
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Granting SQL Server permissions

To grant SQL Server permissions

  1. Create a new SQL login or use an existing login. (Open SQL Server Management Studio, connect to the SQL Server instance, expand the Security node, then Logins, and create a new login or select an existing one.)
  2. Open the login properties, and select the required server role.

    Note: The Public role is selected by default.

  3. Switch to User Mapping and select a database for which the permissions need to be granted and select the required database roles.
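The same three steps (login, server role, user mapping with database roles) can be scripted and, more importantly, verified afterwards. The following PowerShell is an added example, not code from the One Identity guide. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the caller may create logins, and that the instance name SQL01\OIM, the database name OneIM, the account CONTOSO\svc-dge and the db_owner role are placeholders; the roles actually required are listed in the Data Governance Edition system requirements, not on this page.

```powershell
# Added example (not from the One Identity guide): grant the SQL Server permissions described
# above and read the resulting role memberships back. Instance, database, account and role
# names are placeholders; take the required roles from the system requirements chapter.
Import-Module SqlServer

function ConvertTo-SqlIdentifier([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }   # bracket-quote an identifier
function ConvertTo-SqlLiteral([string]$Value)   { "N'" + $Value.Replace("'", "''") + "'" }  # quote a string literal

function Grant-DgeSqlPermissions {
    param(
        [string]$ServerInstance,
        [string]$Database,
        [string]$Login,                   # Windows account, e.g. 'CONTOSO\svc-dge'
        [string[]]$ServerRoles = @(),     # 'public' is implicit; leave empty unless the guide requires more
        [string[]]$DatabaseRoles
    )
    $id  = ConvertTo-SqlIdentifier $Login
    $lit = ConvertTo-SqlLiteral    $Login

    # Step 1: create the login only if it does not exist yet (otherwise the existing login is reused).
    $serverSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $lit)
    CREATE LOGIN $id FROM WINDOWS;
"@
    # Step 2: server roles. 'public' cannot be granted explicitly, so it is skipped.
    foreach ($role in ($ServerRoles | Where-Object { $_ -ne 'public' })) {
        $serverSql += "ALTER SERVER ROLE $(ConvertTo-SqlIdentifier $role) ADD MEMBER $id;`n"
    }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $serverSql

    # Step 3: user mapping in the target database plus the database roles.
    $dbSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $lit)
    CREATE USER $id FOR LOGIN $id;
"@
    foreach ($role in $DatabaseRoles) {
        $dbSql += "ALTER ROLE $(ConvertTo-SqlIdentifier $role) ADD MEMBER $id;`n"
    }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $dbSql
}

function Get-DgeSqlPermissionReport {
    param([string]$ServerInstance, [string]$Database, [string]$Login)
    $lit = ConvertTo-SqlLiteral $Login
    $serverRoles = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT r.name AS role_name FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = $lit;
"@
    $dbRoles = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query @"
SELECT r.name AS role_name FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = $lit;
"@
    $srv = @($serverRoles | ForEach-Object role_name)
    [pscustomobject]@{
        Login         = $Login
        ServerRoles   = $srv
        DatabaseRoles = @($dbRoles | ForEach-Object role_name)
        # Review flag: sysadmin bypasses every database-level mapping, so it must be deliberate.
        HasSysadmin   = [bool]($srv -contains 'sysadmin')
    }
}

# Usage with placeholder values.
Grant-DgeSqlPermissions -ServerInstance 'SQL01\OIM' -Database 'OneIM' -Login 'CONTOSO\svc-dge' -DatabaseRoles @('db_owner')
Get-DgeSqlPermissionReport -ServerInstance 'SQL01\OIM' -Database 'OneIM' -Login 'CONTOSO\svc-dge'
```

The report is the part worth keeping in a runbook: it shows which server roles and which database roles the login actually holds, and flags sysadmin separately, because a login that is sysadmin makes the per-database mapping in step 3 irrelevant.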

Granting Active Directory permissions

Service Account is not a member of the Domain Users group

Domain users can Read All Properties and List Contents in the domains to which they belong. When a user account from another domain is used to manage a trusted domain, however, it must be explicitly assigned List Contents and Read All Properties permissions in that domain, for example through ADSIEDIT.msc.

If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), the following additional rights are required in the domain to be managed:

  • List Contents and Read All Properties rights on the managed domain.
  • List Contents and Read All Properties rights on the system container of the managed domain.
  • Read All Properties on the OU containing all domain groups.
  • Service connection point should be created manually.

These rights will function for forest-wide authentication. For selective authentication, the service account must be a member of the domain you want to manage.

To assign “List Contents” and “Read All Properties” rights on the managed domain

  1. Right-click the domain root and select Properties.
  2. Click the Security tab, and click Advanced.
  3. Click Add, select the required account, and assign List Contents and Read All Properties.
  4. Apply it to This object only.

To assign “List Contents” and “Read All Properties” rights on the system container of the managed domain

  1. Right-click the system container and select Properties.
  2. Click the Security tab, and click Advanced.
  3. Click Add, select the required account, and assign List Contents and Read All Properties.
  4. Apply it to This object only.

To assign “Read All Properties” rights to OUs containing all domain groups

  1. Right-click the domain root, select Properties.
  2. Click the Security tab, and click Advanced.
  3. Click Add, select the required account, and assign Read All Properties to all descendant group objects.
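The three ADSIEDIT procedures above can be applied and, just as importantly, read back with the ActiveDirectory PowerShell module. The following is an added example, not code from the One Identity guide. It assumes the RSAT ActiveDirectory module is installed, that the caller may modify ACLs in the managed domain, and that it.example.net (domain A, where the service account lives), corp.example.com (domain B, the domain to be managed) and svc-dge are placeholders. The GUI names map to the .NET flags as follows: List Contents is ListChildren, Read All Properties is ReadProperty, and "This object only" is inheritance None.

```powershell
# Added example (not from the One Identity guide): grant a service account from trusted domain A
# the rights listed above in managed domain B, then read the ACLs back to confirm.
# Domain and account names are placeholders.
Import-Module ActiveDirectory

$AccountDomain  = 'it.example.net'      # assumed: domain A, where the service account lives
$ManagedDomain  = 'corp.example.com'    # assumed: domain B, the domain to be managed
$ServiceAccount = 'svc-dge'             # assumed sAMAccountName of the service account

# ACEs store SIDs, so resolve the account in its own domain once; no translation is needed in B.
$sid      = (Get-ADUser -Identity $ServiceAccount -Server $AccountDomain).SID
$domainDN = (Get-ADDomain -Server $ManagedDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"
$groupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'group' class

# Mount a provider drive against a DC of the managed domain so Get-Acl/Set-Acl target domain B,
# not the domain the current session is joined to.
New-PSDrive -Name DGE -PSProvider ActiveDirectory -Server $ManagedDomain -Root '' | Out-Null

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$listAndRead = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'  # List Contents + Read All Properties
$readProps   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty                # Read All Properties
$thisObject  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None           # "This object only"
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents    # descendant objects only

function Add-DgeAce([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule) {
    $acl = Get-Acl -Path "DGE:\$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "DGE:\$Dn" -AclObject $acl
}

# Procedures 1 and 2: List Contents + Read All Properties on the domain root and the System container.
foreach ($dn in $domainDN, $systemDN) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $listAndRead, $allow, $thisObject)
    Add-DgeAce $dn $rule
}
# Procedure 3: Read All Properties on every descendant group object, set once at the domain root.
$groupRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $readProps, $allow, $descendants, $groupClassGuid)
Add-DgeAce $domainDN $groupRule

# Verify: list exactly the ACEs that now reference the service account on each container.
function Get-DgeAceReport([string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid) {
    (Get-Acl -Path "DGE:\$Dn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        Select-Object @{ n = 'Object'; e = { $Dn } }, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}
$domainDN, $systemDN | ForEach-Object { Get-DgeAceReport $_ $sid }
```

Two caveats carry over from the text above: these ACEs only help under forest-wide authentication (with selective authentication the account has to be a member of the managed domain), and the service connection point still has to be registered manually, which the next procedure covers. The verification step compares SIDs rather than account names, so it works even when the trusted-domain account cannot be translated to a DOMAIN\name form from domain B.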

To manually create a service connection point

Note: When the Data Governance service starts up, a Service Connection Point (SCP) is automatically created/updated. The Data Governance Configuration wizard specifies the deployment name assigned to a Data Governance Edition deployment and the Data Governance service will install the SCP with that name. "DEFAULT" is the default deployment name.

When an account from a trusted domain is used, use the following PowerShell command to register the SCP:

Register-QServiceConnectionPoint -DomainDNSName <Fully Qualified Domain DNS Name> -DeploymentID <Deployment Name> -ServerDNSName <Fully Qualified DGE Server DNS Name> -ServerNetTcpPortNumber 8722

Note: To find the DeploymentID run the Get-QDeploymentInfo command.

Note: The HTTP port is derived from the net.tcp port. When you specify ServerNetTcpPortNumber, the HTTP port is automatically set to one less than that value (8721 for the default net.tcp port of 8722).

If you need to remove the SCPs of a single Data Governance Edition deployment or of all deployments, use the Remove-QServiceConnectionPoint PowerShell command.

Data Governance Edition required ports

Note: For agent deployments, open the following file and printer sharing ports:

  • TCP 135
  • UDP 137
  • UDP 138
  • TCP 139
  • TCP 445
Table 11: Ports required for communication

Port 8721 (Incoming)
TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.

Port 8722 (Incoming)
TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, the One Identity Manager web server, and PowerShell.

NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above should always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you only change this port using the Data Governance Configuration wizard to ensure the configuration file, One Identity Manager database and service connection points are updated properly; otherwise, you may lose connection with the Manager, the Data Governance service and/or Data Governance agents.

IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

Port 8723 (Incoming)
HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).

Ports 18530 - 18630 (Incoming)
TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host uses port 18530, and each subsequent agent on the same host takes the next available port, i.e., 18531, 18532, and so on.) In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
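Opening these ports is usually done in Windows Firewall, and the table carries one rule that is easy to get wrong by hand: the HTTP port must be exactly one less than the configured net.tcp port. The following PowerShell is an added example, not code from the One Identity guide. It derives the HTTP port from the net.tcp port, creates inbound rules scoped to the peers that actually need them (on the server, the subnet holding agents and clients; on agent hosts, only the Data Governance server address), and then checks both base ports from a client. It assumes the NetSecurity module (Windows Server 2012 or later) and an elevated shell; the subnet 10.20.0.0/16, the server name dge01.corp.example.com and its address 10.20.1.15 are placeholders.

```powershell
# Added example (not from the One Identity guide): firewall rules for the Table 11 ports plus a
# reachability check. Subnet, server name and server address are placeholders.
$NetTcpPort  = 8722                       # must match the Data Governance Configuration wizard
$HttpPort    = $NetTcpPort - 1            # guide: HTTP port is always net.tcp - 1 (8721 by default)
$WebPort     = 8723                       # /landing and /home pages for the IM web server
$AgentRange  = '18530-18630'              # agent listeners, one port per agent on a host
$PeerSubnet  = '10.20.0.0/16'             # assumed: where agent hosts and IM clients live
$DgeServer   = 'dge01.corp.example.com'   # assumed Data Governance server name
$DgeServerIp = '10.20.1.15'               # assumed Data Governance server address (RemoteAddress takes IPs, not names)

function New-DgeInboundRule {
    param([string]$Name, [string]$Protocol, [string[]]$LocalPort, [string[]]$RemoteAddress)
    # Idempotent: replace an existing rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $Protocol -LocalPort $LocalPort -RemoteAddress $RemoteAddress | Out-Null
}

# --- Run on the Data Governance server: the three server-side ports from Table 11 ---
New-DgeInboundRule -Name 'DGE REST (HTTP)'  -Protocol TCP -LocalPort "$HttpPort"   -RemoteAddress $PeerSubnet
New-DgeInboundRule -Name 'DGE net.tcp'      -Protocol TCP -LocalPort "$NetTcpPort" -RemoteAddress $PeerSubnet
New-DgeInboundRule -Name 'DGE web landing'  -Protocol TCP -LocalPort "$WebPort"    -RemoteAddress $PeerSubnet

# --- Run on each agent host: the agent listener range, scoped to the server only ---
New-DgeInboundRule -Name 'DGE agent listeners' -Protocol TCP -LocalPort $AgentRange -RemoteAddress $DgeServerIp
# File and printer sharing ports needed for agent deployment, also scoped to the server.
New-DgeInboundRule -Name 'DGE agent deploy RPC/SMB' -Protocol TCP -LocalPort @('135', '139', '445') -RemoteAddress $DgeServerIp
New-DgeInboundRule -Name 'DGE agent deploy NetBIOS' -Protocol UDP -LocalPort @('137', '138')        -RemoteAddress $DgeServerIp

# --- Run from a client or agent host: both base ports must answer, and the HTTP one must be net.tcp - 1 ---
function Test-DgeServerPorts {
    param([string]$ComputerName, [int]$NetTcpPort)
    foreach ($port in ($NetTcpPort - 1), $NetTcpPort) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = $r.TcpTestSucceeded }
    }
}
Test-DgeServerPorts -ComputerName $DgeServer -NetTcpPort $NetTcpPort
```

If the wizard is later used to move the net.tcp port, rerun the server-side block with the new value; the HTTP rule follows automatically because it is computed rather than typed. A result where 8722 is open but 8721 is closed is the typical symptom of the two ports being edited independently.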

Install One Identity Manager Data Governance Edition

A Data Governance Edition deployment relies on a successfully deployed One Identity Manager. The intent of this guide is to focus on the Data Governance Edition components. For complete details on installing and configuring the One Identity Manager components see the One Identity Manager Installation Guide.

NOTE: One Identity Manager Data Governance Edition requires a number of "modules" to be enabled during installation in order to provide the proper connectivity to Active Directory, File System, and SharePoint as well as presenting IT and business functions throughout the product. Installing One Identity Manager Data Governance Edition ensures that you have the required modules available.

If you have NetApp or EMC Isilon storage devices with NFS file system protocol enabled and want to add NFS managed hosts to your Data Governance Edition deployment, you must also install the UNIX module.

Data Governance Edition requires the Azure Active Directory and SharePoint Online modules for scanning folders hosted on SharePoint Online or OneDrive for Business host types.

To install One Identity Manager Data Governance Edition:

  1. Run the Autorun.exe program. Open the Installation page and install One Identity Manager Data Governance Edition.
  2. The One Identity Manager Data Governance Edition setup wizard appears. Click Next to start the installation and follow the prompts on the screens.

    Note: To install the UNIX module required for NFS managed hosts:

    1. On the Installation Settings page of the setup wizard, select the Add more modules to the selected edition check box.
    2. On the Module selection page, select Unix under the Target Systems pane.

    NOTE: To install the Azure Active Directory and SharePoint Online modules required for cloud managed hosts:

    1. On the Installation Settings page of the setup wizard, select the Add more modules to the selected edition check box.
    2. On the Module selection page, select Azure Active Directory and SharePoint Online under the Target Systems pane.
    3. On the Assign Machine Roles page, expand Server | Job Server and select Azure Active Directory and O3S.
  3. Once the installation has successfully completed, use the options on the last page of the setup wizard to run the following configuration programs:
    1. Run the Configuration wizard to create and configure the One Identity Manager database.
    2. Run the Job Service Configuration to configure the One Identity Manager service.

      Once the job service configuration is completed, perform the following steps to ensure that the One Identity Manager service (job server) is successfully configured for use with Data Governance Edition.

      1. Run the Windows Services snap-in and locate the One Identity Manager Service.
        1. Double-click to open the properties dialog.
        2. Open the Log On tab and select the This account option. Enter the user account and credentials to be used for the service.
        3. Click Apply and then click OK to close the properties dialog.
      2. Open the Designer.
        1. In the lower pane of the navigation view, select Base Data.
        2. In the Base Data navigation view, select Installation | Job server.
        3. At the bottom of the right pane, select the Server functions tab. Ensure that the following server functions are checked (Double-click a server function to select it.)

          • Active Directory connector
          • CSV connector
          • Data Governance connector
          • Default report server
          • One Identity Manager connector
          • SharePoint connector
          • SMTP host
          • Unix connector (if scanning NFS managed hosts)

          After ensuring these server functions are selected, click the Commit to database toolbar button.

        4. Select the One Identity Manager Service configuration tab (bottom of the right pane). Ensure the job server configuration file previously created is being used.

          • Click the File open toolbar button.
          • Locate and select the JobService.cfg file and click Open.

          After ensuring the correct job server configuration file is being used, click the Commit to database toolbar button.

      3. Run the Services snap-in and start the One Identity Manager Service.
    3. Run the Data Governance Configuration to deploy the Data Governance server and create the Data Governance Resource Activity database. For more information, see Deploy Data Governance Edition components.

      Note: At this point in the process, you can use the Manager to configure Data Governance service accounts and managed domains, add managed hosts and deploy agents. For more information on service accounts and managed domains, see Authentication using service accounts and managed domains. For more information on managed hosts and agents, see Working with managed hosts and agents.

  4. Back on the Installation page of the Autorun, install the Web based components. For more information, see the One Identity Manager Installation Guide.
  5. To get a complete view of your environment, run the One Identity Manager Synchronization Editor to synchronize your target environments (Active Directory and if applicable, SharePoint, UNIX, Azure Active Directory, and SharePoint Online). For more information, see One Identity Manager - Synchronization projects.