Identity Manager Data Governance Edition 8.0.1 - Technical Insight Guide

Manually deploying Data Governance service

You need the following to manually deploy the Data Governance service:

• Data Governance Server installation msi
• Local Administrator rights on the server where the Data Governance service is to be installed.
• Installation of the One Identity Manager client applications (including the Data Governance Edition PowerShell snap-in)
• Ability to change One Identity Manager configuration options in the Designer application
• Connection information to the One Identity Manager database
• Database creation permissions (if creating the Data Governance Resource Activity database)

To manually deploy the Data Governance service

1. Log on to the system with the One Identity Manager client installation.
2. Open the Designer and log on as a system user with administrative privileges (for example, viadmin)
3. Edit the Data Governance service configuration parameters: 
   1. In the navigation view, select Base Data | General | Configuration parameters.
   2. In the far right column, click Edit configuration parameters.
   3. Expand TargetSystem | ADS | QAM | QAMServer.
   4. Change the ServerName value to the fully qualified DNS name of the server where the Data Governance service is to be installed.
   5. Set the Port value to the net.tcp port your server will listen on. The HTTP port will automatically be configured to use the net.tcp port value -1.

   6. Set the Deployment value to the name of your Data Governance Edition deployment.

      Note: This defaults to "DEFAULT". If you are going to or already have multiple Data Governance Edition deployments in your Active Directory forest, you must ensure this name is unique. The Deployment value is restricted to a maximum of 30 characters and can contain alphanumeric characters and underscores (no spaces).

4. Use the LocalSystem account to log on to the Data Governance server specified above and run the Data Governance Server installation msi.

   Note: When you run the MSIEXEC from a command prompt, you must be running as local system. This ensures that the service connection point can be updated no matter what your Data Governance service runs as.

   Example: ->msiexec /i "DataGovernance_ServerComponentsInstaller_x64.msi" /lv C:\DgeMsintallLog QAMDEPLOYMENT="testNew" QAMPORT=8722

   Note: Refer to the Microsoft documentation for command line syntax of MSIEXEC.EXE. For more information on using the Windows Installer (MSIEXEC.exe) refer to Microsoft's MSDN library: https://msdn.microsoft.com/en-us/library/aa367988(VS.85).aspx See Data Governance service options for a description of the Data Governance deployment options available.

5. Open a Windows PowerShell console on the machine with the One Identity Manager client installation.

6. Run the following cmdlet to import the Data Governance Edition PowerShell module:

   Import Module "<path>"

   Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine would be "C\:Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll"

7. Run the following PowerShell cmdlet to set the server name, deployment name and port information used by the Data Governance Edition commands to connect to the Data Governance server:

   Set-QServiceConnection -ServerName "<DGE server machine name>" -Port <Value> - Deployment "<Deployment name>"

   Note: The <DGE server machine name>, Port <Value> and <Deployment name> must be the same values as specified in step 3.

8. Close the PowerShell console and restart the Data Governance service.

9. Run the following PowerShell cmdlet to establish the database connection between One Identity Manager and Data Governance Edition:

   Initialize-QDataGovernanceServer -DatabaseConnectionString "<Connection string for Identity Manager database>" [-IdentityManagerIsOracle] [-DefaultEmployeeSid "<SID of user account>"

   Note: Only specify the "-IdentityManagerIsOracle" flag if the One Identity Manager database is hosted by an Oracle database management system.

   Note: Only specify the "-DefaultEmployeeSid" parameter if you want to take advantage of the automatic forest topology harvest. Adding this parameter adds the user associated with the specified SID to the One Identity Manager Employees with the appropriate Data Governance application roles. This provides the same functionality as selecting the Add the current user to the One Identity Manager Employees with Data Governance application roles option when using the Data Governance Configuration wizard.

   Note: If Windows Integrated Authentication is used to connect to the database, the Data Governance server must be configured to run as an identity other than LocalSystem (See step 4).

   Connection string examples:

   An example of a connection string for Windows authentication may look like this:

   "Server=myServerAddress;Database=myDatabase'UserId=myUser;Password=myPassword;Trusted_Connection=True"

   An example of a connection string for SQL authentication may look like this:

   "Data Source=myServerAddress;Intitial Catalog=myDatabase;User Id=myUser;Password=myPassword"

   An example of a connection string for Oracle may look like this:

   "Server=myServerAddress;User Id=myUser;Password=myPassword;Direct=true;Connect mode=Direct;Service name=ServiceNameOfOracleInstance;Port=myPort"

   For more information on connection strings, see The Connection String Reference.

10. Using your preferred database management tool, browse on the Data Governance server to the %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server\Activity Database Scripts folder and locate a file named "DGAuditDatabaseCreationScript.sql" for SQL Server or "DGAuditDatabaseCreationScriptOracle.sql" for Oracle.

11. For SQL Server hosted databases, open the DCAuditDatabaseCreationScript.sql file and update the database name specified in the CREATE DATABASE and USE statements.

    Note: If you are running multiple Data Governance Edition deployments, it is highly recommended that you append the deployment name to the database name (for example, DGE_DEFAULT). This database name has a maximum length of 30 characters and can contain alphanumeric characters and underscores (no spaces).

    Skip to step 13.

12. For Oracle hosted databases, only modify the DGAuditDatabaseCreationScriptOracle.sql file if you changed the name of the default tablespaces (USERS and TEMP) created when a new database is created. To specify the custom tablespace name, open the .sql file, search for "TABLESPACE USERS: and change "USERS" to the appropriate tablespace name.

    In addition, you must pre-stage the DGE User\Database name (DGE_DEFAULT in the sample query provided in the note below). Then login with that DGE User\Database name to run the .sql script.

    Note: Oracle hosted databases: Sample query for pre-staging DGE User/Database name: --USER SQL CREATE USER DGE_DEFAULT IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP"; ACCOUNT UNLOCK; --QUOTAS --ROLES GRANT "CONNECT" TO DGE_DEFAULT; ALTER USER DGE_DEFAULT ROLE "CONNECT"; --SYSTEM PRIVILEGES GRANT UNLIMITED TABLESPACE TO DGE_DEFAULT; GRANT ALTER SESSION TO DGE_DEFAULT; GRANT SELECT ON GV_$SESSION TO DGE_DEFAULT; GRANT SELECT ON V_$VERSION TO DGE_DEFAULT; GRANT EXECUTE ON DBMS_CRYPTO TO DGE_DEFAULT; GRANT CREATE TYPE TO DGE_DEFAULT; GRANT CREATE TABLE TO DGE_DEFAULT; GRANT CREATE VIEW TO DGE_DEFAULT; GRANT CREATE PROCEDURE TO DGE_DEFAULT; GRANT CREATE SEQUENCE TO DGE_DEFAULT; GRANT CREATE SYNONYM TO DGE_DEFAULT; GRANT CREATE TRIGGER TO DGE_DEFAULT; GRANT ANALYZE ANY TO DGE_DEFAULT; GRANT CREATE JOB TO DGE_DEFAULT; GRANT SELECT ON GV_$OSSTAT TO DGE_DEFAULT; GRANT EXECUTE ON DBMS_LOCK TO DGE_DEFAULT; GRANT EXECUTE ON DBMS_PIPE TO DGE_DEFAULT; GRANT EXECUTE ON DBMS_ALERT TO DGE_DEFAULT;

13. Run the appropriate script for your database management system to create the Data Governance Resource Activity database.

14. Run the following PowerShell cmdlet to initialize the database to store data generated when a managed host has resource activity collection enabled:

    Initialize-QDataGovernanceActivity -ConnectionString "<Connection string to activity database>" [-ActivityDatatbaseOracle]

    Note: Ensure the connection string's Initial Catalog value (Database value if using Windows authentication) matches the name you specifies in the sql script when creating the Data Governance Resource Activity database.

    Note: Only use the "-ActivityDatabaseOracle" flag if your Data Governance Resource Activity database is hosted by an Oracle database management system.

15. Restart the Data Governance service.

    Note: It might take a few minutes before the Data Governance topology harvest task begins.

Data Governance service options

The Data Governance service installer is included in the autorun and can be found in the QAM module's directory. For example, C:\<DGE Build>\Modules\QAM\dvd\DataGovernance_ServerComponentsInstaller_x64.msi.

The following options are available when using the Windows Installer .msi to install the Data Governance service.

Data Governance agents

The One Identity Manager Data Governance Edition Deployment Guide provides details on adding managed hosts and deploying Data Governance agents; the information provided here is intended to provide more information about this deployment process and the Data Governance agents.

• Agent deployment process
• Agent files
• Data Governance agent configuration

Agent deployment process

1. The Data Governance service pushes the "QRemoteExecutorService.exe" file onto the agent host under a hidden folder:

   \\AgentHost\admin$\Broadway\AgentManagement

2. The Remote Executor is started on the agent, determines the agent architecture, and sends the data back to the Data Governance service.
3. The Data Governance service pushes the correct agent installer to the same location as the Remote Executor.
4. The Remote Executor installs the agent to %ProgramFiles%\One Identity\One Identity Manager Data Governance\Agent Services by default.

   1. Local agents are named "DGE_<DeploymentName>_LocalHost"

      Example: DGE_DEFAULT_LocalHost

   2. Remote agents are named "DGE_<DeploymentName>_<FQDN of managed host>"

      Example: DGE_DEFAULT_flowernetapp_flowers_local

   3. SharePoint Farm agents are named "DGE_<DeploymentName>_Sharepoint"

      Example: DGE_DEFAULT_Sharepoint

      NOTE: For multi-agent SharePoint managed hosts, an number is appended to the end of the agent service name. Example: DGE_DEFAULT_Sharepoint_1, DGE_DEFAULT_Sharepoint_2, DGE_DEFAULT_Sharepoint_3, and so on.

   4. SharePoint Online agents are named "DGE_<DeploymentName>_SharePointOnline_<Office 365 Host>"

      Example: DGE_DEFAULT_SharePointOnline_DGEPROD.ONMICROSOFT.COM

   5. OneDrive for Business agents are named "DGE_<DeploymentName>_OneDriveBusiness_<Office 365 Host>"

      Example: DGE_DEFAULT_OneDriveBusiness_DGEPROD.ONMICROSOFT.COM

5. The Data Governance service grants the service account used for agent deployment a few local privileges, including:
   1. SE_SERVICE_LOGON_RIGHT
   2. SE_TCB_NAME
   3. SE_RESTORE_NAME
   4. SE_BACKUP_NAME