Chat now with support
Chat with Support

Identity Manager Data Governance Edition 8.0.1 - User Guide

Introduction Data Governance navigation node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting Appendix: EMC, NetApp Filer, and SharePoint configuration details Appendix: PowerShell commands Appendix: Governed data attestation policies Appendix: Governed data company policies Appendix: Governed data risk index functions About us

Security scanning page

Use the Security Scanning page on the Managed Host Settings dialog to define when an agent is to perform the initial security scan and when to watch for changes to the structure and security of the file system. Where possible, schedule the scan to low peak hours to avoid heavy network traffic.

The default behavior for security scanning is different depending on the type of agent deployed:

  • Local agents: By default, local agents begin scanning immediately when the agent is deployed. Subsequent scans occur on the configured schedule, which is daily at 2:00 A.M. by default.
  • Remote agents: Remote agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.
  • SharePoint farm agents: SharePoint farm agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.

You can modify the scan schedule and define the time and frequency with which the agent scans the target computer using the options available on the Security Scanning page. In addition to defining the security scan schedule, you can specify whether to ignore files and only store folder security data, as well as continuously monitor the file system and apply real-time updates to scanned security data.

Note: The schedule times for security scanning are based on the agent's local time.

Table 50: Security scanning page: Controls and settings
Control/setting Description
Scanning Schedule

Use the options in the Scanning Schedule pane to define the frequency at which the agent performs a full security scan on the target managed host.

 NOTE: For remote managed hosts and SharePoint managed hosts, managed paths must be defined for scanning to occur. For more information, see Managed paths page.

Scan start time

Specifies the local time of day, with respect to the machine on which the agent is running, when the security scan is to start. The default start time is 2:00:00 AM. To change this time, use the arrow controls to specify a new time.

NOTE: When the Immediately scan on agent restart or when managed paths change option is selected, the scan start time is ignore for the initial scan.

Run Daily

Select this option to scan the target computer on a daily schedule. Use the days of the week check boxes to define when the scan will occur during the week and the Scan start time field to specify the time the daily scan is to begin.

  • Days of the week: Specifies the days of the week to be included/excluded from the daily run. All days of the week are selected by default. Click the corresponding day check box to clear the check box and exclude that day from the daily schedule.

NOTE: For all agents, this option is selected by default along with a scan start time of 2:00 A.M. However, since local agents also have the Immediately scan on agent restart or when managed paths change option selected by default, the initial scan starts immediately when a local agent is deployed. This daily schedule is then used for subsequent scans by the agent. For remote and SharePoint agents, this daily schedule is used for the initial and subsequent scans.

Run on an interval

Select this option to scan the target computer on an hourly interval instead of a daily schedule. Selecting this option enables the Every control to specify the interval to be used.

  • Every: Specifies the hour interval to be used. Every 4 hours is specified by default. Click the arrow controls to select a different hour interval.

NOTE: When using the Run on an interval option, it is possible to choose a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time is skipped and the next scan starts as normal.

Run once

Select this option to schedule a single security scan of the agent.

NOTE: When the Run once option is selected, the Collect activity for real-time security updates option is automatically selected. This is to ensure that changes to the structure and security of the file system on the target managed host are applied to the scanned data.

Immediately scan on agent restart or when managed paths change

Select the Immediately scan on agent restart or when managed paths change option if you want the agent to scan immediately when it is added, when the agent is restarted and when any managed paths are changed.

 NOTE: For local agents, this option is selected by default. To delay the initial scan and use a configured scan time, clear this check box and use the options in the Scanning Schedule pane to define when to start the agent scan.
Ignore all files and only store folder security data

The Ignore all files and only store folder security data indicates whether the agent is to capture file security data for the target managed host during an agent scan. When this option is cleared, the agent will include file security data in the agent scan.

NOTE: For all supported managed host types, this option is selected by default, indicating that only folder security data is to be scanned.

 NOTE: This option is not available for NFS host types.
Collect activity for real-time security updates

Select the Collect activity for real-time security updates option to have the agent watch for changes to the structure and security of the file system on the target managed host (that is, monitor create, delete, and rename operations, as well as DACL, SACL, and Owner changes). This results in a more up-to-date security index.

NOTE: When the Run once option is selected, this option is automatically selected to ensure that change to the structure and security of the files system on the target host are applied to the scanned data.

NOTE: When using Change Auditor to collect resource activity, it is not recommended to enable the Collect activity for real-time security updates on EMC or NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.

 NOTE: This option is not available for Generic, SharePoint Farm, SharePoint Online or OneDrive for Business host types.

 NOTE: When changing this setting, the agent starts watching for changes during and following the next scheduled full scan.

Resource activity page

You can collect resource activity on local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts. Resource activity collection is not supported for Windows Cluster/Remote Windows Computer, Generic, or Cloud managed hosts.

Note: Limitations with collecting resource activity on EMC storage devices:

  • EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.
  • EMC VNX activity collection by Data Governance agents is not supported for storage devices with multiple CIFS exposed virtual data movers.
  • Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts.
  • If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity from your EMC device with both Change Auditor and Data Governance Edition.

When enabled, you can configure to collect data on identities, reads, writes, creates, deletes, renames, and security changes on securable objects. Resource activity summary information is used to calculate ownership and for generating activity-related reports, including:

Important: By default, the collection of resource activity is disabled. You can enable it when you configure your managed hosts. However, collecting resource activity on your managed hosts impacts network usage and increases load on the Resource Activity database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation is important to limit some of this load. You should carefully plan out which servers you want to collect activity on and enable it only on those machines.

If you are collecting resource activity, it is recommended that you set up a scheduled execution of the activity database compression utility. This utility compresses the activity in your database that is older than a certain age and optionally purges entries that are even older. This is essential in ensuring your database remains manageable. For more information on the activity database compression utility, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Note: Data Governance Edition may report certain operations in unexpected ways. For example, in some instances a file rename operation may be represented as a delete and a create. This is normal behavior and depends on the system, or in some cases, the applications being used to interact with the resources.

Note: The time stamps for resource activity are based on the agent local time.

The Resource Activity page on the Managed Host Settings dialog contains the following information and options to configure the collection and aggregation of resource activity.

Table 51: Managed host settings: Resource Activity page
Field Description
No activity (scheduled security scans only)

Use this option if you do not want to collect resource activity for the target managed host.

 NOTE: For all types of managed hosts, this option is selected by default indicating that resource activity in not being collected for the target managed host.
Collect and aggregate events

Select this option to collect resource activity for the target managed host. When this option is selected, you can configure the events to be collected and the aggregation interval to be used to compress the activity data.

 NOTE: For SharePoint farm managed hosts, native SharePoint auditing must be enabled in order to collect resource activity.

 NOTE: For NetApp managed hosts, the FPolicy settings control the activity sent to the agent, unless resource activity is being collected directly from Change Auditor. For more information, see FPolicy deployment.

 NOTE: For EMC Celerra/VNX devices, you must configure the cepp.conf. For more information, see Creating the cepp.conf file (Celerra or VNX devices).

 NOTE: For EMC Isilon CIFS devices, you must enable auditing. For more information, see Enabling system configuration auditing (Isilon devices).

 NOTE: When using Change Auditor to collect resource activity, this option is selected by default. For more information, see the Post installation configuration chapter in the One Identity Manager Data Governance Edition Deployment Guide.
Events

Select or clear the check boxes to specify the type of events to be included in the resource activity collection process:

  • Security change
  • Create
  • Delete
  • Rename
  • Write
  • Read (Disabled by default)

NOTE: When resource activity collection is enabled, read operations are not collected by default. Care should be taken when enabling read operations because they may cause performance issues.
Aggregation

Select how often you would like to aggregate the data. Valid aggregation intervals are:

  • 5 minutes
  • 1 hours
  • 8 hours (default)
  • 1 day

All activity is aggregated within the set time frame, which is 8 hours by default. For example, if a user reads a file ten times within the time frame, it appears as a single line item with a count of 10.

 NOTE: The aggregation interval should be chosen carefully. A shorter interval gives more granular information about activities but can cause the size of the database to use up all the disk space on the server.

 NOTE: When using Change Auditor to collect resource activity, the aggregation setting is not available. Change Auditor is configured to collect events every 15 minutes on all managed hosts. For more information, see the Post installation configuration chapter in the One Identity Manager Data Governance Edition Deployment Guide

Resource Activity Exclusions

Click this button to specify the accounts, file extensions, and folders to be excluded from the resource activity collection process. By focusing on the objects in whose activity you are interested, you can reduce network traffic.

Certain well known system accounts, file extensions, and folders are excluded by default, such as:

  • Accounts: Local Service, Network Service, Null SID, System

    		 NOTE: The Accounts tab is not available for NFS managed hosts.
  • File Extensions: Database files, Disc Image files, Email files, Executable files, Explorer Metadata files, Log files, Shortcut files, Temporary files, and Virtual machine files

  • Folders: %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%

By default, the Data Governance agent excludes the run as account (local managed hosts) and the domain service account (remote managed hosts) from activity collection and aggregation regardless if the service account is specified in the Resource Activity Exclusions list. The service account for SharePoint farm managed hosts are not excluded by default; you will need to add the SharePoint service account manually for SharePoint farm managed hosts.

To see the full list, click the Resource Activity Exclusions button.

  • If the list is empty on the Resource activity exclusions dialog, click Default to populate the exclusions list with default values.
  • To add an object to the exclusion list, click Add and specify the account, file extension or folder.

NOTE: When using Change Auditor to collect resource activity, the Resource Activity Exclusions feature is not available. For more information, see the Post installation configuration chapter in the One Identity Manager Data Governance Edition Deployment Guide.

View/Update cepp.conf

For EMC Celerra/VNX hosts, this button allows you to view or update the cepp.conf file for the selected data mover.

Clicking this button displays a Logon Credentials dialog allowing you to enter the EMC Celerra/VNX control station credentials and to select the data mover to be scanned.

  • Control Station: Enter the IP address or host name of the EMC Celerra/VNX control station.
  • User: Enter the user name of an account with administrative rights on the specified control station.

  • Password: Enter the password associated with the user account entered.

    The client attempts to connect and loads the list of available data movers on the specified device.

  • Data Mover: Select the data mover that holds the managed paths you wish to monitor and will also be associated with resource activity collection.

The client then retrieves and displays the cepp.conf file from the selected data mover. You can edit the Proposed cepp.conf file (lower pane) as needed. To save your edits, select Update File. The client then sends the Proposed cepp.conf file to the EMC device. It will stop and start the cepp service for the selected data mover to apply the new cepp.conf file.

Click the Check Status button to retrieve the same information you wold get if you ran "server_cepp server_2-pool-info" on the EMC device.

Resource activity exclusions dialog

The Resource activity exclusions dialog allows you to specify the accounts, file extensions or folders to be excluded from resource activity tracking. This dialog appears when you click the Resource Activity Exclusions button on the Managed Host Settings dialog.

This dialog contains the following controls:

Table 52: Resource activity exclusions dialog: Controls
Tab/Control Description
Accounts

Use the Accounts tabbed page to specify accounts that are to be excluded from resource activity tracking. By default, the following accounts are excluded:

  • Local Service
  • Network service
  • Null SID
  • System

NOTE: The agent will always filter out activity generated by the agent service account regardless if the service account is specified in the Resource Activity Exclusions. This applies to all local and remote managed hosts; however, the agent service account for SharePoint managed hosts are not excluded by default. You will need to add the SharePoint service account manually for SharePoint managed hosts.

Use the buttons at the bottom of the dialog, as described below, to add and remove account to this exclusion list.

File Extensions

Use the File Extensions tabbed page to specify file extensions for the types of files to be excluded from resource activity tracking. Click the Default button to view the full list of file extensions that are excluded by default.

Use the buttons at the bottom of the dialog, as described below, to add and remove file extensions to this exclusion list.

 NOTE: N/A for SharePoint managed hosts.
Folders

User the Folders tabbed page to specify the folders to be excluded from resource activity tracking. By default the following folders are excluded:

  • %SystemRoot$
  • %ProgramFiles%
  • %ProgramFiles(x86)%

Use the buttons at the bottom of the dialog, as described below, to add and remove folders to this exclusion list.

 NOTE: N/A for SharePoint managed hosts.

Export

Click the Export button to save the currently displayed exclusion list. The type of file exported depends on the tabbed page currently displayed:

  • Accounts tab: QAM Account List (*.qamtl)
  • File Extensions tab: QAM Extension List (*.qamel)
  • Folders tab: QAM Folder List (*.qamtf)

Import

Click the Import button to import a previously exported exclusion list. The type of file to be imported depends on the tabbed page currently displayed:

  • Accounts tab: QAM Account List (*.qamtl)
  • File Extensions tab: QAM Extension List (*.qamel)
  • Folders tab: QAM Folder List (*.qamtf)

Default

Click the Default button to view and add the default accounts, file extensions or folders to the displayed exclusion list.

Remove

Click the Remove button to remove the selected object from the displayed exclusion list.

Add

Click the Add button to add an object to the displayed exclusion list.

  • On the Accounts tab, clicking this button displays the Select User or Group dialog allowing you to locate and select a User or Built-in security principal.
  • On the File Extensions tab, clicking this button displays the Add Excluded Extension dialog, allowing you to select a category and enter the file extension to be excluded.
  • In the Folders dialog, clicking this button displays the Specify the folder to exclude dialog, allowing you to enter the name of the folder to be excluded.

OK

Click the OK button to save your selections and close the dialog.

Cancel

Click the Cancel button to close the dialog without saving your selections.

Apply

Click the Apply button to save your selections without closing the dialog.
Related Topics

Managed host settings dialog

Resource activity page

Editing managed host properties

Editing managed host settings

You can edit the managed host settings for one or more managed hosts of the same host type. For more information on the configuration options available, see Managed host configuration settings. You can also use the Edit host settings task to add, remove or change the agents used to scan a remote managed host. For more information, see Removing agents.

To edit a managed host’s configuration settings

  1. In the Navigation view, select Data Governance | Managed hosts.

  2. In the Managed Hosts view (right pane), select the required managed host with a status of Managed.

  3. Select Edit host settings in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Managed Paths page to change the paths to be scanned and monitored.
    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.
  4. After making the required changes, click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time. However, if you modified the managed paths being scanned and the Immediately scan on agent restart or when managed paths change option is selected on the Security Scanning page, the agent initiates a scan immediately.

To edit multiple managed hosts

Note: When multiple managed hosts are selected, keep in mind that the settings are overwritten for all selected managed hosts and only the settings that are appropriate for the selected managed host type are applied. Because of this, you may notice that not all the same pages are displayed when multiple managed hosts are selected for editing (for example, the Managed Paths page is not displayed).

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select multiple managed hosts with the same host type in the Managed hosts view

  3. Select Edit host properties in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.

    The options displayed are the factory default values regardless of the current values of the selected managed hosts.

  4. Select the Apply these settings to all selected managed hosts check box and make the required changes, which will be applied to all selected managed hosts.
  5. Click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating