
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Getting server logs

From the Managed hosts view in the Manager you can export the server logs to a location of your choosing. The log files are exported through a background operation and are available once that operation has completed. The export operation can be viewed in the Background operations view.

NOTE: Server logs retrieved using the Get All Logs task consist of the DataGovernanceEdition.Service.exe.dlog file and associated agent deployment logs.

To get server logs

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select Get All Logs from the Tasks view or right-click menu.
  3. In the Browse for folder dialog, select the location where the exported logs are to be stored.

    A compressed zip file is created in the specified location. Clicking this zip file displays the Data Governance service log and an Agent Deployment Logs folder, which contains a log file for each agent deployed.

  4. Double-click the Data Governance service .dlog file to open the service's log in the log viewer.
  5. Double-click an agent deployment log file to open Notepad to view the agent's deployment log.

Job queue shows that database needs to be compiled

On a new install or upgrade, upon Data Governance server startup, the job queue is placed on hold indicating that the database needs to be compiled.

Probable cause

The \TargetSystem\UNS\CreateNewRoot configuration setting must be enabled in order for a Data Governance Edition install to proceed successfully. If Data Governance Edition finds this setting to be disabled, it will mark it enabled; but the job queue will be placed on hold with a 'waiting for database compile' message.

As of Data Governance Edition 7.1, this configuration setting has been incorporated into the Settings.xml file. This Settings.xml file is distributed with One Identity Manager Data Governance Edition version 7.1, and when the setting is found to be enabled, the database compile step will proceed as expected as part of the installation process.

Resolution

Locate the Settings.xml file (C:\<Identity Manager Build>\Setup\Editions\DGE\settings.xml) and ensure the following SQL command is present:

<Command Type="Sql">
     update DialogConfigParm
     set Enabled = 1
     where FullPath = 'TargetSystem\UNS\CreateNewRoot'
</Command>

If it is not present, append this SQL command to the Settings.xml and run the DBCompiler.exe to remove the job queue hold. There should be no need to run the DBCompiler.exe on the next Data Governance Edition upgrade release.

If it is present, but set to disabled, run the DBCompiler.exe to remove the job queue hold.
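
The check described above, as an added PowerShell example that is not part of the One Identity guide. The function name Test-CreateNewRootCommand, the <Settings> wrapper element and the sample XML are constructed for illustration; only the <Command Type="Sql"> element and its SQL text come from this page.

```powershell
# Added example (not vendor code): report whether a Settings.xml contains the
# SQL command that enables TargetSystem\UNS\CreateNewRoot.
function Test-CreateNewRootCommand {
    param([Parameter(Mandatory)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # Whitespace-tolerant match for the statement shown in the guide.
    $pattern = "update\s+DialogConfigParm\s+set\s+Enabled\s*=\s*(\d+)\s+" +
               "where\s+FullPath\s*=\s*'TargetSystem\\UNS\\CreateNewRoot'"
    $result = 'Missing'

    # Find Command elements at any depth, ignoring XML namespaces.
    foreach ($node in $doc.SelectNodes("//*[local-name()='Command'][@Type='Sql']")) {
        # Collapse line breaks and indentation inside the SQL text.
        $sql = ($node.InnerText -replace '\s+', ' ').Trim()
        if ($sql -match $pattern) {
            if ($Matches[1] -eq '1') { return 'Enabled' }
            $result = 'OtherValue'   # command exists but does not set Enabled = 1
        }
    }
    return $result
}

# Constructed sample; the real file's surrounding structure is an assumption.
$sample = @'
<Settings>
  <Command Type="Sql">
     update DialogConfigParm
     set Enabled = 1
     where FullPath = 'TargetSystem\UNS\CreateNewRoot'
  </Command>
</Settings>
'@

Test-CreateNewRootCommand -XmlText $sample

# Against a real installation (replace the placeholder with your build folder):
# $path = 'C:\<Identity Manager Build>\Setup\Editions\DGE\settings.xml'
# Test-CreateNewRootCommand -XmlText (Get-Content -Raw -LiteralPath $path)
```

A result of Missing or OtherValue corresponds to the case where the command must be added or corrected before running DBCompiler.exe.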

Receiving unauthorized access violations

Probable cause

The employee is not configured properly.

Communication with the Data Governance server uses Windows Integrated authentication. Regardless of how you logged in to a client application (for example, as "viadmin"), calls to the Data Governance server are authenticated by looking at your interactive Windows login identity and finding an associated Employee record. The server validates the permissions and roles assigned to this Employee record, not the login that you used when connecting to the client application.

Cannot save the service account

Probable cause

You may receive one of the following errors: “Not Authorized to Use this Database” or "Access was denied while attempting to perform the requested operation" if you are logged in to the machine with an Active Directory account that does not have an associated employee and appropriate roles to view and manage hosts. This account is used to contact the Data Governance server.

NOTE: Both the System user (account logged on to the machine) and the Manager user (account running the Manager) must have an associated One Identity Manager Employee and must be assigned the appropriate Data Governance application roles.

Resolution

To associate an account with an employee

  1. In the navigation view, select Active Directory (ADS button at bottom of navigation view).
  2. Select User accounts, and select the account that you are currently logged in to the machine as.
  3. In the Tasks view, select Change master data.
  4. On the General tab, select an employee to associate with the account.

    Note: Typically an Active Directory synchronization creates an employee for every Active Directory account and this association is already done.

The following application roles are specifically for Data Governance Edition. They are used with One Identity Manager application roles.

  • Data Governance | Access Managers

    Members of this role can access all information related to Data Governance Edition, and can query information from Data Governance agents. Also, they can modify the security of objects contained on managed hosts.

  • Data Governance | Administrators

    Members of this role can perform all administrative tasks necessary for the management of Data Governance Edition. This includes deploying and configuring managed hosts, managing data access, editing security, and placing data under governance.

  • Data Governance | Business Owner

    Members of this role can view information on resources they own.

  • Data Governance | Direct Owners

    This role is held by accounts and roles marked as the owners of resources within Data Governance Edition.

    Note: This role cannot be assigned manually; it is assigned programmatically.

  • Data Governance | Managed Resources

    A default container used for roles automatically generated by Data Governance Edition managed resources. For more information on managed resources, see the One Identity Manager Data Governance Edition IT Shop Resource Access Requests User Guide.

  • Data Governance | Operators

    Members of this role have read-only access to the Managed hosts view and Agents view in the Manager.

  • Identity & Access Governance | Compliance & Security Officer

    Members of this role have a view into all security-related information collected by Data Governance Edition. They are responsible for ensuring security-related compliance regulations are being followed correctly.

To assign application roles

  1. In the navigation view, select Employees | Employees.
  2. In the Employees result list, double-click the required employee.
  3. In the Task view, select Assign One Identity Manager application roles.
  4. Apply the required application role, and save your changes. For example:
    1. Expand Data Governance in the Add assignments window to view the application roles available.
    2. Double-click Administrators to assign the Data Governance | Administrators role to the selected user account.
    3. Click the Save toolbar button.
  5. Restart the Data Governance service to renew the authentication cache. The cache is renewed automatically if you are not using the Manager for 5 minutes.