Identity Manager Data Governance Edition 8.1.1 - Technical Insight Guide

Set-QManagedHostProperties

Changes the properties of a managed host.

Syntax:

Set-QManagedHostProperties [-ManagedHostId] <String> [[-Keyword] [<String>]] [[-ResourceActivityEnabled] [<Boolean>]] [[-Granularity] [<Int32>]] [[-ScheduleType] [<QAM.Common.Interfaces.ScheduleConfiguration+ScanScheduleTupe>]] [[-ScheduledDays] [<Int32>]] [[-ScheduledTime] [<TimeSpan>]] [[-ScanInterval] [<TimeSpan>]] [[-EnableRemoteFileSystemChangeWatching] [<Boolean>]] [[-PerformImmediateScanOnWatchError] [<Boolean>]] [[-OverrideScanScheduleOnStartup] [<Boolean>]] [[-SupressHostProcess] [<SwitchParameter>]] [-IsManagedResourceHost [<Boolean>]] [<CommonParameters>]

Table 171: Parameters
Parameter Description

ManagedHostId

Specify the ID (GUID format) of the managed host whose properties are to be updated.

Keyword

(Optional) Specify a keyword which can then be displayed and used to group your managed host on the Managed hosts view in the Manager.

ResourceActivityEnabled

(Optional) Set this flag to enable resource activity collection. For example:

-ResourceActivityEnabled 1

Granularity

(Optional) Specify how often (in minutes) you would like to synchronize and aggregate the data. That is, this is the amount of time the agent is to record new activity before sending results to the Data Governance server. The value entered will be changed to a valid aggregation interval, as follows:

  • Values less than 10 minutes will be set to 5 minutes.
  • Values between 10 minutes and 2 hours will be set to 1 hour.
  • Values between 2 hours and 15 hours will be set to 8 hours.
  • Values greater than 15 hours will be set to 1 day.

NOTE: Identical activity generated during this time will be recorded as one activity.

ScheduleType

Specifies the time and frequency with which the agent scans the target computer. Valid values are:

  • DayOfWeek: Use to specify a daily scan schedule. If you specify this value, you must also specify the ScheduledDays and ScheduledTime parameters.
  • Interval: Use to scan the target computer on an hourly interval instead of a daily schedule. If you specify this value, you must also specify the ScanInterval parameter.

NOTE: This parameter is required for remotely scanned managed hosts.

ScheduledDays

If the ScheduleType is set to "DayOfWeek", specify the days you would like the agent to scan the managed host.

The syntax is DayOne for Sunday, DayTwo for Monday, etc. For example, to set a scan schedule for Monday, Wednesday and Friday, you would specify -ScheduledDays DayTwo,DayFour,DaySix.

ScheduledTime

If the ScheduleType is set to "DayOfWeek", specify the time of day when the scan is scheduled to start.

The syntax is hh:mm:ss. For example, to start a scan at 4 a.m., specify -ScheduledTime 4:00:00; for 6 p.m., specify -ScheduledTime 18:00:00.

ScanInterval

If the ScheduleType is set to "Interval", specify the interval (in hours) at which the agent will scan the managed host.

For example, to scan every 4 hours, specify -ScanInterval 4.

EnableRemoteFileSystemChangeWatching

(Optional) Set this flag to enable change watching for remotely scanned managed hosts. For example:

-EnableRemoteFileSystemChangeWatching 1

PerformImmediateScanOnWatchError

(Optional) Set this flag to perform a full scan when the watcher encounters an error. For example:

-PerformImmediateScanOnWatchError 1

OverrideScanScheduleOnStartup

(Optional) Set this flag for a remote managed host when you want the agent to do a full scan when the agent is started or restarted. For example:

-OverrideScanScheduleOnStartup 1

SupressHostProcess

(Optional) Specify this parameter to stop the cmdlet from processing the managed host. That is, you can change a managed host's properties without actually triggering the server to use them right away.

SelectedDataRoots

Specify the managed paths where the agent should start scanning.

A managed path is the root of an NTFS directory tree to be scanned by an agent, or a point in your SharePoint farm hierarchy below which everything is scanned. The agent monitors the specified managed paths for changes to security settings to maintain the security index. In addition, if resource activity collection is enabled, the agent collects resource activity for these same managed paths.

For local managed hosts, all NTFS drives are scanned and monitored by default; however, you can optionally specify the managed paths to be scanned by the agent. When paths are added to this list, only the specified paths are scanned and monitored.

For remote managed hosts, you must specify the paths to be managed in order for scanning to occur. So if you do not specify any managed paths using this parameter, no scanning will occur for the target managed host.

For SharePoint managed hosts, you must specify the paths to be managed in order for scanning to occur. When you select a point in your SharePoint hierarchy as a managed path, new items added below that point are automatically scanned.

IsManagedResourceHost

(Optional) Specify this parameter to change the flag that indicates whether the managed host can be used to host a managed resource (for example, file shares created through the IT Shop self-service request functionality).

Valid values are:

  • $false: Cannot be used to host a managed resource (default)
  • $true: Can be used to host a managed resource

Examples:

Table 172: Examples
Example Description

Set-QManagedHostProperties -ManagedHostId 97dbedb3-6b02-4dbf-afe2-70d6bf51185a -ResourceActivityEnabled 1

Enables resource activity tracking on the specified managed host.

Set-QManagedHostProperties -ManagedHostId d589359a-8c51-4de0-8dcf-6b463793b0bf -SelectedDataRoots "\\2K8R2DJSQL\C$\Test Data"

Defines a single data root.

Set-QManagedHostProperties -ManagedHostId 97dbedb3-6b02-4dbf-afe2-70d6bf51185a -IsManagedResourceHost $true

Enables managed resources for the managed host.
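
The ScheduleType dependencies described in the parameter table (DayOfWeek needs ScheduledDays and ScheduledTime; Interval needs ScanInterval) can be checked before the cmdlet is called, so a remotely scanned host is not left with an incomplete schedule. The following is an added example, not vendor code: New-ScanScheduleArgs is a hypothetical helper, the names DayThree, DayFive and DaySeven are assumed from the "DayOne for Sunday, DayTwo for Monday, etc." pattern, and ScanInterval is passed as whole hours in the form the page's own example uses.

```powershell
# Added example (not vendor code). New-ScanScheduleArgs is a hypothetical helper
# that builds a validated parameter set for Set-QManagedHostProperties.
function New-ScanScheduleArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [guid] $ManagedHostId,   # rejects anything that is not a GUID
        [Parameter(Mandatory)] [ValidateSet('DayOfWeek', 'Interval')] [string] $ScheduleType,
        [System.DayOfWeek[]] $Days,
        [timespan] $Time,
        [int] $IntervalHours
    )
    $bound = $PSBoundParameters
    $splat = @{ ManagedHostId = $ManagedHostId.ToString(); ScheduleType = $ScheduleType }

    if ($ScheduleType -eq 'DayOfWeek') {
        # DayOfWeek requires ScheduledDays and ScheduledTime, and no interval.
        if (-not $bound.ContainsKey('Days') -or $Days.Count -eq 0 -or -not $bound.ContainsKey('Time')) {
            throw 'ScheduleType DayOfWeek requires -Days and -Time.'
        }
        if ($bound.ContainsKey('IntervalHours')) {
            throw '-IntervalHours applies only to ScheduleType Interval.'
        }
        if ($Time -lt [timespan]::Zero -or $Time -ge [timespan]::FromDays(1)) {
            throw '-Time must be a time of day in hh:mm:ss form.'
        }
        # Page convention: DayOne = Sunday, DayTwo = Monday, and so on (assumed through DaySeven).
        $names = 'DayOne', 'DayTwo', 'DayThree', 'DayFour', 'DayFive', 'DaySix', 'DaySeven'
        $splat.ScheduledDays = @($Days | Sort-Object -Unique | ForEach-Object { $names[[int]$_] })
        $splat.ScheduledTime = $Time
    }
    else {
        # Interval requires ScanInterval and ignores the day-of-week settings.
        if (-not $bound.ContainsKey('IntervalHours') -or $IntervalHours -lt 1) {
            throw 'ScheduleType Interval requires -IntervalHours of at least 1.'
        }
        if ($bound.ContainsKey('Days') -or $bound.ContainsKey('Time')) {
            throw '-Days and -Time apply only to ScheduleType DayOfWeek.'
        }
        $splat.ScanInterval = $IntervalHours   # whole hours, as in the page's "-ScanInterval 4"
    }
    $splat
}

# Monday, Wednesday and Friday at 6 p.m., using the host ID from the page's examples.
$scan = New-ScanScheduleArgs -ManagedHostId '97dbedb3-6b02-4dbf-afe2-70d6bf51185a' `
    -ScheduleType DayOfWeek -Days Monday, Wednesday, Friday -Time '18:00:00'
$scan
# Set-QManagedHostProperties @scan   # run in a session where the Data Governance snap-ins are loaded
```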

Set-QManagedHostUpdated

Informs the Data Governance server that the managed host state should be updated.

Syntax:

Set-QManagedHostUpdated [-ManagedHostId] <String> [<CommonParameters>]

Table 173: Parameters
Parameter Description
ManagedHostId

Specify the ID (GUID format) of the managed host whose state should be updated.

Examples:

Table 174: Examples
Example Description

Set-QManagedHostUpdated -ManagedHostId 6834E1A6-B6C5-4508-867A-1E85B7B81578

Updates the managed host specified by the given managed host ID.

Trigger-QDfsSync

By default the Data Governance server synchronizes the DFS structure into the One Identity Manager database every 24 hours. Use this cmdlet to force a DFS synchronization of a DFS managed host, making the DFS path immediately available within the Resource browser.

Syntax:

Trigger-QDfsSync [-ManagedHostId] <String> [<CommonParameters>]

Table 175: Parameters
Parameter Description
ManagedHostId

Specify the ID (GUID format) of the DFS managed host to be synchronized.

NOTE: Run the Get-QManagedHosts cmdlet without any parameters to retrieve a list of available managed hosts and their IDs.

NOTE: To synchronize all DFS managed hosts in your Data Governance Edition deployment, set the -ManagedHostId to All.

Examples:

Table 176: Examples
Example Description

Trigger-QDfsSync -ManagedHostId f9568450-7396-47ed-bfed-e1377946c2af

Forces a synchronization of the specified DFS managed host.

Trigger-QDfsSync -ManagedHostId All

Forces a synchronization of all DFS managed hosts.

Account access management

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

The following commands are available to you to manage account access. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 177: Account access management commands

Use this command

If you want to

Get-QAccountAccess

View where users and groups have access on a managed host.

For more information, see Get-QAccountAccess.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAccessOnHosts

View the resource access for a given account (Domain\SAMAccountName) across all available hosts.

For more information, see Get-QAccountAccessOnHosts.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountActivity

View the activity associated with a user on a managed host.

For more information, see Get-QAccountActivity.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAliases

View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access.

For more information, see Get-QAccountAliases.

Get-QAccountsForHost

View all account access for a specific managed host.

For more information, see Get-QAccountsForHost.

Get-QADAccount

View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.

For more information, see Get-QADAccount.

Get-QGroupMembers

View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource.

For more information, see Get-QGroupMembers.

Get-QIndexedTrustees

View all of the entries from the QAMTrustee table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee.

For more information, see Get-QIndexedTrustees.
