Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.2 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Add-QManagedHostByAccountName

Registers a computer as a managed host with your Data Governance Edition deployment and configures its settings.

A managed host is any network objects that can host resources and can be assigned an agent to monitor security and collect resource activity. Currently supported hosts include:

  • Local Windows computer
  • Windows Cluster/Remote Windows computer
  • Generic resource (that is, a Server Message Block (SMB) share running on any Active Directory joined computer)
  • Distributed File System (DFS) root
  • SharePoint farm
  • EMC storage device with CIFS file system protocol enabled
  • NetApp 7-Mode filer with CIFS file system protocol enabled
  • NetApp Cluster-Mode filer with CIFS file system protocol enabled
  • EMC Isilon storage device with NFS system protocol enabled
  • NetApp 7-Mode filer with NFS file system protocol enabled
  • NetApp Cluster-Mode filer with NFS file system protocol enabled

Note: This PowerShell cmdlet does not support adding Cloud managed hosts.

Once you have added a managed host, you can begin to manage the data contained within it.

Syntax:

Add-QManagedHostByAccountName [-HostAccountName] <String[]> [[-Keyword] [<String>]] [[-ResourceActivityEnabled] [<SwitchParameter]] [[-Granularity [<Int32>]] [[-ExcludedTrusteesImportFile [<String>]] [[-ExcludedFileTypesImportFile] [<String>]] [[-ExcludedFoldersImportFile] [<String>]] [[-AgentHostName] [<String>]] [[-SelectedDataRoots] [<String>]] [[-ScheduleType] [<QAM.Common.Interfaces.ScheduleConfiguration+ScanScheduleType>]] [[-RunOnDays] [<String>]] [[-ScheduledTime] [<String>]] [[-ScanInterval] [<Int32>]] [[-ServiceAccountId] [<String>]] [[EnableRemoteFileSystemChangeWatching] [<SwitchParameter>]] [[-PerformImmediateScanOnWatchError] [<SwitchParameter.]] [[-OverrideScanScheduleOnStartup] [<Boolean>]] [[-HostType] [<QAM.Common.Interfaces.ManagedHostInfo+HostTypes>]] [-DataRootType [<String>]] [[-IsManagedResourceHost] [<Boolean>]] [[-IgnoreFiles] [<SwitchParameter>]] [<CommonParameters>]

Table 165: Parameters
Parameter Description
HostAccountName

Specify the managed host account name.

Keyword

(Optional) Specify a keyword that can be used to group managed hosts in the Managed host view of the Manager.

ResourceActivityEnabled

(Optional) Specify this parameter to enable resource activity collection.

Resource activity collection is disabled by default. You can, enable it for locally managed Windows servers, SharePoint farms, and supported NetApp and EMC remotely managed hosts. It is used to collect data on identities, reads, writes, creates, deletes, renames and security changes on securable objects. This information is required for several report types, including the Resource Activity report.

Granularity

(Optional) Specify how often (in minutes) you would like to synchronize and aggregate the data. That is, this is the amount of time the agent is to record new activity before sending results to the Data Governance server. The value entered will be changed to a valid aggregation interval, as follows:

  • Values less than 10 minutes will be set to 5 minutes.
  • Values between 10 minutes and 2 hours will be set to 1 hour.
  • Values between 2 hours and 15 hours will be set to 8 hours.
  • Values greater than 15 hours will be set to 1 day.

NOTE: Identical activity generated during this time will be recorded as one activity.

ExcludedTrusteesImportFile

(Optional) Specify the path to a file containing a list of accounts to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

ExcludedFileTypesImportFile

(Optional) Specify the path to a file containing a list of file types to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

ExcludedFoldersImportFile

(Optional) Specify the path to a file containing a list of the folders on the computer (paths) to be excluded from the index scans.

This parameter only applies to managed hosts with resource activity enabled.

AgentHostName For remote managed hosts, provide the name of the computer where the scanning agent will reside.
SelectedDataRoots

Specify one or more NTFS directories (or a point in your SharePoint farm hierarchy) to be scanned by the agent. By default, everything under a selected data roots (paths) is scanned.

For remote managed hosts and SharePoint hosts, define the paths to be scanned.

For local managed hosts, the agent performs a full scan of the computer by default; however, you can optionally specify the paths to be scanned by the agent. Once configured, only those managed paths are scanned.

ScheduleType

Specifies the time and frequency with which the agent scans the target computer. Valid values are:

  • DaysOfWeek: Use to specify a daily scan schedule. If you specify this value, you must also specify the RunOnDays and ScheduledTime parameters.
  • Interval: Use to scan the target computer on an hourly interval instead of a daily schedule. If you specify this value, you must also specify the ScanInterval parameter.
  • RunOnce: Use to scan the target computer only one time.

This parameter is required for remotely scanned managed hosts.

RunOnDays

If the ScheduleType is set to "DaysOfWeek", specify the days you would like the agent to scan the managed host.

The syntax is DayOne for Sunday, DayTwo for Monday, etc. For example, to set a scan schedule for Monday, Wednesday and Friday, you would specify ScheduledDays DayTwo,DayFour,DaySix.

For remote managed hosts, optionally specify this parameter to define the days of the week to be included in the scan schedule.

If this parameter is not specified, all days of the week are included by default.

ScheduledTime

If the ScheduleType is set to "DaysOfWeek", specify the time of day when the scan is scheduled to start.

The syntax is, hh:mm:ss. For example, to start a scan at 4 a.m., specify -ScheduledTime 4:00:00; for 6 p.m., specify -ScheduledTime 18:00:00.

For remote managed hosts, optionally specify this parameter to define the time of day when the scan is scheduled to start.

If this parameter is not specified, the default start time is 2:00:00 AM.

ScanInterval

If the ScheduleType is set to "Interval", specify the interval (in hours) at which the agent will scan the managed host.

For example, to scan every 4 hours, specify -ScanInterval 4.

If this parameter is not specified, the default is 24 hours (or 1 day).

ServiceAccountId

If deploying a remotely managed host, you must supply the GUID of the service account that the agent will use to access the remote managed hosts files.

Run the Get-QServiceAccounts cmdlet to get a list of service accounts registered with Data Governance Edition and their IDs.

EnableRemoteFileSystemChangeWatching

(Optional) Specify this parameter if you want to collect activity for real-time security updates for the scanned managed host.

NOTE: Real-time security updates in the context of Data Governance Edition refers to the monitoring of changes to the file system caused by create, delete, and rename operations, as well as DACL, SACL and Owner changed, in order to maintain the security index. These real-time security updates are not monitored by default.

OverrideScanScheduleOnStartup

(Optional) Set this flag when you want the agent to do a full scan immediately when the agent is added, or perform a rescan when the agent service is restarted.

Valid values are:

  • 1 or $true: Perform scan when agent is started or restarted. (Default for local managed hosts).

    If the parameter is specified without a value, set to $true and perform a full scan when agent is started or restarted.

  • 0 or $false: Do not perform scan when agent is started or restarted. (Default for remote managed hosts.)

    If the parameter is not specified, set to $false and do not perform a full scan when agent is started or restarted.

For example, to override the scan schedule when an agent is started or restarted: -OverrideScanScheduleOnStartup 1

HostType

(Optional) Specify the type of computer the agent will be monitoring. Valid values include:

  • WindowsServer (Default)
  • OnTapDevice
  • CelerraDevice
  • WindowsCluster
  • SharePointFarm
  • GenericHostType
  • DistributedFileSystemRoot
  • IsilonDevice
  • IsilonNfsDevice
  • OnTapNfsDevice
  • OnTapClusterNfsDevice
  • OnTapClusterCifsDevice

If this parameter is not specified, WindowsServer is the default host type.

DataRootType

(Optional) Specify the type of data root. Valid values include:

  • Share
  • Folder

If this parameter is not specified, defaults to Folder.

IsManagedResourceHost

(Optional) Specify this parameter if you want this managed host to be used to host managed resources (for example, file shares created through the IT Shop self-service request functionality).

  • $false: (Default) Can not host a managed resource
  • $true: Can host a managed resource
IgnoreFiles

(Optional) Specify if you want the scanner to include files that have explicit permissions set. If this switch parameter is not present, the managed host scanner will ignore files.

This flag is purely for scanning optimization.

Examples:
Table 166: Examples
Example Description

Add-QManagedHostByAccountName -HostAccountName QAMAUTODC -Keyword QAMAUTO3 -SelectedDataRoot "\\qamautodc\C$\autoroot

Adds a local managed host to the computer "QAMAUTODC", with a keyword of QAMAUTO3. The data root is set to \\qamautocd\C$\autoroot, which means that the agent will only scan this folder and its subfolders on the managed host.

Add-QManagedHostByAccountName -HostAccountNames QAMAUTODC -Keyword QAMAUTO -SelectedDataRoot "\\qamautodc\C$\autoroot" -AgentHostName QAMAUTOMEM1 -ServiceAccountId b0a0e218-55c1-41d7-9585-bf7578ad1130 -ScheduleType Interval -ScanInterval 1 -EnableRemoteFileSystemChangeWatching OverrideScanScheduleOnStartup

Deploys a remotely scanned managed host, with the agent being hosted on "QAMAUTODC", with a keyword of QAMAUTO. The dataroot is set as "\\qamautodc\C$\autoroot", For remote managed hosts, you must also include a service account ID, because these are the credentials that the type is set as Interval and the scan interval is set as 1. Remote file resource activity collection is enabled as is override scan schedule on startup. IncludeFiles switch is not included, so the default applies; the scanner will ignore files.

Add-QManagedHostByAccountName -HostAccountName QAMAUTODC -Keyword QAMAUTO3 -SelectedDataRoot "\\qamautodc\C$\autoroot" -IsManagedResourceHost $true

Adds a local managed host that supports the creation of managed resources.

Add-QManagedHostByAccountName SharePoint_ConfigVmset6 vmset6 -AgentHostName QAM-SP2010-DJ -ServiceAccountId 0ca68d5f-f392-453c-9c50-1784332fe3c7 -ResourceActivityEnabled -Granularity 480 -ScheduleType Interval -ScanInterval 1 -OverrideScanScheduleOnStartup -HostType "SharePointFarm" -SelectedDataRoots "SharePoint_ConfigVmset6/SharePoint - 80/My Wiki/My Wiki/Documents|sp://titan/0ee296d6-dea5-4f4d -950f-27c06458cad1/57947f70-c2b0-4d76-a8b3-ac54fa5bb4ab/15c4fc23-b986-4937-890c-d387125d3114/My%20Wiki/Documents"

Adds a SharePoint managed host with one managed path with resource activity enabled.

Clear-QResourceActivity

Clears the resource activity for a given managed host. This enables you to remove activity data from the Data Governance Resource Activity database on demand when it is no longer required.

Note: Once activity data is cleared from the database, it cannot be recovered.

Syntax:

Clear-QResourceActivity [-ResourceNodeId] <Int32> [<CommonParameters>]

Table 167: Parameters
Parameter Description
ResourceNodeId

Specify the resource node ID of the managed host for which resource activity is to be cleared. This ID is used to link the managed host back to the activity database.

Run the Get-QManagedHosts cmdlet to retrieve a list of managed hosts and associated IDs.

Examples:
Table 168: Examples
Example Description
Clear-QResourceActivity -ResourceNodeId 21 Clears the resource activity from the database for the specified managed host.

Get-QHostsForTrustee

Returns a selected user or group's access on all managed hosts in your environment.

Syntax:

Get-QHostsForTrustee [-TrusteeSid] <String> [-IncludeIndirectAccess] [<SwitchParameter>]] [<CommonParameters>]

Table 169: Parameters
Parameter Description
TrusteeSid Specify the security identifier (SID) of the account (trustee) whose access you are interested in.
IncludeIndirectAccess

(Optional) Specify this parameter if you want to include indirect access in the results.

If this parameter is not specified, the results only includes the managed hosts where the specified account has direct access.

Examples:
Table 170: Examples
Example Description
Get-QHostsForTrustee -TrusteeSid S-1-5-21-3765505745-248418262-535198764-500 Returns a list of the managed hosts where the specified account has direct access.
Details retrieved:
Table 171: Details retrieved
Detail Description
HostName The name of the host to which the account has access.
HostDomainName The full domain name of the domain to which the managed host computer belongs.
ManagedHostId The value (GUID) assigned to the managed host computer.
ResourceType The type of resource to which the account has access.
ViaAccount For indirect access, the name of the account through which access is being granted.

Get-QManagedHosts

Retrieves a list of managed hosts currently registered with the Data Governance server.

Syntax:

Get-QManagedHosts [-HostName [<String>]] [-ManagedHostId [<String>]] [<CommonParameters>]

Table 172: Parameters
Parameter Description
HostName (Optional) Specify the pre-Windows 2000 name for the host to be retrieved.
ManagedHostId

(Optional) Specify the ID (GUID format) of the managed host to be retrieved.

Run this cmdlet without any parameters to retrieve a list of available managed hosts and their IDs.

Examples:
Table 173: Examples
Example Description
Get-QManagedHosts Retrieves a list of all the managed hosts for a given Data Governance Edition deployment.
Get-QManagedHosts -HostName QAMAUTOMEM2 Retrieves the details for the selected managed host.
Details retrieved:
Table 174: Details retrieved
Detail Description (Associated key or property in QAMManagedHosts table)
Agents

The name and ID (GUID) of agents installed on the managed host.

Agents is an array that can be expanded to display the following details about each agent:

  • Id
  • ManagedHostId
  • Management
  • AgentComputer
  • AgentComputerDnsName
  • AgentComputerActiveDirectorySid
  • AgentComputerManagedDomainId
  • AgentDetails
  • UserNotes
  • PublicKey
  • ServiceAccountId
  • IsPrimaryAgent
  • ConfigurationSettings - this is an array that can be expanded to display the individual configuration settings for the agent.
  • ScannerStates
  • LastDugUpdateTimestamp
  • BelongsToAnotherDeployment
ManagedHostId The value (GUID) assigned to the managed host computer (ManagedHostId).
ManagedHostSid The security identifier (SID) assigned to the managed host computer (ManagedHostSid).
ComputerSamSid Deprecated.
ManagedDomainId The value (GUID) assigned to the managed domain in which the managed host belongs (ManagedDomainId).
HostName The name of the host (HostName).
DfsRoot For DFS managed hosts, the value (GUID) assigned to the dfs root to be scanned (DfsRoot).
SamAccountName The login name for the managed host computer (SAMAccountName).
HostDnsName The full DNS name of the managed host computer (HostDnsName).
HostDomainName The full domain name of the domain to which the managed host computer belongs (HostDomainName).
SiteName If available, the name of the site to which the managed host belongs.
HostType

The physical configuration of the host (HostType).

Management

Indicates whether the host is managed by a local or remote agent (Management):

  • Local
  • Remote
Features

The features that a given managed host supports and will allow, such as SecurityIndex and ResourceManagement.

Status The status of the managed host, based on all the agents monitoring the host.
Internal Status The status of the managed host, based on all the agents monitoring the host.
ResourceNodeId

The ID used to link the managed host back to the activity database (ResourceNodeId).

NOTE: The ResourceNodeId is used in the Clear-QResourceActivity cmdlet.

Keywords Optional keywords entered when the managed host was added to Data Governance Edition (Keywords).
HostContainerId Deprecated.
SharePointFarmId For SharePoint managed hosts, the value (GUID) assigned to the SharePoint farm to be scanned (SharePointFarmId).
SharePointFarmObjectGuid For SharePoint managed hosts, the value (GUID) assigned to the SharePoint object to be scanned (SharePointFarmObjectGuid).
IsManagedResourceHost

Indicates whether this managed host can be used to host managed resources (for example, file shares created through the IT Shop self-service request functionality):

  • False: Can not host a managed resource.
  • True: Can host a managed resource.
ApiUserName

The user account used to connect to the target NAS storage device.

Only applies to NFS managed hosts and NetApp OnTap Cluster Mode CIFS managed hosts.

ApiPortNumber

The destination port used for communication between the agent and the target NAS storage device.

Only applies to NFS managed hosts and NetApp OnTap Cluster Mode CIFS managed hosts.

ResourceActivityTrackingSupported

Indicates whether resource activity collection is enabled.

IsNfsHost

Indicates whether this is an NFS managed host.

IsEmcHost

Indicates whether this is an EMC managed host.

IsNetAppHost

Indicates whether this is a NetApp managed host.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating