
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Deploy Data Governance Edition components

Deployment pre-flight check

Data Governance service deployment methods

Deploying Data Governance service and creating Resource Activity database

Deploying multiple Data Governance services

Updating One Identity Manager to a Data Governance Edition deployment

Deployment pre-flight check

Prior to deploying the Data Governance Edition components, including the Data Governance service and Resource Activity database:

Data Governance service deployment methods

This table lists the methods that can be used to deploy Data Governance Edition components, including the Data Governance service and Resource Activity database.

Table 12: Data Governance service deployment methods
Deployment method | Description | Notes/Additional information
Data Governance Configuration wizard

The recommended method for deploying the Data Governance service and Data Governance Resource Activity database.

The wizard can be accessed using the following methods:

  • On the last page of the One Identity Manager setup wizard, click the Run button to the left of the Data Governance Configuration option.
  • Select the %ProgramFiles%\One Identity\One Identity Manager\Data Governance Configuration Wizard.exe file. Ensure that you right-click and Run as administrator.

Running the Data Governance Configuration wizard:

  • launches the Data Governance service installer
  • configures the Data Governance service
  • establishes the required connections between the Data Governance service and One Identity Manager
  • initializes the Data Governance Resource Activity database

For more information on using the Data Governance Configuration wizard, see Deploying Data Governance service and creating Resource Activity database.

Windows Installer

Use to manually install the Data Governance service.

Use this method to install the Data Governance service to a location other than the default directory.

Once installed, use the following PowerShell cmdlets in the OneIdentity.DataGovernance snap-in to manually configure and initialize the Data Governance Edition components:

  • Set-QServiceConnection: To set the server name and port information used by the Data Governance Edition commands to connect to the Data Governance server.
  • Initialize-QDataGovernanceServer: To establish the database connection between One Identity Manager and Data Governance Edition.
  • Initialize-QDataGovernanceActivity: To initialize the database to store data generated when a managed host has resource activity tracking enabled.
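As an added example (not from the One Identity guide), the following Windows PowerShell check confirms that the OneIdentity.DataGovernance snap-in is registered and that the three cmdlets above are available before a manual configuration is attempted, and prints each cmdlet's syntax from the product's own help rather than assuming parameter names. It assumes the snap-in registers under the name OneIdentity.DataGovernance exactly as written above and that it is run in Windows PowerShell, since the snap-in model is not available in PowerShell 7.

```powershell
# Added example, not One Identity code: verify the Data Governance snap-in and
# its configuration cmdlets are usable in this session before manual setup.
# Assumption: the snap-in is registered as 'OneIdentity.DataGovernance'.
$snapinName      = 'OneIdentity.DataGovernance'
$requiredCmdlets = 'Set-QServiceConnection',
                   'Initialize-QDataGovernanceServer',
                   'Initialize-QDataGovernanceActivity'

# Load the snap-in if it is registered on this host but not yet in the session
if (-not (Get-PSSnapin -Name $snapinName -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name $snapinName -ErrorAction SilentlyContinue) {
        Add-PSSnapin -Name $snapinName
    } else {
        throw "Snap-in '$snapinName' is not registered; install the Data Governance server components first."
    }
}

# Fail early if any of the three cmdlets the guide relies on is missing
$missing = $requiredCmdlets | Where-Object { -not (Get-Command -Name $_ -ErrorAction SilentlyContinue) }
if ($missing) {
    throw "Missing cmdlets: $($missing -join ', ')"
}

# Show the real parameter sets from the installed help instead of guessing them
foreach ($cmdlet in $requiredCmdlets) {
    Get-Command -Name $cmdlet -Syntax
}
```

Run this from an elevated Windows PowerShell prompt on the server where the Data Governance service msi was installed; the syntax output is the authoritative source for the parameters to pass in the manual configuration steps.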

The Data Governance service installer is included in the autorun and can be found in the QAM module's directory. For example, C:\<DGE Build>\Modules\QAM\dvd\DataGovernance_ServerComponentsInstaller_x64.msi.

Only a 64-bit version is available.

For more information on the Windows Installer options available and instructions on manually deploying the Data Governance service, see the One Identity Manager Data Governance Edition Technical Insight Guide.

For more information on using Windows PowerShell to manage your Data Governance Edition deployment, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Deploying Data Governance service and creating Resource Activity database

Using the Data Governance Configuration wizard is the recommended method for deploying and configuring the Data Governance service and creating the Data Governance Resource Activity database.

Important: When you follow the steps outlined in the Deployment overview and run the Data Governance Configuration wizard before you run the One Identity Manager Synchronization Editor, the Data Governance service will perform the following tasks allowing you to add managed hosts and deploy agents:

  • automatically harvest forest topology to populate the appropriate One Identity Manager Active Directory (ADS) components in the Manager with all of the domains and all of the enabled 'server' computer objects, including NetApp and EMC servers.
  • automatically create One Identity Manager Employee records for all members found in each domain's Domain Admins group membership, including linking the Active Directory accounts to the employees and assigning the Data Governance application roles and target system role.
  • automatically create a One Identity Manager Employee record for the current user account that was used to run the configuration wizard, including linking the Active Directory account to the employee and assigning the Data Governance application roles and the target system role in each domain found during the forest topology harvest.

However, if you run the One Identity Manager Synchronization Editor prior to running the Data Governance Configuration wizard, the Data Governance service will NOT perform the automated steps mentioned above. This means that you must wait for the Active Directory synchronization process to finish each domain project before you can configure Employee records and assign One Identity Manager application roles, configure Data Governance service accounts and managed domains, and add managed hosts and deploy agents.

Note: The following procedure details installing the Data Governance service to a default location. However, if required, you can install the service to another location by running the Data Governance server msi. For more information, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Installing the service with the msi must be done before running the Data Governance Configuration wizard so that the service is available for the Connect to the existing Data Governance service option.

To deploy a new Data Governance service and resource activity database

  1. Run the Data Governance Configuration wizard using one of the following methods:

    • If you still have the One Identity Manager Data Governance Edition setup wizard open, click the Run button to the left of the Data Governance Configuration option on the last page of the wizard.
    • Otherwise, locate and select the Data Governance Configuration Wizard.exe file, which is located in the %ProgramFiles%\One Identity\One Identity Manager\ directory. Ensure you right-click and select Run as Administrator.
  2. Read the Configuration wizard welcome page and click Next.
  3. On the One Identity Manager database page, specify the information required to connect to the One Identity Manager database.

    1. Server: Select the server where the One Identity Manager database is installed.
    2. Windows authentication: If you selected Windows authentication for the One Identity Manager database, select this check box. If you selected SQL authentication for the One Identity Manager database, make sure this check box is cleared.
    3. User: Enter the user account to be used to access the One Identity Manager database server.
    4. Password: Enter the password associated with the user account.
    5. Database: Select the One Identity Manager database.

    Click Next.

  4. On the Data Governance Edition Configuration page, select Install or Upgrade the Data Governance service and provide the following information:

    1. Server: Enter the fully qualified domain name of the server where the Data Governance service will be installed.
    2. Port: This field displays the net.tcp port opened on the Data Governance server computer. In a new Data Governance Edition deployment, the default net.tcp port is 8722. To change this value, enter the port number to be used to communicate with the Data Governance service.

      NOTE: The HTTP port is tied to the net.tcp port: it is automatically set to the port specified here minus 1. The HTTP port is used by the Data Governance agents if WCF fails.
    3. Deployment: This field displays the deployment name assigned to the Data Governance Edition deployment. In a new Data Governance Edition deployment, the default deployment name is DEFAULT.

      To change this value, enter the name to be associated with this deployment of Data Governance Edition. The deployment name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

      NOTE: The deployment name is also used in the Data Governance Resource Activity database name (that is, DGE_<DeploymentName>) and that name also has a limit of 30 characters. So, if you specify a 30 character deployment name, the new activity database name will only use <DeploymentName>.

      NOTE: When deploying multiple Data Governance Edition deployments in a forest, specify a different server for the Data Governance service and a unique deployment name for each deployment. For more information, see Deploying multiple Data Governance services.

    Leave the Add the current user to the One Identity Manager Employees with Data Governance application roles check box selected. The Data Governance service automatically assigns the current user account the Data Governance application roles and target system role in each domain found during the forest topology harvest.

    NOTE: The Data Governance service obeys the current One Identity Manager "Edit Configuration Parameters"\TargetSystem\ADS\PersonExcludeList, which by default is:

    ADMINISTRATOR | GUEST | KRBTGT | TSINTERNETUSER | IUSR_.* | IWAM_.* | SUPPORT_.* |.*\$

    This means that ANY Active Directory account whose sAMAccountName matches any of the names specified in this exclude list, including 'administrator', will not be added as a One Identity Manager Employee with the assigned Data Governance application roles, even if the current user running the configuration wizard is the administrator account.

    Click Next.

  5. In the Service Account Setting dialog, specify the account to be used to run the Data Governance service.

    1. When SQL authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is cleared on the One Identity Manager database page):

      • The Use LocalSystem account check box is selected by default indicating the local system account will be used to run the Data Governance service.
      • To use a service account other than the local system account, clear the Use LocalSystem account check box and enter the Windows credentials of the service account to be used.

        NOTE: If you specify a service account, you must move the Service Principal Name (SPN) from the computer object. For more information, see Move Service Principal Name in Active Directory.
    2. When Windows authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is selected on the One Identity Manager database page):

      • The Use LocalSystem account check box is disabled and you must enter the Windows credentials of the service account to be used.

    After specifying the account to be used for the Data Governance service, click OK.

  6. Wait for the installation process to complete, then click Finish to close the Data Governance server installation dialog.

  7. On the Data Governance activity database server - Create connection page, enter the connection information for the server where the Data Governance Resource Activity database will be created:
    1. Server: Select the server where the Data Governance Resource Activity database is to be created.
    2. Windows Authentication: If you selected Windows authentication for the One Identity Manager database authentication method, enter the Windows credentials for the account that will run the Data Governance service.

      NOTE: If you selected SQL server authentication for the One Identity Manager database authentication method, use SQL authentication here as well. If you selected Windows authentication for the One Identity Manager database authentication method, you can select either SQL authentication or Windows authentication for the resource activity database.
    3. User: Enter the user account to be used to access the Data Governance Resource Activity database server.
    4. Password: Enter the password associated with the user account.

    Click Next.

  8. On the Data Governance activity database server - Database Properties page, click Next to accept the default database name under which the schema for the Data Governance Resource Activity database will be created, and to accept the default database options.

    The Database name field is pre-populated with DGE_<DeploymentName>, where <DeploymentName> is the name assigned to the Data Governance Edition deployment on the previous wizard page. If the total length of the activity database name would exceed 30 characters, the default activity database name uses only <DeploymentName>.

    To change the name, enter the new name to be assigned to the database. The database name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

    IMPORTANT: When installing multiple Data Governance Edition deployments in the same forest, ensure that each deployment is connecting to a database with a unique name. Do NOT connect a new deployment to an existing database.
  9. Once the installation and configuration have completed, click Next.
  10. Click Finish to close the Data Governance Configuration wizard.
  11. If applicable, click Finish to close the One Identity Manager setup wizard.
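The wizard's input rules described in steps 4 and 8 (deployment name length and character set, the DGE_<DeploymentName> activity database name with its 30-character fallback, the HTTP port being the net.tcp port minus 1, and the TargetSystem\ADS\PersonExcludeList default) can be checked before the wizard is run, so that a rejected name or an unexpectedly excluded administrator account is caught up front. The following Windows PowerShell functions are an added example written for this guide and are not One Identity code; the function names, the sample deployment name CORP_DGE_PROD and the sample account names are constructed for illustration.

```powershell
# Added example, not One Identity code: pre-flight checks for the values the
# Data Governance Configuration wizard asks for, built only from the rules the
# guide states. Function names and sample values are constructed.

function Test-DgeDeploymentName {
    param([Parameter(Mandatory)][string]$Name)
    # Required; at most 30 characters; alphanumerics and underscores only, no spaces
    return ($Name.Length -ge 1 -and $Name.Length -le 30 -and $Name -match '^[A-Za-z0-9_]+$')
}

function Get-DgeActivityDatabaseName {
    param([Parameter(Mandatory)][string]$DeploymentName)
    # The wizard pre-populates DGE_<DeploymentName>; when that would exceed the
    # 30-character database name limit it falls back to <DeploymentName> alone.
    $candidate = "DGE_$DeploymentName"
    if ($candidate.Length -gt 30) { return $DeploymentName }
    return $candidate
}

function Get-DgeHttpPort {
    param([Parameter(Mandatory)][int]$NetTcpPort)
    # Agents fall back to HTTP on the net.tcp port minus one when WCF fails
    return $NetTcpPort - 1
}

function Test-DgePersonExcluded {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Default value of "Edit Configuration Parameters"\TargetSystem\ADS\PersonExcludeList
        [string]$ExcludeList = 'ADMINISTRATOR | GUEST | KRBTGT | TSINTERNETUSER | IUSR_.* | IWAM_.* | SUPPORT_.* |.*\$'
    )
    # Each |-separated entry is a regular expression; an account is excluded when
    # its whole sAMAccountName matches one of them (case-insensitively).
    foreach ($entry in ($ExcludeList -split '\|')) {
        $pattern = $entry.Trim()
        if ($pattern -and $SamAccountName -imatch "^(?:$pattern)$") { return $true }
    }
    return $false
}

# Worked run with constructed values
$deployment = 'CORP_DGE_PROD'
if (-not (Test-DgeDeploymentName -Name $deployment)) {
    throw "Deployment name '$deployment' violates the wizard's naming rules."
}
"Activity database name : $(Get-DgeActivityDatabaseName -DeploymentName $deployment)"
"HTTP fallback port     : $(Get-DgeHttpPort -NetTcpPort 8722)"

# Accounts that the wizard will skip when creating Employee records
foreach ($account in 'Administrator', 'jdoe', 'IUSR_WEB01', 'FILESRV01$') {
    $state = if (Test-DgePersonExcluded -SamAccountName $account) { 'excluded' } else { 'eligible' }
    "$account : $state"
}

# Warn if the account about to run the wizard would itself be excluded
if (Test-DgePersonExcluded -SamAccountName $env:USERNAME) {
    Write-Warning "'$env:USERNAME' matches PersonExcludeList; the wizard will not create an Employee for it."
}
```

Run the script as the account that will launch the wizard: if it warns that the account is excluded, the Add the current user to the One Identity Manager Employees with Data Governance application roles option in step 4 will not produce an Employee record for it, and a non-excluded account should be used instead.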

Before you can gather information on the data in your environment, perform the necessary post-installation configuration tasks. For more information, see Post installation configuration.
