
Identity Manager Data Governance Edition 8.1.4 - Release Notes

Data Governance Edition minimum permissions

The following table contains the permissions required to properly deploy Data Governance Edition.

Table 25: Required minimum permissions

System user (Active Directory account logged on to the computer) AND Manager user (Active Directory account running the Manager)

  • Must have an associated One Identity Manager Employee.
  • Employee must be assigned the Data Governance | Administrators application role or the Data Governance | Access Managers application role.

NOTE: If the System user does not have the appropriate roles assigned, you will see the Data Governance Edition features in the Manager, but will encounter errors when attempting to perform Data Governance Edition-related tasks. If the Manager user does not have the appropriate roles assigned, you will not see the Data Governance Edition features in the Manager.

Service account assigned to a managed domain

  • Log On as a Service local user rights on the Data Governance server.
  • Local Administrator rights on Data Governance agent computers.
  • If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), additional rights are required.

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

SQL service account for connection with the Data Governance Resource Activity database

  • dbcreator server role is required to create the database during initial configuration of Data Governance Edition.
  • db_owner role is required to work with the database.

SQL service account for connection with the One Identity Manager database

  • db_owner role for the One Identity Manager database.

Service account for an agent on Local Windows managed hosts

  • The agent runs under the Local System account. No additional rights are required.

Service account for an agent managing remote Windows managed hosts

  • Local Administrator rights on the managed host.
  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

Service account for an agent managing SharePoint farms

  • Must be the SharePoint farm account (the same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). This account also needs to be a member of the Administrators group on the SharePoint server.
  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Service account for an agent managing NetApp filers

  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
  • Must be a member of the local Administrators group on the NetApp filer in order to create the FPolicy.
  • Must have permissions to access the folders being scanned.

Service account for an agent managing EMC Isilon storage devices

  • Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
  • Must have "run as root" permissions on the Isilon SMB share that has been selected as a managed path.

One Identity Manager service (job server) account used for scheduling Data Governance Edition reports

  • Must have an associated One Identity Manager Employee.
  • Employee must be assigned the Data Governance | Administrators application role or the Data Governance | Access Managers application role.

Active Directory account used by the AppServer to establish communication between the Data Governance server and the Manager

  • Must have an associated One Identity Manager Employee.
  • Employee must be assigned the Data Governance | Administrators and the Data Governance | Access Managers application roles.

NOTE: This account must be added as the AppServer pool identity in Internet Information Services (IIS) Manager. If the AppServer application pool is set to the default Network Security identity, Data Governance Edition reports will fail to generate.
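A pre-flight check for the two rights the table asks of the managed-domain service account on an agent computer (local Administrator membership and the Log On as a Service right). This is an added example, not code from the One Identity release notes; it assumes it is run elevated on the agent computer and that the account is passed in the DOMAIN\name form.

```powershell
# Added example (not from the release notes): confirm that the service account holds
# local Administrator membership and the "Log On as a Service" right on this computer.
param(
    [Parameter(Mandatory)][string]$ServiceAccount   # assumption: 'DOMAIN\svc-dge' form
)

function Get-AccountSid {
    param([string]$Account)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-LocalAdministrator {
    # Direct membership only; a domain group nested inside Administrators is not expanded here.
    param([string]$Sid)
    $members = Get-LocalGroupMember -Group 'Administrators'
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

function Test-LogOnAsService {
    # Reads SeServiceLogonRight from a secedit export; grantees appear as '*SID' or as account names.
    # Rights inherited through group membership are not visible on that line.
    param([string]$Sid, [string]$Account)
    $cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
        if (-not $line) { return $false }
        $grantees = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
        return ($grantees -contains "*$Sid") -or ($grantees -contains $Account)
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$sid = Get-AccountSid -Account $ServiceAccount
[pscustomobject]@{
    Account            = $ServiceAccount
    LocalAdministrator = Test-LocalAdministrator -Sid $sid
    LogOnAsService     = Test-LogOnAsService -Sid $sid -Account $ServiceAccount
}
```

Because the agent deployment grants Log On as a Service automatically, a False result for that column on an already-deployed agent host points at a policy (GPO) that is overriding the local grant.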

Data Governance Edition required ports

Note: For agent deployments, open the following file and printer sharing ports:

  • TCP 135
  • UDP 137
  • UDP 138
  • TCP 139
  • TCP 445
Table 26: Ports required for communication

8721 (Incoming)
TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.

8722 (Incoming)
TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, the One Identity Manager web server, and PowerShell.

NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above should always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you only change this port using the Data Governance Configuration wizard to ensure the configuration file, One Identity Manager database and service connection points are updated properly; otherwise, you may lose connection with the Manager, the Data Governance service and/or Data Governance agents.

IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

8723 (Incoming)
HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).

18530 - 18630 (Incoming)
TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host will use port 18530, and each subsequent agent on the same host will take the next available port, i.e., 18531, 18532, and so on.) In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
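A verification script for the port table above: it checks that the Data Governance server is listening on the three base ports, that an enabled inbound TCP allow rule covers each of them, and that the HTTP port is exactly one less than the net.tcp port; optionally it probes port 18530 on agent hosts. This is an added example, not code from the release notes; it assumes it runs elevated on the Data Governance server with the built-in NetSecurity and NetTCPIP modules, and that $NetTcpPort is the value set in the Configuration wizard.

```powershell
# Added example (not from the release notes): verify Table 26 on a Data Governance server.
param(
    [int]$NetTcpPort = 8722,       # assumption: value set in the Data Governance Configuration wizard
    [string[]]$AgentHosts = @()    # assumption: agent computers to probe, e.g. 'fs01.corp.example'
)
$HttpPort = $NetTcpPort - 1        # rule from the release notes: HTTP port = net.tcp port - 1
$WebPort  = 8723                   # /landing and /home pages for the web server

function Test-PortCovered {
    # $Spec is a firewall rule's LocalPort list: entries such as '8721', '18530-18630' or 'Any'.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

function Test-InboundAllowRule {
    # True if some enabled inbound TCP allow rule covers $Port.
    param([int]$Port)
    foreach ($r in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (Test-PortCovered -Spec $pf.LocalPort -Port $Port)) { return $true }
    }
    return $false
}

function Test-LocalListener {
    param([int]$Port)
    $null -ne (Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
}

# Server-side checks: a listener and an inbound allow rule for each base port.
$checks = @(
    @{ Name = "REST API (HTTP) $HttpPort"; Port = $HttpPort },
    @{ Name = "net.tcp $NetTcpPort";       Port = $NetTcpPort },
    @{ Name = "web pages $WebPort";        Port = $WebPort }
)
foreach ($c in $checks) {
    $listen = Test-LocalListener -Port $c.Port
    $allow  = Test-InboundAllowRule -Port $c.Port
    '{0,-24} listening={1,-5} inbound-allow={2}' -f $c.Name, $listen, $allow
}

# Agent-side check from the server: the first agent on a host listens on 18530.
foreach ($h in $AgentHosts) {
    $ok = Test-NetConnection -ComputerName $h -Port 18530 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-24} agent port 18530 reachable={1}' -f $h, $ok
}
```

If the HTTP listener is missing while the net.tcp one is present, the two base addresses in DataGovernanceEdition.Service.exe.config have drifted apart; correct that through the Configuration wizard rather than by editing the file or the QAMServer parameters by hand.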

Product licensing

Use of this software is governed by the Software Transaction Agreement found at www.oneidentity.com/legal/sta.aspx. This software does not require an activation or license key to operate.

Upgrade and installation instructions

One Identity Manager and Data Governance Edition must be running the same version. Use the installation and configuration wizards to perform a new install or to upgrade from a previous version of Data Governance Edition.
