Chat now with support
Chat with Support

Identity Manager Data Governance Edition 8.0.1 - Technical Insight Guide

Introduction Data Governance Edition Network Communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management
About us


Informs the Data Governance server that the managed host state should be updated.


Set-QManagedHostUpdated [-ManagedHostId] <String> [<CommonParameters>]

Table 169: Parameters
Parameter Description

Specify the ID (GUID format) of the managed host whose state should be updated.

Table 170: Examples
Example Description
Set-QManagedHostUpdated -ManagedHostId 6834E1A6-B6C5-4508-867A-1E85B7B81578 Updates the managed host specified by the given managed host id.


By default the Data Governance server synchronizes the DFS structure into the One Identity Manager database every 24 hours. Use this cmdlet to force a DFS synchronization of a DFS managed host, making the DFS path immediately available within the Resource browser.


Trigger-QDfsSync [-ManagedHostId] <String> [<CommonParameters>]

Table 171: Parameters
Parameter Description

Specify the ID (GUID format) of the DFS managed host to be synchronized.

NOTE: Run the Get-QManagedHosts cmdlet without any parameters to retrieve a list of available managed hosts and their IDs.

NOTE: To synchronize all DFS managed hosts in your Data Governance Edition deployment, set the -ManagedHostId to All.
Table 172: Examples
Example Description
Trigger-QDfsSync -ManagedHostId f9568450-7396-47ed-bfed-e1377946c2af Forces a synchronization of the specified DFS managed host.
Trigger-QDfsSync -ManagedHostId All Forces a synchronization of all DFS managed hosts.

Account access management

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

The following commands are available to you to manage account access. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 173: Account access management commands

Use this command

If you want to


View where users and groups have access on a managed host.

For more information, see Get-QAccountAccess.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.


View the resource access for a given account (Domain\SAMAccountName) across all available hosts.

For more information, see Get-QAccountAccessOnHosts.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.


View the activity associated with a user on a managed host.

For more information, see Get-QAccountActivity.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.


View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access.

For more information, see Get-QAccountAliases.


View all account access for a specific managed host.

For more information, see Get-QAccountsForHost.


View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.

For more information, see Get-QADAccount.


View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource.

For more information, see Get-QGroupMembers.


View all of the entries from the QAMTrustee table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee.

For more information, see Get-QIndexedTrustees.


Returns where users and groups have access on a managed host.


Get-QAcccountAccess [-ManagedHostId] <String> [-TargetType] <QAM.Client.PowerShell.TargetType> [-TargetId] <String> [-ResType] <QAM.Client.PowerShell.QueryResourceType> [[-AccountOrigin] [<String>] [[-Direct] [<SwitchParameter>]] [[-Exclusions] [<String[]>]] [[-DataUnderGovernance] [<SwitchParameter>]] [<CommonParameters>]

Table 174: Parameters
Parameter Description

Specify the ID (GUID format) of the managed host whose access you are interested in.

NOTE: Run the Get-QManagedHosts command to retrieve a list of managed hosts and their IDs.

Specify one of the following types for the target object:

  • Account
  • Employee
TargetId Specify the ObjectSid for the account or employee.

Specify the type of resource to be queried. Valid values are:

  • CloudFiles
  • CloudFolders
  • Files
  • Folders
  • Shares
  • LocalOSRights
  • AdminRights
  • ServiceIdentities
  • SharePointResources
  • SharePointFarmAdminRights
  • SharePointWebAppPolicies
  • SharePointSiteCollectionAdminRights

(Optional) Specify the origin of the trustee SID specified in the query. Enter the DNS name of the reference domain or computer for the SID.

NOTE: If this parameter is not specified, the server will attempt to infer it.

(Optional) Specify this parameter if you want the query to retrieve only direct access points.

NOTE: If this parameter is not specified, group membership expansion should be taken into account.

(Optional) Specify a list of trustees that are not to be considered for account access via group membership. This means that if the account being considered is a member of one of the excluded trustees, that access will be ignored.

The list must be an array of strings in the following format: [domain DNS name:]SID. The domain DNS name portion can be excluded, in which case Data Governance Edition will infer what it can. For built-in accounts, a missing DNS name means that all of the instances of the provided SID must be excluded.


(Optional) Specify this parameter if you want to include only governed resources in your query.

NOTE: If this parameter is not specified, the query will include all resources.
Table 175: Examples
Example Description

Get-QAccountAccess -ManagedHostId 72eed1b9-bf06-4bb9-9ac4-1886daafc514 -TargetId 6a894591-f707-41e5-a187-6b379d07c043 -ResType Folders -AccountOrigin xdomain.local -TargetType Employee -Direct $true

Looks at a managed host with id 72eed1b9-bf06-4bb9-9ac4-1886daafc514. The account or trustee in question has a SID of 6a894591-f707-41e5-a187-6b379d07c043, its type is Employee and the resource type is folders.
Details retrieved:
Table 176: Details retrieved
Detail Description
RightType The access right type.
ItemResourceType The resource type.
ResourceURI The URI of the resource to which the trustee has access.
TrusteeDisplayName The display name of the trustee.
TrusteeSid The SID assigned to the account (trustee).
HostName The host where the resource resides.
Rights The specific access rights assigned.
AppliesTo What the rights apply to.
Inheritance The type of inheritance.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating