To grant SQL Server permissions
Open the login properties, and select the required server role.
Note: The Public role is selected by default.
Domain users can Read All Properties and List Contents in the domains to which they belong. However, when a user account is used to manage a trusted domain, it must be granted the List Contents and Read All Properties permissions in that domain through ADSIEDIT.msc.
If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), the following additional rights are required in the domain to be managed:
These rights will function for forest-wide authentication. For selective authentication, the service account must be a member of the domain you want to manage.
To assign “List Contents” and “Read All Properties” rights on the managed domain
To assign “List Contents” and “Read All Properties” rights on the system container of the managed domain
To assign “Read All Properties” rights to OUs containing all domain groups
To manually create a service connection point
Note: When the Data Governance service starts up, a Service Connection Point (SCP) is automatically created or updated. The Data Governance Configuration wizard specifies the deployment name assigned to a Data Governance Edition deployment, and the Data Governance service installs the SCP with that name. "DEFAULT" is the default deployment name.
When an account from a trusted domain is used, use the following PowerShell command to register the SCP:
Register-QServiceConnectionPoint -DomainDNSName <Fully Qualified Domain DNS Name> -DeploymentID <Deployment Name> -ServerDNSName <Fully Qualified DGE Server DNS Name> -ServerNetTcpPortNumber 8722
Note: To find the DeploymentID, run the Get-QDeploymentInfo command.

Note: The HTTP port is tied to the net.tcp port: when you specify ServerNetTcpPortNumber, the HTTP port is automatically set to one less than that value (for example, 8721 when the net.tcp port is 8722).
If you need to remove the SCPs from a single Data Governance Edition deployment or from all deployments, use the Remove-QServiceConnectionPoint PowerShell command.
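The following script is an added example, not part of the One Identity documentation. It wraps the SCP registration shown above for a trusted-domain account with a reachability check on both the net.tcp port and the derived HTTP port (net.tcp minus one) before the SCP is written; the hostnames are placeholders, and it assumes the Data Governance cmdlets are already loaded in the session.

```powershell
# Added example (not One Identity's code): pre-flight check, then SCP registration.
# Assumes Register-QServiceConnectionPoint is available in this session.
param(
    [string]$DomainDNSName = '<managed-domain-fqdn>',   # placeholder: domain to register the SCP in
    [string]$DeploymentID  = 'DEFAULT',                 # default deployment name per the docs
    [string]$ServerDNSName = '<dge-server-fqdn>',       # placeholder: Data Governance server FQDN
    [int]$NetTcpPort       = 8722                       # default net.tcp port from the docs
)

# The HTTP (REST) port is always one below the net.tcp port (8721 for 8722).
$httpPort = $NetTcpPort - 1

# Confirm both listeners are reachable from this host before writing the SCP;
# a stale SCP that points clients at an unreachable server is worse than none.
foreach ($port in @($NetTcpPort, $httpPort)) {
    $result = Test-NetConnection -ComputerName $ServerDNSName -Port $port -WarningAction SilentlyContinue
    if (-not $result.TcpTestSucceeded) {
        throw "TCP port $port on $ServerDNSName is not reachable; check the inbound firewall rules first."
    }
    Write-Host "TCP port $port on $ServerDNSName is reachable."
}

# Register the SCP with exactly the parameters documented above.
Register-QServiceConnectionPoint -DomainDNSName $DomainDNSName `
    -DeploymentID $DeploymentID `
    -ServerDNSName $ServerDNSName `
    -ServerNetTcpPortNumber $NetTcpPort

Write-Host "SCP for deployment '$DeploymentID' registered in $DomainDNSName (net.tcp $NetTcpPort, HTTP $httpPort)."
```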
Note: For agent deployments, open the following file and printer sharing ports:

Port | Direction | Description
---|---|---
8721 | Incoming | TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.
8722 | Incoming | TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, the One Identity Manager web server, and PowerShell.
8723 | Incoming | HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).
18530 - 18630 | Incoming | TCP port range opened on all agent computers. Used for communication with the Data Governance server. The first agent on an agent host uses port 18530, and each subsequent agent on the same host takes the next available port (18531, 18532, and so on). In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
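The script below is an added example, not part of the One Identity documentation. It creates the inbound Windows Firewall rules for the ports in the table, scoped to the Domain profile and, for the agent port range, restricted to the Data Governance server address, so the rules are no wider than the documented traffic requires. It assumes the NetSecurity module (New-NetFirewallRule) is present, the session is elevated, and the address values are placeholders for your environment.

```powershell
# Added example (not One Identity's code): idempotent inbound rules for the DGE ports.
# -Role Server is run on the Data Governance server; -Role Agent on each agent host.
param(
    [ValidateSet('Server', 'Agent')][string]$Role = 'Server',
    [string[]]$DgeServerAddress = @('<dge-server-ip>'),   # placeholder: DGE server address(es)
    [string[]]$ClientAddresses  = @('Any')                # placeholder: agent/Manager/web server subnets
)

function Ensure-InboundTcpRule {
    param(
        [string]$Name,
        [string]$LocalPort,                # single port or "start-end" range
        [string[]]$RemoteAddress = @('Any')
    )
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists; skipping."
        return
    }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -LocalPort $LocalPort -RemoteAddress $RemoteAddress `
        -Profile Domain -Action Allow | Out-Null
    Write-Host "Created '$Name': TCP $LocalPort from $($RemoteAddress -join ', ')"
}

switch ($Role) {
    'Server' {
        # Ports from the table above, opened on the Data Governance server.
        Ensure-InboundTcpRule -Name 'DGE REST API (HTTP)'     -LocalPort '8721' -RemoteAddress $ClientAddresses
        Ensure-InboundTcpRule -Name 'DGE net.tcp'             -LocalPort '8722' -RemoteAddress $ClientAddresses
        Ensure-InboundTcpRule -Name 'DGE web server (HTTP)'   -LocalPort '8723' -RemoteAddress $ClientAddresses
    }
    'Agent' {
        # Agent listener range; only the DGE server needs to reach it.
        Ensure-InboundTcpRule -Name 'DGE agent listeners' -LocalPort '18530-18630' -RemoteAddress $DgeServerAddress
    }
}
```

Re-running the script is safe because rules are matched by display name; remove the rule and run again if you need to change its scope.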
A Data Governance Edition deployment relies on a successfully deployed One Identity Manager. The intent of this guide is to focus on the Data Governance Edition components. For complete details on installing and configuring the One Identity Manager components see the One Identity Manager Installation Guide.
Note: One Identity Manager Data Governance Edition requires a number of "modules" to be enabled during installation in order to provide the proper connectivity to Active Directory, File System, and SharePoint, as well as presenting IT and business functions throughout the product. Installing One Identity Manager Data Governance Edition ensures that you have the required modules available. If you have NetApp or EMC Isilon storage devices with the NFS file system protocol enabled and want to add NFS managed hosts to your Data Governance Edition deployment, you must also install the UNIX module. Data Governance Edition does NOT require the CSM module for scanning folders hosted on SharePoint Online or OneDrive for Business host types.
To install One Identity Manager Data Governance Edition:
The One Identity Manager Data Governance Edition setup wizard appears. Click Next to start the installation and follow the prompts on the screens.
Note: To install the UNIX module required for NFS managed hosts:
Run the Job Service Configuration to configure the One Identity Manager service.
Note: Once the job service configuration is completed, perform the following steps to ensure that the One Identity Manager service (job server) is successfully configured for use with Data Governance Edition.
Run the Data Governance Configuration to deploy the Data Governance server and create the Data Governance Resource Activity database. For more information, see Deploy Data Governance Edition components.

Note: At this point in the process, you can launch the Manager to configure Data Governance service accounts and managed domains, add managed hosts, and deploy agents. For more information on service accounts and managed domains, see Authentication using service accounts and managed domains. For more information on managed hosts and agents, see Working with managed hosts and agents.
© 2023 One Identity LLC. All rights reserved.