
Identity Manager Data Governance Edition 8.0 - Deployment Guide


Cloud Provider page

The Cloud Provider page appears when managing a cloud resource. Use this page to enter the Office 365 domain and administrator account login credentials to be used to authenticate with the Data Governance Edition API cloud proxy. This API cloud proxy provides a consistent method for Data Governance Edition to interface with different cloud providers. When valid login credentials are provided, the system issues an access token which is used during the current and subsequent sessions to access resources hosted by the specified cloud provider.

Note: This page only applies to Cloud managed hosts.

Table 21: Cloud Provider page: Controls

<DomainName>.onmicrosoft.com

Enter the name of the Office 365 domain to be used.

For example: Enter MyDomain as the domain name.

NOTE: Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

Email

Enter the email address of the administrator account to be used to authenticate with the cloud proxy.

For example: Administrator@MyDomain.onmicrosoft.com

NOTE: You must create a separate administrator account for this purpose. This administrator account must be a SharePoint Online Administrator or have equivalent access. Each site will be modified to list this account as a Site Collection Administrator for the site. This provides the account with access to the site's contents.

For SharePoint Online, create a separate Global Administrator account.

Password

Enter the password associated with the specified email account.

Continue

After entering the Office 365 domain and administrator account login credentials, clicking the Continue button redirects you to Microsoft to sign in to your account and grant access to Office 365 data.

  1. The administrator account previously entered is displayed.
  2. Re-enter the password associated with the specified administrator account.
  3. Click Sign In.
  4. Click Accept to agree to the access required by the Data Governance Edition API cloud proxy.

Data Governance Edition will then have access to the specified resources for all users in your organization; no other user will be prompted to enter credentials.

Agents page

Use the Agents page of the Managed Hosts Settings dialog to configure the agent(s) to be used to monitor remote managed hosts and SharePoint farms. Once an agent is deployed, use the Agents view to check its status and performance metrics.

Note: For EMC managed hosts, if you are collecting resource activity (Collect and aggregate events on the Resource Activity page) or real-time security updates (Collect activity for real-time security updates on the Security Scanning page), you can only specify one agent to scan the EMC storage device.

Note: You can only specify one agent to scan a cloud host.

Table 22: Agents page: Remote managed hosts

Select the agent

Select the agent host computer to be used to monitor the target computer.

Select the service account

Select the service account with sufficient permissions to access both the target computer and the agent host.

An agent requires a service account that has the rights to read security information on the remote host. Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

Add

After selecting the agent and service account, click the Add button to add it to the Agents list.

Remove

Select an agent from the Agents list and click the Remove button to remove it from the Agents list.

NOTE: Removing the selected agent also removes the configured managed paths for the agent.

Agent list

Displays the agent(s) selected to monitor the target computer.

NOTE: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

Table 23: Agents page: SharePoint farm managed hosts

Agent Service Account

Select the service account with sufficient permissions to access the SharePoint farm.

The service account must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). The SharePoint farm account also needs to be added to the local Administrators group on the SharePoint server.

Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

Managed paths page

Managed paths determine the unstructured data for which a security index is maintained. A managed path is the root of an NTFS directory tree to be scanned by an agent, or a point in your SharePoint farm hierarchy below which everything is scanned. The agent monitors the specified managed paths for changes to security settings to maintain the security index. In addition, if resource activity collection is enabled, the agent collects resource activity for resources within these same managed paths.

Use the Managed Paths page on the Managed Host Settings dialog to specify the paths to be monitored and scanned for the target managed host.

NOTE: For all managed host types, when placing a resource under governance, the resource must be a managed path or a folder or share under a managed path.

  • For remote managed hosts, if you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. If the managed host has more than one agent assigned, you are prompted to select which agent to add the managed path to.
  • For local managed hosts, if you are scanning managed paths (that is, there are paths in the managed paths list), and you select to place a resource under governance that is not yet defined as a managed path, the path is automatically added to the managed paths list. However, if you are scanning the entire server (that is, the managed paths list is empty) and you place a resource under governance, no changes are made to the managed paths list and you continue to scan the entire server.

Table 24: Managed paths page: Controls and settings

Managed paths list

Displays the managed paths to be monitored by the agent.

  • For local managed hosts, when this list is empty, all NTFS drives are scanned and monitored (default scan behavior). When paths are added to this list, only the specified paths are scanned and monitored.
  • For remote managed hosts, you must specify the paths to be managed in order for scanning to occur. So if this list is empty, no scanning will occur for the target managed host.

Add

Use the Add button to define the paths to be monitored. Clicking the Add button displays the Managed Paths Picker dialog allowing you to select the paths to be managed and the agent to be used to scan the selected managed paths. On the Managed Paths Picker dialog, click the check box to the left of a path to add it to the managed paths list and use the Agent Selection field to specify the agent to be used to scan the different managed paths.

NOTE: Multiple agents cannot scan the same managed paths on a remote managed host.

Remove

Use the Remove button to remove a path from the managed paths list. Select the path(s) to be removed and click the Remove button.
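The managed paths rules above (a governed resource must be a managed path or sit under one; a local host with an empty list scans every drive while a remote host with an empty list scans nothing; one agent per path on a remote host; removing an agent removes its paths) as a small Python model. This is an added example, not the product's own code or data structures: the host type labels "local" and "remote", the agent names and the paths are constructed, and the containment check compares path components so that C:\Data does not cover C:\Database.

```python
"""Model of the managed paths rules for a Data Governance Edition managed host.

Added example, not the product's own code: host types, agent names and
paths below are constructed to illustrate the rules stated in the guide.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


class ManagedPathError(ValueError):
    """A change that would break one of the managed paths rules."""


@dataclass
class ManagedHost:
    host_type: str                                      # "local" or "remote" (constructed labels)
    agents: List[str] = field(default_factory=list)     # remote agents assigned to this host
    # agent name -> managed paths that agent scans ("local" for a local agent)
    managed_paths: Dict[str, List[PureWindowsPath]] = field(default_factory=dict)

    def all_paths(self) -> List[PureWindowsPath]:
        return [p for paths in self.managed_paths.values() for p in paths]

    def scans_entire_server(self) -> bool:
        # Empty list: a local host scans all NTFS drives, a remote host scans nothing.
        return self.host_type == "local" and not self.all_paths()

    def will_scan(self) -> bool:
        return self.scans_entire_server() or bool(self.all_paths())

    def covering_path(self, resource: str) -> Optional[PureWindowsPath]:
        """Return the managed path that `resource` is, or sits under, if any.

        Compared by path component, so C:\\Data does not cover C:\\Database.
        """
        target = PureWindowsPath(resource)
        for managed in self.all_paths():
            if target == managed or target.is_relative_to(managed):
                return managed
        return None

    def add_managed_path(self, path: str, agent: Optional[str] = None) -> None:
        new = PureWindowsPath(path)
        if self.host_type == "remote":
            if agent is None:
                if not self.agents:
                    raise ManagedPathError("no agent is assigned to this host")
                if len(self.agents) > 1:
                    # More than one agent: the dialog prompts for which agent gets the path.
                    raise ManagedPathError("select which agent should scan this path")
                agent = self.agents[0]
            if agent not in self.agents:
                raise ManagedPathError(f"{agent} is not assigned to this host")
            # Multiple agents cannot scan the same managed path on a remote host.
            for other, paths in self.managed_paths.items():
                if other != agent and new in paths:
                    raise ManagedPathError(f"{new} is already scanned by {other}")
        else:
            agent = "local"
        paths = self.managed_paths.setdefault(agent, [])
        if new not in paths:
            paths.append(new)

    def remove_agent(self, agent: str) -> None:
        # Removing an agent also removes the managed paths configured for it.
        self.agents.remove(agent)
        self.managed_paths.pop(agent, None)

    def place_under_governance(self, resource: str, agent: Optional[str] = None) -> str:
        """Apply the governance rule and report what happened to the managed paths list."""
        if self.covering_path(resource) is not None:
            return "already under a managed path"
        if self.scans_entire_server():
            # Whole-server scan on a local host: the list stays empty.
            return "entire server scanned; list unchanged"
        self.add_managed_path(resource, agent)
        return "added to managed paths"
```

Running `place_under_governance` on a remote host with two agents and no agent argument raises `ManagedPathError`, which stands in for the dialog's prompt to pick the agent; the same error is raised when a second agent is given a path another agent already scans.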

Security Scanning page

Use the Security Scanning page on the Managed Host Settings dialog to define when an agent is to perform the initial security scan and when to watch for changes to the structure and security of the file system. Where possible, schedule the scan for off-peak hours to avoid heavy network traffic.

The default behavior for security scanning is different depending on the type of agent deployed:

  • Local agents: By default, local agents begin scanning immediately when the agent is deployed. Subsequent scans occur on the configured schedule, which is daily at 2:00 A.M. by default.
  • Remote agents: Remote agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.
  • SharePoint farm agents: SharePoint farm agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.

You can modify the scan schedule and define the time and frequency with which the agent scans the target computer using the options available on the Security Scanning page. In addition to defining the security scan schedule, you can specify whether to ignore files and only store folder security data, as well as continuously monitor the file system and apply real-time updates to scanned security data.

Note: The schedule times for security scanning are based on the agent's local time.

Table 25: Security scanning page: Controls and settings

Scanning Schedule

Use the options in the Scanning Schedule pane to define the frequency at which the agent performs a full security scan on the target managed host.

NOTE: For remote managed hosts and SharePoint managed hosts, managed paths must be defined for scanning to occur. For more information, see Managed paths page.

Scan start time

Specifies the local time of day, with respect to the machine on which the agent is running, when the security scan is to start. The default start time is 2:00:00 AM. To change this time, use the arrow controls to specify a new time.

NOTE: When the Immediately scan on agent restart or when managed paths change option is selected, the scan start time is ignored for the initial scan.

Run Daily

Select this option to scan the target computer on a daily schedule. Use the days of the week check boxes to define when the scan will occur during the week and the Scan start time field to specify the time the daily scan is to begin.

  • Days of the week: Specifies the days of the week to be included in or excluded from the daily run. All days of the week are selected by default. Click the corresponding day check box to clear the check box and exclude that day from the daily schedule.

NOTE: For all agents, this option is selected by default along with a scan start time of 2:00 A.M. However, since local agents also have the Immediately scan on agent restart or when managed paths change option selected by default, the initial scan starts immediately when a local agent is deployed. This daily schedule is then used for subsequent scans by the agent. For remote and SharePoint agents, this daily schedule is used for the initial and subsequent scans.

Run on an interval

Select this option to scan the target computer on an hourly interval instead of a daily schedule. Selecting this option enables the Every control to specify the interval to be used.

  • Every: Specifies the hour interval to be used. Every 4 hours is specified by default. Click the arrow controls to select a different hour interval.

NOTE: When using the Run on an interval option, it is possible to choose a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time is skipped and the next scan starts as normal.

Run once

Select this option to schedule a single security scan by the agent.

NOTE: When the Run once option is selected, the Collect activity for real-time security updates option is automatically selected. This is to ensure that changes to the structure and security of the file system on the target managed host are applied to the scanned data.

Immediately scan on agent restart or when managed paths change

Select the Immediately scan on agent restart or when managed paths change option if you want the agent to scan immediately when it is added, when the agent is restarted, and when any managed paths are changed.

NOTE: For local agents, this option is selected by default. To delay the initial scan and use a configured scan time, clear this check box and use the options in the Scanning Schedule pane to define when to start the agent scan.

Ignore all files and only store folder security data

The Ignore all files and only store folder security data option controls whether the agent captures file security data for the target managed host during an agent scan. When this option is selected, only folder security data is stored; when it is cleared, the agent also includes file security data in the agent scan.

NOTE: For all supported managed host types, this option is selected by default, indicating that only folder security data is to be scanned.

NOTE: This option is not available for NFS host types.

Collect activity for real-time security updates

Select the Collect activity for real-time security updates option to have the agent watch for changes to the structure and security of the file system on the target managed host (that is, monitor create, delete, and rename operations, as well as DACL, SACL, and Owner changes). This results in a more up-to-date security index.

NOTE: When the Run once option is selected, this option is automatically selected to ensure that changes to the structure and security of the file system on the target host are applied to the scanned data.

NOTE: When using Change Auditor to collect resource activity, it is not recommended to enable the Collect activity for real-time security updates option on EMC or NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.

NOTE: This option is not available for Generic, SharePoint Farm, SharePoint Online or OneDrive for Business host types.

NOTE: When changing this setting, the agent starts watching for changes during and following the next scheduled full scan.
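The scheduling behaviour described in this table (Run Daily with days of the week and a 2:00 A.M. start, Run on an interval with a 4-hour default, Run once forcing real-time updates, the immediate first scan that only local agents get by default, and the rule that a scan due while the previous one is still running is skipped) as a Python model. This is an added example and not the product's code: the agent-type labels, the dates and the scan durations are constructed, and one assumption not stated in the guide is labelled in the code, namely that when Run on an interval is used without an immediate first scan, the interval counts from the first scan at the configured start time.

```python
"""Model of the Security Scanning schedule options for a Data Governance Edition agent.

Added example, not the product's own code. Agent-type labels, dates and
scan durations are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Mode(Enum):
    DAILY = "Run Daily"
    INTERVAL = "Run on an interval"
    ONCE = "Run once"


@dataclass
class ScanSchedule:
    agent_type: str                                 # "local", "remote" or "sharepoint" (constructed labels)
    mode: Mode = Mode.DAILY                         # Run Daily is the default for all agents
    start_time: time = time(2, 0)                   # Scan start time, agent local time, 2:00 AM by default
    days: FrozenSet[int] = frozenset(range(7))      # Days of the week, Monday=0; all selected by default
    every_hours: int = 4                            # Every: hour interval, 4 hours by default
    scan_immediately: Optional[bool] = None         # Immediately scan on agent restart...; None = type default
    realtime_updates: bool = False                  # Collect activity for real-time security updates

    def __post_init__(self) -> None:
        if not self.days:
            raise ValueError("at least one day of the week must remain selected")
        if self.scan_immediately is None:
            # Only local agents have the immediate-scan option selected by default.
            self.scan_immediately = self.agent_type == "local"
        if self.mode is Mode.ONCE:
            # Run once automatically selects real-time security updates.
            self.realtime_updates = True

    def next_daily(self, after: datetime) -> datetime:
        """Next start_time strictly after `after` that falls on a selected day of the week."""
        candidate = datetime.combine(after.date(), self.start_time)
        if candidate <= after:
            candidate += timedelta(days=1)
        while candidate.weekday() not in self.days:
            candidate += timedelta(days=1)
        return candidate

    def planned_starts(self, deployed_at: datetime, horizon: datetime) -> List[datetime]:
        """Times a scan is due to begin, from deployment up to and including horizon."""
        # Immediate-scan agents start at deployment; otherwise the start time is honoured.
        first = deployed_at if self.scan_immediately else self.next_daily(deployed_at)
        if self.mode is Mode.ONCE:
            return [first] if first <= horizon else []
        starts: List[datetime] = []
        due = first
        while due <= horizon:
            starts.append(due)
            if self.mode is Mode.INTERVAL:
                # Assumption (not stated in the guide): the interval counts from the first scan.
                due += timedelta(hours=self.every_hours)
            else:
                due = self.next_daily(due)
        return starts

    def simulate(self, deployed_at: datetime, scan_duration: timedelta,
                 horizon: datetime) -> List[Tuple[datetime, str]]:
        """Walk the planned starts; a scan due while the last one is still running is skipped."""
        log: List[Tuple[datetime, str]] = []
        busy_until = deployed_at
        for due in self.planned_starts(deployed_at, horizon):
            if due < busy_until:
                log.append((due, "skipped"))      # agent still busy with the previous scan
            else:
                log.append((due, "ran"))
                busy_until = due + scan_duration
        return log


if __name__ == "__main__":
    # Constructed scenario: a 4-hour interval with scans that take 5 hours, so every other scan is skipped.
    sched = ScanSchedule("local", mode=Mode.INTERVAL, every_hours=4)
    for when, status in sched.simulate(datetime(2018, 1, 1), timedelta(hours=5), datetime(2018, 1, 1, 18)):
        print(when.strftime("%a %H:%M"), status)
```

The `simulate` walk is where the interval note shows up: with a 4-hour interval and 5-hour scans, every second due time falls while the agent is still busy and is skipped rather than queued, so the effective cadence becomes 8 hours. Comparing the daily schedule of a remote agent deployed on a Friday with and without the weekend days cleared shows how the days-of-the-week check boxes move the first scan.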