Identity Manager Data Governance Edition 8.2 - Release Notes

If you use the MSIExec.exe command to install the Data Governance server to a non-default location, you will be required to perform future upgrades to the server in the same manner. If the installation path is not specified when the upgrade is performed, the custom installation is removed and the new version is installed to the default location of %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition.

Upgrading the Data Governance server reverts the "run as" of the server service to Local System. The service must be reinstalled running as the previously configured account.

To resolve this issue, when installing the new version of the Data Governance server, leave the installer Retry/Cancel dialog open when prompted, run the Service Control Manager, and switch the account on the Data Governance server from local system back to the original service account. Then click Retry in the installer dialog, and the installation should complete successfully.

The Data Governance Configuration wizard is not detecting the existing Resource Activity database name. If you are not using the default name for your Resource Activity database, on an upgrade you must enter the "custom" database name on the Data Governance activity database page of the Data Governance Configuration wizard.

If a volume is mounted as a drive letter and as a folder path, and changes are made through the folder path - the Activity reports show the drive letter as the path for activity.

The SharePoint system account will be automatically filtered from resource activity.

When you restart a NetApp filer, the Data Governance agents scanning that filer must also be restarted as they do not automatically register the required FPolicy.

EMC VNX activity collection is not supported for devices with multiple CIFS exposed virtual data movers.

EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.

If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition.

The SharePoint account SHAREPOINT\system displays in Account access as NULL SID.

In the Group Memberships tab, the location for SharePoint groups displays the URL instead of the friendly path for the group.

In the Accounts view, renamed SharePoint groups do not show the new name after a rescan.

When creating a new site collection on a farm where the SharePoint Auditing farm solution is enabled, you may see an error indicating that the farm solution is already activated. If this occurs, re-create the site collection.

Exceptions occur during security index scans if web app policy denies rights to a farm account, even if the web app is not a selected security index root.

Once data is placed under governance, a user or group's Limited access permission will be changed to the AllowRead permission.

Retrieval of security for SharePoint hidden lists (such as Converted Forms) through Data Governance Edition may incorrectly list the security for its parent folder regardless of inheritance.

For SharePoint 2010 farms, you may need to wait several minutes during agent install before managed paths can be successfully configured.

For SharePoint 2010, initial scans do not occur as expected if there is a delay in setting dataroots for newly deployed managed hosts.

Workaround: Wait for the scan schedule to lapse or restart the agent.

SharePoint and Windows security scans add nested groups to the security index. The default behavior is to add an entry for every trustee that has been found to be directly ACL'd on a managed host. The SharePoint and Windows security scan behavior does not cause any harm, it is simply inconsistent with the expected behavior.

Running Manage Access on a user/employee with a SharePoint user account type in the Security Index view logs an error: Requested value 'domain\user' was not found.

Workaround: Run another SharePoint synchronization.

Network configuration changes may not be reflected in the agent connection information. If the network configuration of a managed host changes such that outgoing connections become blocked, the agent on that computer may be incorrectly reported as operating in Active mode. Additionally, queries against this agent may not be processed. To resolve this situation, restart the agent to renegotiate the connection.

When deploying remote agents, it is sometimes possible to select roots that the specified service account cannot access. Ensure that the service account being selected for agent deployment can read the target.

Removal of inherited and explicit entries in the security editor should be performed as two separate operations. When removing permissions in the security editor, if both explicit and inherited permissions are present in the selection, you will be prompted to confirm how to remove the inherited permissions. If the Copy from Parent option is selected, the permissions originally selected for removal will not be removed. A subsequent removal of the explicit permissions will properly remove the rights.

Do not manipulate security on the computer's recycle bin as this can cause consistency issues with the content of the recycle bin itself.

Adding machine local objects to a folder ACL on a NetApp filer using the Data Governance security editor is not supported. When navigating to a folder using a share path through the Resource browser or security editor, attempting to add a machine local ACE from the filer on the folder ACL will fail.

Local reads of .txt files using notepad – no read event appears on activity reports. Account Activity and Resource Activity reports include events as they are conveyed by the system where the activity occurred. In some instances, certain applications do not report events as they may be expected by the user. This is the expected behavior of the application and Data Governance Edition, in most cases, is limited by what is reported by the operating system.

If agents are not in an OK or Data available state, data from these agents will not be included in reports.

Cloning an account on a NetApp managed host is not supported.

Adding rights to a folder on a NetApp managed host is not supported.

Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

Unable to install an agent on a computer running Windows 2008.

To resolve this issue, download and install the VeriSign Class 3 Primary CA -G5 certificate in the local certificate store on the required target computers. The download is available here: https://www.symantec.com/page.jsp?id=roots.

Agents used to scan an EMC or NetApp filer cannot be hosted on Windows Server 2012 or 2012 R2. When the Data Governance server is hosted on Windows 2012/2012 R2, you cannot browse resources or set managed paths for the EMC or NetApp managed host. This is related to a known issue with Windows Server 2012/2012 R2.

Workaround: Use an alternative supported operating system to host the agent to scan the EMC or NetApp filer or set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force

For more details on the known issue, see http://support.microsoft.com/kb/2686098.

Agent cannot access EMC or NetApp shares. After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2 or Windows 8, a "Windows cannot access <machine>" network error appears when attempting to access a share on the NAS device using the file explorer. The root cause is likely due to an incompatibility between your NAS device and SMB 2.0.

Workaround: Upgrade the FLARE code on your NAS device with support for SMB 2.2. If that is not feasible, disable SMB 2 in Windows Server 2012/2012 R2 or Windows 8.

For more details on the known issue and the proper solution, see http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/