
    • Set-QManagedHostProperties: Changes the properties of a managed host.
    • Set-QAgentConfiguration: Sets the managed paths to be scanned.

  Notes/Where to find additional information:

    These PowerShell cmdlets do not support adding Cloud managed hosts or setting managed paths for Cloud managed hosts.

    For more detailed information on using Windows PowerShell to manage your agent deployment, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Adding and configuring managed hosts

Different types of managed hosts behave differently. The following sections provide the steps to configure each type of managed host.

You can add the following host computers as a managed host to your Data Governance Edition deployment:

Related Topics

Managed host configuration settings

Adding a local managed host (Windows computer)

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add a local managed host to a Windows computer

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of Windows Computer.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected on the Managed hosts view.
    2. Host Type: Select Local Windows Computer.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. By default, local agents scan all local fixed volumes (NTFS devices) on the host computer. To limit the amount of security data being scanned, use the Managed Paths page to specify the root of an NTFS directory to be scanned. Once you configure one or more managed paths, only those paths are scanned.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. In the Managed Paths Picker dialog, select the check box to the left of the directories to be scanned.

      NOTE: For local managed hosts, the Agent Selection field at the bottom of this dialog is pre-populated with the name of the selected target machine.

    4. Click OK.

    For more information, see Managed paths page.

  6. By default, local agents begin scanning immediately once deployed. Use the Security Scanning page to define a different scanning schedule for the agent.

    For example, to delay the scan to run during off peak hours:

    1. Open the Security Scanning page.
    2. Clear the Immediately scan on agent restart or when managed paths change check box.
    3. Use the Scan start time control to specify the desired time to perform the full scan.

      NOTE: The Scan start time is local agent time.

    Review the options at the bottom of the page to determine if the default security scanning behavior needs to be modified:

    • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.
    • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

    For more information, see Security Scanning page.

  7. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection on the target host.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    To configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:
      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:
      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain well-known system accounts, file extensions and folders are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the accounts and objects to be excluded.

      NOTE: By default, the Data Governance agent excludes its run-as account (LOCAL SYSTEM) from activity collection and aggregation.

    For more information, see Resource activity page.

  8. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy a Data Governance Edition agent on the local computer.

By default, the security scan begins immediately upon agent deployment. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to display the Resource browser.
