Chat now with support
지원 담당자와 채팅

Identity Manager Data Governance Edition 8.1.1 - Deployment Guide

Introduction Data Governance Edition system requirements Install One Identity Manager Data Governance Edition Deploy Data Governance Edition components Post installation configuration Authentication using service accounts and managed domains Working with managed hosts and agents Upgrade Data Governance Edition Remove Data Governance Edition Troubleshooting Appendix: NetApp managed host deployment Appendix: EMC managed host deployment Appendix: SharePoint managed host deployment

Appendix: NetApp managed host deployment

Data Governance Edition uses the NetApp Data ONTAP file screening policy (FPolicy) to track activities on the filer. This policy allows third-party file screening software to interact with the NetApp filer.

Understanding the following aspects of the deployment process are key to ensuring a successful deployment of NetApp managed hosts:

Permissions required to access NetApp filer

The service account for the remote agent responsible for scanning the NetApp filer must meet the following minimum permissions:

  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
  • Must be a member of the local Administrators group on the NetApp filer.
  • Must have permissions to access the folders being scanned.

Data Governance agent deployment

NetApp filers are added to a Data Governance Edition deployment as managed hosts with remote agents. When selecting an agent for scanning a NetApp filer, take the following into consideration:

  • The remote agent must be hosted on a machine in the same domain as the NetApp filer device.

    Note: If you host a remote agent in an external domain to monitor a filer, the agent will NOT record the resource activity data.

  • There should be a good network connection between the NetApp filer and the monitoring agent servers.
  • The machine hosting the agent for NetApp can host agents for other servers, but those servers should be close to the agent host.
  • If the NetApp is split up into multiple domains, you must deploy one or more agents for each domain.

FPolicy deployment

FPolicy is required for Data Governance Edition to capture real-time security updates and to collect resource activity. In order to use FPolicy on NetApp 7-Mode managed hosts, CIFS file system protocol must be enabled.

When adding a NetApp 7-Mode managed host, you can use one of the following for FPolicy deployment:

  • automatic FPolicy deployment
  • use a pre-created FPolicy

However, for NetApp Cluster Mode managed hosts, FPolicy deployment is always automatic.

Using automatic FPolicy deployment for NetApp 7-Mode

When you add a NetApp managed host, an FPolicy is created if either of the following managed host settings are enabled:

  • Collect activity for real-time security updates on the Security Scanning page
  • Collect and aggregate events on the Resource Activity page

When you deploy an agent, an empty FPolicy (with no monitored operations) is created by the Data Governance server (performed as the service account for the domain). When the agent starts, it registers with the FPolicy as an FPolicy Server. At the point of registration, the agent will register the operations it will monitor.

Note: If another agent is added to the managed host to index a separate root on the NetApp device, a new FPolicy will be created (named after the new agent ID).

The FPolicy:

  • is created using the credentials of the domain service account.
  • is named after the agent ID (that is, DGE_ <DeploymentName>_<FQDN of managed host>).
  • is configured to use the version 2 interface.
  • includes cifs_set_attr information, which allows Data Governance Edition to receive notification of security changes.
  • sets the cifs_setattr option to on (defaults to off in FPolicy).
  • is asynchronous.

Note: To view all the existing FPolicies on a NetApp device, establish a Telnet or SSH connection to the filer device, log in and type the following at the OnTap command line: “fpolicy”.

Note: When you remove an agent, the FPolicy is deleted.

Using a pre-created FPolicy on a NetApp 7-Mode filer

Data Governance Edition can be configured to connect to a pre-created FPolicy. The following steps are required to configure Data Governance Edition to use a manually created FPolicy instead of automatic deployment:

  • Enable CIFS FPolicy on NetApp filer
  • Create FPolicy on the filer
  • Configure the Data Governance server and agent

To enable CIFS FPolicy on a NetApp filer

  • Run options FPolicy.enable on

To create FPolicy on the filer

  • fpolicy create <PolicyName> Screen
  • fpolicy enable <PolicyName>

To configure the Data Governance server and agent

  1. Configure the Data Governance server to prevent the creation of FPolicy on the required NetApp filer:

    1. Create the following registry key: “HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server\ManualFPolicyCreation”.
    2. Add a string value with the fully qualified domain name of the NetApp filer.
  2. In the Manager, deploy a NetApp managed host.

    Note: Ensure that the registry key has been created on the server before deploying the agent.

  3. Configure the NetApp agent to use the manually pre-created FPolicy.
    1. Stop the agent service.
    2. Locate the following configuration setting in the %Program Files%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DataGovernance.Agent.exe.config file.

      <"Agent">

        <"Services">

          <"ChangeMonitoring">

            <Setting name="OverrideFPolicyName">

    3. Add a string value with the FPolicy name you want the specified agent to register with.
    4. Save the configuration file.
    5. Restart the agent.

FPolicy deployment for NetApp Cluster Mode

FPolicy deployment for NetApp Cluster Mode is always automatic and is done by the agent at run time because of the use of dynamic ports. The FPolicy will be deleted when the agent stops. You cannot specify a pre-created FPolicy.

관련 문서