Identity Manager Data Governance Edition 9.1

The following systems are supported to be scanned.

Table 26: Supported target systems
Target	Version	Additional notes
Windows Server	The following Windows Server versions are supported for scanning (local or remote managed hosts): Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	Resource activity collection is not supported for remotely managed Windows Server hosts.
Windows Cluster	The following failover clusters are supported for scanning (remote managed host): Windows 2012 Windows 2012 (R2) Windows 2016 Windows 2019 NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	Resource activity collection is not supported for Windows clusters.
NetApp CIFS Devices	The following NetApp filer versions (with CIFS file system protocol enabled) are supported for scanning (remote managed host): NetApp ONTAP 7.3 NetApp ONTAP 8.0 NetApp ONTAP 8.1 NetApp ONTAP 8.2 NetApp ONTAP 8.3 NetApp ONTAP 9.0 RC1 NetApp ONTAP 9.1 NetApp ONTAP 9.2 NetApp ONTAP 9.3 NetApp ONTAP 9.4 NetApp ONTAP 9.5 NetApp ONTAP 9.6 NetApp ONTAP 9.7 NetApp ONTAP 9.8 NetApp ONTAP 9.9 Both NetApp 7-Mode and Cluster Mode are supported. NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	Real-time security updates and resource activity collection are not supported on versions of NetApp ONTAP filers earlier than 7.3. NetApp storage devices require additional configuration.
NetApp NFS Devices	The following NetApp filer versions (with NFS file system protocol enabled) are supported for scanning (remote managed host): NetApp ONTAP 7.3 NetApp OnTAP 8.0 NetApp ONTAP 8.1 NetApp ONTAP 8.2 NetApp ONTAP 8.3 NetApp ONTAP 9.0 RC1 NetApp ONTAP 9.1 NetApp ONTAP 9.2 NetApp ONTAP 9.3 NetApp ONTAP 9.4 NetApp ONTAP 9.5 NetApp ONTAP 9.6 NetApp ONTAP 9.7 NetApp ONTAP 9.8 NetApp ONTAP 9.9 Both NetApp 7-Mode and Cluster Mode are supported. NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process. For NetApp 7-Mode managed hosts, real-time security updates and resource activity collection require FPolicy; and in order to use FPolicy, CIFS must be installed and running. NetApp storage devices require additional configuration.
EMC CIFS Devices	The following EMC devices are supported for scanning (remote managed host): EMC Celerra EMC VNX EMC Isilon The following EMC Framework versions (with CIFS file system protocol enabled) are supported: Common Event Enabler (CEE) 7.1 (or higher) NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	VNXe is not supported. VNXe does not support CEPA currently and therefore Data Governance Edition will not run successfully in VNXe environments. EMC storage devices require additional configuration. See Appendix: EMC managed host deployment prior to adding an EMC managed host. Common Event Enabler (CEE) version 8.7.8.1 or higher are not yet supported.
EMC Isilon NFS Devices	The following EMC Isilon devices (with NFS file system protocol enabled) are supported for scanning (remote managed host): EMC Isilon 7.2 EMC Isilon 8.0 EMC Isilon OneFS 8.1.2 EMC Isilon OneFS 8.2 EMC Isilon OneFS 8.2.1 EMC Isilon OneFS 8.2.2 EMC Isilon OneFS 9.0 EMC Isilon OneFS 9.1 NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.	NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process. Resource activity collection is not supported for EMC Isilon NFS managed hosts. EMC storage devices require additional configuration.
SharePoint	The following SharePoint versions are supported for scanning (local managed host): SharePoint Server 2010 SharePoint Server 2013 SharePoint Server 2016 SharePoint Server 2019 100GB disk space on the SharePoint agent computer for data storage and scan post-processing activities. NOTE: The space required depends the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm. 8GB RAM for the SharePoint agent computer.	Agent is installed where the One Identity Manager service (job server) is running for the SharePoint farm. We recommend installing the One Identity Manager service on a dedicated SharePoint Application Server in the farm and not on a Web Front server which prevents extra load processing on that server. Standalone farms are not supported. Farms configured with only Local Users and Groups are not supported.
Cloud	The following cloud providers running on Office 365 are supported for scanning (remote managed host): SharePoint Online OneDrive for Business	Resource activity collection is not supported for Cloud managed hosts. OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.
DFS Root	Windows 2012 Active Directory DFS and higher

Data Governance Edition minimum permissions

The following table contains the permissions required to properly deploy Data Governance Edition.

Table 27: Required minimum permissions
Account	Permission
System user (Active Directory account logged on to the computer) AND Manager user (Active Directory account running the Manager)	Must have an associated One Identity Manager Employee. Employee must be assigned the Data Governance \| Administrators application role or the Data Governance \| Access Managers application role. NOTE: If the System user does not have the appropriate roles assigned, you will see the Data Governance Edition features in the Manager, but will encounter errors when attempting to perform Data Governance Edition-related tasks. If the Manager user does not have the appropriate roles assigned, you will not see the Data Governance Edition features in the Manager.
Service account assigned to a managed domain	Log On as a Service local user rights on the Data Governance server. Local Administrator rights on Data Governance agent computers. NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted. If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), additional rights are required.
SQL service account for connection with the Data Governance Resource Activity database	dbcreator server role is required to create the database during initial configuration of Data Governance Edition db_owner role is required to work with the database
SQL service account for connection with One Identity Manager database	db_owner role for One Identity Manager database
Service account for an agent on Local Windows managed hosts	The agent runs under the Local System account. No additional rights are required.
Service account for an agent managing remote Windows managed hosts	Local Administrator rights on the managed host. NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted. Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
Service account for an agent managing SharePoint farms	Must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). This account also needs to be a member of the administrators group on the SharePoint server. Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)
Service account for an agent managing NetApp filers	Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.) Must be a member of the local Administrators group on the NetApp filer in order to create FPolicy. Must have permissions to access folders being scanned.
Service account for an agent managing EMC Isilon storage devices	Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.) Must have "run as root" permissions on the Isilon SMB share that has been selected as a managed path.
One Identity Manager service (job server) account used for scheduling Data Governance Edition reports	Must have an associated One Identity Manager Employee. Employee must be assigned the Data Governance \| Administrators application role or the Data Governance \| Access Managers application role.
Active Directory account used by the AppServer to establish communication between the Data Governance server and the Manager	Must have an associated One Identity Manager Employee. Employee must be assigned the Data Governance \| Administrators and the Data Governance \| Access Managers application roles. NOTE: This account must be added as the AppServer pool identity in Internet Information Services (IIS) Manager. If the AppServer application pool is set to the default Network Security identity, Data Governance Edition reports will fail to generate.

Data Governance Edition required ports

Note: For agent deployments, open the following file and printer sharing ports:

TCP 135
UDP 137
UDP 138
TCP 139
TCP 445

Table 28: Ports required for communication
Port	Direction	Description
8721	Incoming	TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.
8722	Incoming	TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, One Identity Manager web server, and PowerShell. NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above should always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you only change this port using the Data Governance Configuration wizard to ensure the configuration file, One Identity Manager database and service connection points are updated properly; otherwise, you may lose connection with the Manager, the Data Governance service and/or Data Governance agents. IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.
8723	Incoming	HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).
18530 - 18630	Incoming	TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host will use port 18530, and each subsequent agent on the same host will take the next available port, i.e., 18531, 18532, and so on.). In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.

Identity Manager Data Governance Edition 9.1 - Release Notes

Supported target systems

Data Governance Edition minimum permissions

Data Governance Edition required ports

Product licensing

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager Data Governance Edition 9.1 - Release Notes

Supported target systems

Data Governance Edition minimum permissions

Data Governance Edition required ports

Product licensing