지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager Data Governance Edition 8.1.1 - Deployment Guide

Introduction Data Governance Edition system requirements Install One Identity Manager Data Governance Edition Deploy Data Governance Edition components Post installation configuration Authentication using service accounts and managed domains Working with managed hosts and agents Upgrade Data Governance Edition Remove Data Governance Edition Troubleshooting Appendix: NetApp managed host deployment Appendix: EMC managed host deployment Appendix: SharePoint managed host deployment

Data Governance agent

The Data Governance agent refers to the server hosting a local or remote Data Governance Edition agent.

This server must meet the following minimum system requirements.

Table 7: Minimum system requirements: Data Governance agent
Processor 500MHz+
Memory 1024MB RAM
Free disk space

20 GB

NOTE: The agent will use the required CPU, memory and disk space to perform scans, data synchronizations, queries and activity reporting. Unexpected behavior will occur if any of these resources are depleted.
Operating system

Windows operating systems:

  • Windows Server 2008
  • Windows Server 2008 (R2) (32-bit or non-Itanium 64-bit)
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

NOTE: New Dynamic Access Control (DAC) features are not supported.

NOTE: When an agent is installed on Windows Server 2012/2012 R2, disable the following local policy: "User Account Control: run all Administrators in Admin Approval Mode".

NOTE: The following certificate must be installed as a Trusted Root Certification Authority on the target agent host computer: VeriSign Class 3 Public Primary Certification Authority — G5.cer.
Software

.NET Framework 4.5 or later

.NET Framework 3.5.1 (SharePoint 2010 agents)

NOTE: SharePoint 2010 agents require .NET Framework 3.5.1; all other Windows Servers and SharePoint 2013 farms hosting an agent require .NET Framework 4.5 or later.

Resource Activity database server

The Resource Activity Database server refers to the server hosting the Data Governance Edition Resource Activity database.

Note: You can use your pre-existing One Identity Manager database server to host the resource activity database.

This server must meet the following system requirements.

Table 8: Minimum system requirements: Resource Activity Database server
Processor quad core CPU
Memory 16GB RAM
Free disk space 100GB

Supported target systems

The following systems are supported to be scanned.

Table 9: Supported target systems
Target Version Additional notes

Windows Server

The following Windows Server versions are supported for scanning (local or remote managed hosts):

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Resource activity collection is not supported for remotely managed Windows Server hosts.

Windows Cluster

The following failover clusters are supported for scanning (remote managed host):

  • Windows 2008
  • Windows 2008 (R2)
  • Windows 2012
  • Windows 2012 (R2)
  • Windows 2016

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Resource activity collection is not supported for Windows clusters.

NetApp CIFS Devices

The following NetApp filer versions (with CIFS file system protocol enabled) are supported for scanning (remote managed host):

  • NetApp ONTAP 7.3
  • NetApp ONTAP 8.0
  • NetApp ONTAP 8.1
  • NetApp ONTAP 8.2
  • NetApp ONTAP 8.3
  • NetApp ONTAP 9.0 RC1
  • NetApp ONTAP 9.1
  • NetApp ONTAP 9.2
  • NetApp ONTAP 9.3

NOTE: Both NetApp 7-Mode and Cluster Mode are supported.

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Real-time security updates and resource activity collection are not supported on versions of NetApp ONTAP filers earlier than 7.3.

NetApp storage devices require additional configuration. See Appendix: NetApp managed host deployment prior to adding a NetApp managed host.

NetApp NFS Devices

The following NetApp filer versions (with NFS file system protocol enabled) are supported for scanning (remote managed host):

  • NetApp ONTAP 7.3
  • NetApp OnTAP 8.0
  • NetApp ONTAP 8.1
  • NetApp ONTAP 8.2
  • NetApp ONTAP 8.3
  • NetApp ONTAP 9.0 RC1
  • NetApp ONTAP 9.1
  • NetApp ONTAP 9.2
  • NetApp ONTAP 9.3

NOTE: Both NetApp 7-Mode and Cluster Mode are supported.

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process.

For NetApp 7-Mode managed hosts, real-time security updates and resource activity collection require FPolicy; and in order to use FPolicy, CIFS must be installed and running.

NetApp storage devices require additional configuration. See Appendix: NetApp managed host deployment prior to adding a NetApp managed host.

EMC CIFS Devices

The following EMC devices are supported for scanning (remote managed host):

  • EMC Celerra
  • EMC VNX
  • EMC Isilon

The following EMC Framework versions (with CIFS file system protocol enabled) are supported:

  • Common Event Enabler (CEE) 7.1 (or higher)

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

VNXe is not supported. VNXe does not support CEPA currently and therefore Data Governance Edition will not run successfully in VNXe environments.

EMC storage devices require additional configuration. See Appendix: EMC managed host deploymentprior to adding an EMC managed host.

EMC Isilon NFS Devices

The following EMC Isilon devices (with NFS file system protocol enabled) are supported for scanning (remote managed host):

  • EMC Isilon 7.2
  • EMC Isilon 8.0

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process.

Resource activity collection is not supported for EMC Isilon NFS managed hosts.

EMC storage devices require additional configuration. See Appendix: EMC managed host deployment prior to adding an EMC managed host.

SharePoint

The following SharePoint versions are supported for scanning (local managed host):

  • SharePoint Server 2010
  • SharePoint Server 2013
  • SharePoint Server 2016

100GB disk space on the SharePoint agent computer for data storage and scan post-processing activities.

NOTE: The space required depends the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm.

8GB RAM for the SharePoint agent computer.

Agent is installed where the One Identity Manager service (job server) is running for the SharePoint farm.

We recommend installing the One Identity Manager service on a dedicated SharePoint Application Server in the farm and not on a Web Front server which prevents extra load processing on that server.

Standalone farms are not supported.

Farms configured with only Local Users and Groups are not supported.

Cloud

The following cloud providers running on Office 365 are supported for scanning (remote managed host):

  • SharePoint Online
  • OneDrive for Business

Resource activity collection is not supported for Cloud managed hosts.

OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.

DFS Root

Windows 2008 Active Directory DFS and higher

 

Data Governance Edition minimum permissions

The following table contains the permissions required to properly deploy Data Governance Edition.

Table 10: Required minimum permissions
Account Permission

System user (Active Directory account logged on to the computer)

AND

Manager user (Active Directory account running the Manager)

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance | Administrators application role or the Data Governance | Access Managers application role.

NOTE: If the System user does not have the appropriate roles assigned, you will see the Data Governance Edition features in the Manager, but will encounter errors when attempting to perform Data Governance Edition-related tasks. If the Manager user does not have the appropriate roles assigned, you will not see the Data Governance Edition features in the Manager.

Service account assigned to a managed domain

Log On as a Service local user rights on the Data Governance server.

Local Administrator rights on Data Governance agent computers.

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), additional rights are required. For more information, see Service Account is not a member of the Domain Users group.

SQL service account for connection with the Data Governance Resource Activity database

dbcreator server role is required to create the database during initial configuration of Data Governance Edition

db_owner role is required to work with the database

SQL service account for connection with One Identity Manager database

db_owner role for One Identity Manager database

Service account for an agent on Local Windows managed hosts

The agent runs under the Local System account. No additional rights are required.

Service account for an agent managing remote Windows managed hosts

Local Administrator rights on the managed host.

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Service account for an agent managing SharePoint farms

Must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). This account also needs to be a member of the administrators group on the SharePoint server.

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Service account for an agent managing NetApp filers

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Must be a member of the local Administrators group on the NetApp filer in order to create FPolicy.

Must have permissions to access folders being scanned.

Service account for an agent managing EMC Isilon storage devices

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Must have "run as root" permissions on the Isilon SMB share that has been selected as a managed path.

One Identity Manager service (job server) account used for scheduling Data Governance Edition reports

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance | Administrators application role or the Data Governance | Access Managers application role.

Active Directory account used by the AppServer to establish communication between the Data Governance server and the Manager

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance | Administrators and the Data Governance | Access Managers application roles.

NOTE: This account must be added as the AppServer pool identity in Internet Information Services (IIS) Manager. If the AppServer application pool is set to the default Network Security identity, Data Governance Edition reports will fail to generate.
관련 문서