
Identity Manager Data Governance Edition 8.1.1 - Technical Insight Guide


Agent files

This table lists the files created when a Data Governance agent is deployed. All files associated with each agent instance are located in subdirectories of the agent installation folder.

  • Local agent files are stored in %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_LocalHost

  • Remote agent files are stored in %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_<FQDN of managed host>
  • SharePoint Farm agent files are stored in %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_Sharepoint

    NOTE: For multi-agent SharePoint managed hosts, a number is appended to the end of the directory name.

    Example: DGE_DEFAULT_Sharepoint_1, DGE_DEFAULT_Sharepoint_2, DGE_DEFAULT_Sharepoint_3, and so on.

  • SharePoint Online agent files are stored in %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_SharePointOnline_<Office 365 Host>
  • OneDrive for Business agent files are stored in %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_OneDriveBusiness_<Office 365 Host>
Table 6: Agent files

File name: DataGovernance.Agent.exe.dlog
File type: Trace Log Document
Purpose: Agent log file. Double-click to display the Log Viewer to view the log.

File name: dlog.config
File type: XML document
Purpose: Configuration settings for the agent log file.

File name: server.config.xml
File type: XML document
Purpose: Current agent configuration settings from the Data Governance server. This file is an output of the configuration from the Data Governance server. It is overwritten upon each configuration from the server.

NOTE: Do not edit this file.

File name: *.sqlite*
File type: SQLite file
Purpose: SQLite database files are used for temporarily storing resource access, security and, if enabled, resource activity:

  • ResourceAccessSync_*: Keeps track of what the agent has already synchronized with the Data Governance server.
  • ResourceActivityStore_*: Stores activity data for various host types.
  • ResourceSecurityStore_*: Stores scan data for various host types: SharePoint, NTFS, NFS and Cloud.
  • ResourceSecurityStore_Service Identities: Stores scan data for service logon accounts for Windows hosts.
  • ResourceSecurityStore_WindowsComputer: Stores shares, local users and groups, and local rights for hosts which have an Active Directory computer object and for SharePoint.

NOTE: All of the *.sqlite* files are maintained by the agent process and are required for proper functionality. Do not attempt to view, edit, rename, move or delete any of these files.

In addition to the above-mentioned agent files, the DataGovernance.Agent.exe.config file is stored in the Agent Services directory. This file contains agent configuration settings that cannot be applied using the Manager. Any changes made to this configuration file will apply to all agent instances running on the host. For more information on the agent configuration settings that can be changed, see Data Governance agent configuration file settings.
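The folder naming convention and the per-instance file set above are easy to check mechanically on an agent host. The following Python script is an added example, not One Identity code: it classifies instance folder names by the DGE_<DeploymentName>_... convention described above and reports which of the Table 6 files (the .dlog log, dlog.config, server.config.xml and at least one ResourceAccessSync_/ResourceActivityStore_/ResourceSecurityStore_ SQLite store) are missing from each folder. It assumes the deployment name contains no underscore; the SAMPLE folder tree is constructed for illustration, and scan_agent_services() builds the same report from a real Agent Services path.

```python
"""Inventory of Data Governance agent instance folders (added example).

Not One Identity code. Classifies instance folder names by the convention
DGE_<DeploymentName>_LocalHost, DGE_<DeploymentName>_<FQDN>,
DGE_<DeploymentName>_Sharepoint[_N], DGE_<DeploymentName>_SharePointOnline_<host>,
DGE_<DeploymentName>_OneDriveBusiness_<host>, and reports missing Table 6 files.
Assumption: the deployment name itself contains no underscore.
"""
import re
from pathlib import Path

# Fixed file names from Table 6; the SQLite stores are matched by prefix.
REQUIRED_FILES = ("DataGovernance.Agent.exe.dlog", "dlog.config", "server.config.xml")
SQLITE_PREFIXES = ("ResourceAccessSync_", "ResourceActivityStore_", "ResourceSecurityStore_")

INSTANCE_RE = re.compile(r"^DGE_(?P<deployment>[^_]+)_(?P<rest>.+)$")


def classify_instance(dirname):
    """Return (deployment, kind, target) for an instance folder name, or None."""
    m = INSTANCE_RE.match(dirname)
    if not m:
        return None
    deployment, rest = m.group("deployment"), m.group("rest")
    if rest == "LocalHost":
        return (deployment, "local", None)
    farm = re.fullmatch(r"Sharepoint(?:_(\d+))?", rest)
    if farm:  # multi-agent farms get _1, _2, ... appended to the folder name
        return (deployment, "sharepoint-farm", int(farm.group(1)) if farm.group(1) else None)
    for prefix, kind in (("SharePointOnline_", "sharepoint-online"),
                         ("OneDriveBusiness_", "onedrive-business")):
        if rest.startswith(prefix):
            return (deployment, kind, rest[len(prefix):])
    return (deployment, "remote", rest)  # anything else is the managed host FQDN


def check_instance_files(filenames):
    """List the Table 6 files that are absent from an instance folder."""
    present = set(filenames)
    missing = [f for f in REQUIRED_FILES if f not in present]
    if not any(f.startswith(SQLITE_PREFIXES) and ".sqlite" in f for f in filenames):
        missing.append("*.sqlite*")
    return missing


def inventory(instances):
    """instances: {folder_name: [file_name, ...]} -> per-folder report dict."""
    report = {}
    for name, files in instances.items():
        info = classify_instance(name)
        report[name] = {
            "deployment": info[0] if info else None,
            "kind": info[1] if info else "unrecognized",
            "target": info[2] if info else None,
            "missing": check_instance_files(files),
        }
    return report


def scan_agent_services(root):
    """Build the same report from a real Agent Services directory path."""
    root = Path(root)
    return inventory({d.name: [f.name for f in d.iterdir() if f.is_file()]
                      for d in root.iterdir() if d.is_dir()})


# Constructed sample tree; no agent host was read to produce it.
SAMPLE = {
    "DGE_DEFAULT_LocalHost": [
        "DataGovernance.Agent.exe.dlog", "dlog.config", "server.config.xml",
        "ResourceAccessSync_NTFS.sqlite", "ResourceSecurityStore_NTFS.sqlite"],
    "DGE_DEFAULT_fs01.corp.example.com": [
        "DataGovernance.Agent.exe.dlog", "dlog.config", "server.config.xml",
        "ResourceSecurityStore_WindowsComputer.sqlite"],
    "DGE_DEFAULT_Sharepoint_2": ["DataGovernance.Agent.exe.dlog", "dlog.config"],
    "DGE_DEFAULT_SharePointOnline_contoso.sharepoint.com": [
        "DataGovernance.Agent.exe.dlog", "dlog.config", "server.config.xml",
        "ResourceSecurityStore_Cloud.sqlite"],
    "DGE_DEFAULT_OneDriveBusiness_contoso-my.sharepoint.com": [
        "DataGovernance.Agent.exe.dlog", "dlog.config", "server.config.xml",
        "ResourceSecurityStore_Cloud.sqlite"],
    "leftover_folder": [],
}

if __name__ == "__main__":
    for name, row in inventory(SAMPLE).items():
        status = "ok" if not row["missing"] else "missing " + ", ".join(row["missing"])
        print(f"{name}: {row['kind']} {row['target'] or ''} -> {status}")
```

On a real host, call scan_agent_services(r"C:\Program Files\One Identity\One Identity Manager Data Governance Edition\Agent Services") and review the "missing" entries; a folder reported as "unrecognized" is not an agent instance created by the deployment and is worth investigating before the next agent upgrade.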

Data Governance agent configuration

Data Governance agent configuration values are stored in one of the following places:

  • Agents receive settings from the Data Governance service, and these settings can be viewed in the server.config.xml file in the agent instance folder under the Agent Services directory in the agent's installation directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\<Agent instance>.

    NOTE: This file is an output of the configuration from the Data Governance server and is overwritten upon each configuration from the server. Do NOT edit this file.
  • All agents on a managed host also contain settings stored in the DataGovernance.Agent.exe.config file in the Agent Services directory in the agent's installation directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services.

    NOTE: The DataGovernance.Agent.exe.config file only contains settings that are NOT available through the Manager. Any changes made to this configuration file will apply to all agent instances running on the host. For more information on the Data Governance agent configuration file settings that can be configured in the DataGovernance.Agent.exe config file, see Configurable configuration file settings.

NOTE: With the new agent architecture implemented in Data Governance Edition version 7.0.2, the DataGovernance.Agent.exe.config file contains a subset of the settings provided in the legacy agent. This is because the Data Governance server configuration is applied BEFORE this file. So this file now only contains settings that are NOT available through the Manager, to ensure agent defaults are not overridden. Also, the legacy agent registry key settings are no longer available for configuration purposes.

Resource activity collection in Data Governance Edition

Resource activity collection recap:

  • Collecting resource activity is supported for local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts. Resource activity collection is not supported for Windows Cluster/Remote Windows Computer, Generic or Cloud managed hosts.
  • Collects data for resources in the folders that are specified on the Managed Paths page of the Managed Hosts Settings dialog.

  • Collects data on identities, security changes, creates, deletes, renames, writes, and reads on resources.

    Note: Read operations are disabled by default for all managed hosts. To enable read operations on a managed host:

    1. Open the Manager.
    2. In the Navigation view, select Data Governance | Managed hosts.
    3. Select the required managed host from the Managed hosts view.
    4. Select Edit host settings from the Tasks view or right-click menu.
    5. Open the Resource Activity page.
    6. Select the Read check box.
    7. Click OK to save your selections and close the Managed Host Settings dialog.
  • Data Governance Edition is NOT an auditing tool:
    • It captures the account who performed the action.
    • It does NOT capture where the action was generated from (for example, IP Address).
    • It does NOT store the "from" and "to" values; only that a certain action was performed on some resource by someone.
    • It does NOT store the exact times the action was performed.

      Note: Activity is stored in "time spans". Aggregation levels control how much data is stored.

      For example, Bill opens a spreadsheet on a file server at 1:05 pm. He saves it five times in the next 45 minutes and then closes it. The aggregation level for managed host is set to one hour. When the aggregation window closes, there will be three entries sent to the Resource Activity database:

      • One entry for the "open" action
      • One entry for the "save" action (with a count of 5)
      • One entry for the "close" action

      The entries will show that the action occurred between 1:00 pm and 2:00 pm, but there will be no indication of when specifically within that hour the action took place.

  • Resource activity collection and aggregation are disabled by default and can be enabled on a per-managed-host basis using the Resource Activity page on the Managed Host Settings dialog.
  • When resource activity collection is enabled, certain well-known system accounts, file extensions, and folders are excluded by default. For each managed host, you can modify what is excluded from resource activity collection using the Resource Activity page on the Managed Host Settings dialog.

    Note: The agent always filters out activity generated by the agent service account, regardless of whether the service account is specified in the Resource Activity Exclusions. This applies to all local and remote managed hosts; however, the agent service account for SharePoint managed hosts is not excluded by default. You will need to add the SharePoint service account manually for SharePoint managed hosts.

  • Aggregated activity data forwarded by the Data Governance agents or harvested from Change Auditor is stored in a central database, the Data Governance Resource Activity database. Only the Data Governance service interacts with this database.
  • The Data Governance server periodically retrieves resource activity summary information to calculate perceived ownership suggestions for resources under governance.
  • If you are collecting resource activity, set up a scheduled execution of the activity database compression utility to ensure your Resource Activity database remains manageable. For more information, see Scheduling activity compression and deletion.
  • Reports that use resource activity information include:
    • Resource Activity
    • Account Activity
    • Interesting Resources without an Owner
    • Data Owners vs. Perceived Owners
    • Perceived Owners for Data Under Governance
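The aggregation behaviour described in the recap (actions bucketed into time spans with a count and no exact timestamp, reads dropped unless enabled, the agent service account and the configured exclusions filtered out) can be modelled directly. The Python below is an added example, not One Identity code: it replays the guide's scenario of Bill opening a spreadsheet at 1:05 pm, saving it five times in 45 minutes and closing it, with a one-hour aggregation level, and shows the three entries that result. The event record shape, the HostSettings field names and the sample accounts, paths and service account name are assumptions constructed for the example.

```python
"""Model of resource activity aggregation into time spans (added example).

Not One Identity code. Event shape, settings field names and sample values
are constructed for illustration of the behaviour the guide describes.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Activity:
    """One raw event seen by the agent (constructed shape, not the agent's)."""
    account: str
    resource: str
    action: str          # open, write, close, read, delete, rename, security-change ...
    when: datetime


@dataclass
class HostSettings:
    """Per-managed-host settings from the Resource Activity page (assumed names)."""
    aggregation: timedelta = timedelta(hours=1)
    collect_reads: bool = False                      # reads are disabled by default
    service_account: str = "CORP\\svc-dge"           # always excluded (constructed name)
    excluded_accounts: tuple = ("NT AUTHORITY\\SYSTEM",)
    excluded_extensions: tuple = (".tmp", ".lnk")
    excluded_folders: tuple = ("\\\\fs01\\share\\Temp\\",)


def window_start(when, aggregation):
    """Floor a timestamp to the start of its aggregation window."""
    epoch = datetime(1970, 1, 1)
    return when - ((when - epoch) % aggregation)


def is_excluded(event, settings):
    """Apply the default agent filters: service account, exclusions, reads."""
    accounts = {a.lower() for a in (settings.service_account, *settings.excluded_accounts)}
    if event.account.lower() in accounts:
        return True
    if event.action == "read" and not settings.collect_reads:
        return True
    resource = event.resource.lower()
    if resource.endswith(tuple(e.lower() for e in settings.excluded_extensions)):
        return True
    return resource.startswith(tuple(f.lower() for f in settings.excluded_folders))


def aggregate(events, settings):
    """Collapse raw events to {(window_start, account, resource, action): count}.

    The exact event times are discarded; only the window and the count survive,
    which is why Data Governance Edition is not an auditing tool.
    """
    counts = Counter()
    for ev in events:
        if is_excluded(ev, settings):
            continue
        counts[(window_start(ev.when, settings.aggregation), ev.account, ev.resource, ev.action)] += 1
    return counts


def summarize(counts):
    """Flatten to sorted (window ISO string, account, action, count) rows for reporting."""
    return sorted((w.isoformat(), acct, act, n) for (w, acct, _res, act), n in counts.items())


def bill_example(settings=None):
    """The guide's scenario: open at 1:05 pm, five saves in 45 minutes, then close."""
    settings = settings if settings is not None else HostSettings()
    acct, xlsx = "CORP\\bill", "\\\\fs01\\share\\Finance\\budget.xlsx"   # constructed
    t0 = datetime(2024, 5, 14, 13, 5)
    events = [Activity(acct, xlsx, "open", t0)]
    events += [Activity(acct, xlsx, "write", t0 + timedelta(minutes=9 * i)) for i in range(1, 6)]
    events.append(Activity(acct, xlsx, "close", t0 + timedelta(minutes=45)))
    # Noise the agent drops by default: a read, the agent's own scan, a .tmp, an excluded folder.
    events.append(Activity(acct, "\\\\fs01\\share\\Finance\\q1.docx", "read", t0 + timedelta(minutes=3)))
    events.append(Activity("CORP\\svc-dge", xlsx, "read", t0))
    events.append(Activity(acct, "\\\\fs01\\share\\Finance\\~budget.tmp", "write", t0))
    events.append(Activity(acct, "\\\\fs01\\share\\Temp\\scratch.txt", "write", t0))
    return aggregate(events, settings)


if __name__ == "__main__":
    for window, account, action, count in summarize(bill_example()):
        print(f"{window}  {account:12} {action:6} x{count}")
```

Running it prints three rows, all stamped with the 13:00 window: open x1, write x5, close x1. Passing HostSettings(collect_reads=True) adds a fourth row for Bill's read, while the service account's own read stays filtered whatever the setting, matching the note above about the agent service account.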
Related Topics

Resource Activity database maintenance

Verifying resource activity is making it to the Resource Activity database

Resource Activity database maintenance

The Resource Activity database stores resource activity information. To ensure that activity data remains manageable and usable, you need to control the growth of activity in this database. Data Governance Edition provides the following ways to control the size of the Resource Activity database:
