Granting SQL Server permissions
To grant SQL Server permissions
- Create a new SQL login or use an existing login. (Open SQL Management Studio, connect to the SQL Server, expand the Security node – Logins, and create a new login or select an existing login.)
-
Open the login properties, and select the required server role.
Note: The Public role is selected by default.
- Switch to User Mapping and choose a database for which the permissions need to be granted and select the required database roles.
Granting Active Directory permissions
Service Account is not a member of the Domain Users group
Domain users can Read All Properties and List Content in domains to which they belong. However, when a user account is used to manage a trusted domain, they must be assigned permissions to List Content and grant properties through ADSIEDIT.msc.
If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), the following additional rights are required in the domain to be managed:
- List Contents and Read All Properties rights on the managed domain.
- List Contents and Read All Properties rights on the system container of the managed domain.
- Read All Properties on the OU containing all domain groups.
- Service connection point should be created manually.
These rights will function for forest-wide authentication. For selective authentication, the service account must be a member of the domain you want to manage.
To assign “List Contents” and “Read All Properties” rights on the managed domain
- Right-click the domain root and select Properties.
- Click the Security tab, and click Advanced.
- Click Add, select the required account, and assign List Contents and Read All Properties.
- Apply it to This object only.
To assign “List Contents” and “Read All Properties” rights on the system container of the managed domain
- Right-click the system container and select Properties.
- Click the Security tab, and click Advanced.
- Click Add, select the required account, and assign List Contents and Read All Properties.
- Apply it to This object only.
To assign “Read All Properties” rights to OUs containing all domain groups
- Right-click the domain root, select Properties.
- Click the Security tab, and click Advanced.
- Click Add, select the required account, and assign Read All Properties to all descendant group objects.
To manually create a service connection point
|
|
Note: When the Data Governance service starts up, a Service Connection Point (SCP) is automatically created/updated. The Data Governance Configuration wizard specifies the deployment name assigned to a Data Governance Edition deployment and the Data Governance service will install the SCP with that name. "DEFAULT" is the default deployment name. |
When an account from a trusted domain is used, use the following PowerShell command to register the SCP:
Register-QServiceConnectionPoint –DomainDNSName <Fully Qualified Domain DNS Name> -DeploymentID <Deployment Name> -ServerDNSName <Fully Qualified DGE Server DNS Name> -ServerNetTcpPortNumber 8722
|
|
Note: To find the DeploymentID run the Get-QDeploymentInfo command. |
|
|
Note: The HTTP port aligns with the net.tcp port; therefore, when you specify the ServerNetTcpPortNumber, the HTTP port automatically selects -1 from the port specified in the ServerNetTcpPortNumber parameter. |
If you find it necessary to remove the SCPs from a single Data Governance Edition deployment or all deployments, use the Remove -QServiceConnectionPoint PowerShell command.
Data Governance Edition required ports
|
|
Note: For agent deployments, open the following file and printer sharing ports:
|
| Port | Direction | Description | ||||
|---|---|---|---|---|---|---|
|
8721 |
Incoming |
TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell. | ||||
|
8722 |
Incoming |
TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, One Identity Manager web server, and PowerShell.
| ||||
|
8723 |
Incoming |
HTTP port used for communication with the One Identity Manager web server (/landing and /home pages). | ||||
|
18530 - 18630 |
Incoming |
TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host will use port 18530, and each subsequent agent on the same host will take the next available port, i.e., 18531, 18532, and so on.). In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled. |
Install One Identity Manager Data Governance Edition
A Data Governance Edition deployment relies on a successfully deployed One Identity Manager. The intent of this guide is to focus on the Data Governance Edition components. For complete details on installing and configuring the One Identity Manager components see the One Identity Manager Installation Guide.
|
|
Note: One Identity Manager Data Governance Edition requires a number of "modules" to be enabled during installation in order to provide the proper connectivity to Active Directory, File System, and SharePoint as well as presenting IT and business functions throughout the product. Installing One Identity Manager Data Governance Edition ensures that you have the required modules available. If you have NetApp or EMC Isilon storage devices with NFS file system protocol enabled and want to add NFS managed hosts to your Data Governance Edition deployment, you must also install the UNIX module. Data Governance Edition does NOT require the CSM module for scanning folders hosted on SharePoint Online or OneDrive for Business host types. |
To install One Identity Manager Data Governance Edition:
- Run the Autorun.exe. Open the Installation page and install One Identity Manager Data Governance Edition.
-
The One Identity Manager Data Governance Edition setup wizard appears. Click Next to start the installation and follow the prompts on the screens.
Note: To install the UNIX module required for NFS managed hosts:
- On the Installation Settings page of the setup wizard, select the Add more modules to the selected edition check box.
- On the Module selection page, select Unix under the Target Systems pane.
- Once the installation has successfully completed, use the options on the last page of the setup wizard to run the following configuration programs:
- Run the Configuration wizard to create and configure the One Identity Manager database.
-
Run the Job Service Configuration to configure the One Identity Manager service.
NOTE: Once the job service configuration is completed, perform the following steps to ensure that the One Identity Manager service (job server) is successfully configured for use with Data Governance Edition.
- Launch the Windows Services snap-in and locate the One Identity Manager Service.
- Double-click to open the properties dialog.
- Open the Log On tab and select the This account option. Enter the user account and credentials to be used for the service.
- Click Apply and then click OK to close the properties dialog.
- Launch the Designer.
- In the lower pane of the navigation view, select Base Data.
- In the Base Data navigation view, select Installation | Job server.
- At the bottom of the right-hand pane, select the Server functions tab. Ensure that the following server functions are checked (Double-click a server function to select it.):
- Active Directory connector
- CSV connector
- Data Governance connector
- Default report server
- One Identity Manager connector
- SharePoint connector
- SMTP host
- Unix connector (if scanning NFS managed hosts)
After ensuring these server functions are selected, click the
Commit to database tool bar button.
- Select the One Identity Manager Service configuration tab (bottom of the right-hand pane). Ensure the job server configuration file previously created is being used.
- Click the File open (
) tool bar button.
- Locate and select the JobService.cfg file and click Open.
After ensuring the correct job server configuration file is being used, click the Commit to database tool bar button.
- Click the File open (
- Launch the Services snap-in and start the One Identity Manager Service.
- Launch the Windows Services snap-in and locate the One Identity Manager Service.
-
Run the Data Governance Configuration to deploy the Data Governance server and create the Data Governance Resource Activity database.For more information, see Deploy Data Governance Edition components.
Note: At this point in the process, you can launch the Manager to configure Data Governance service accounts and managed domains, add managed hosts and deploy agents. For more information on service accounts and managed domains. see Authentication using service accounts and managed domains. For more information on managed hosts and agents, see Working with managed hosts and agents.
- Back on the Installation page of the Autorun, install the Web based components. For more information, see the One Identity Manager Installation Guide.
- To get a complete view of your environment, run the One Identity Manager Synchronization Editor to synchronize your target environments (Active Directory, SharePoint and Unix). For more information, see Post installation configuration.