
Identity Manager Data Governance Edition 8.0 - Release Notes

Resource Activity database server

The Resource Activity Database server refers to the server hosting the Data Governance Edition Resource Activity database.

NOTE: You can use your pre-existing One Identity Manager database server to host the resource activity database.

This server must meet the following system requirements.

Table 26: Minimum system requirements: Resource Activity Database server
Processor: quad core CPU
Memory: 16GB RAM
Free disk space: 100GB

Supported target systems

The following target systems are supported for scanning.

Table 27: Supported target systems (columns: Target, Version, Additional notes)

Windows Server

The following Windows Server versions are supported for scanning (local or remote managed hosts):

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Resource activity collection is not supported for remotely managed Windows Server hosts.

Windows Cluster

The following failover clusters are supported for scanning (remote managed host):

  • Windows 2008
  • Windows 2008 (R2)
  • Windows 2012
  • Windows 2012 (R2)
  • Windows 2016

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Resource activity collection is not supported for Windows clusters.

NetApp CIFS Devices

The following NetApp filer versions (with CIFS file system protocol enabled) are supported for scanning (remote managed host):

  • NetApp ONTAP 7.3
  • NetApp ONTAP 8.0
  • NetApp ONTAP 8.1
  • NetApp ONTAP 8.2
  • NetApp ONTAP 8.3

NOTE: Both NetApp 7-Mode and Cluster Mode are supported.

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

Real-time security updates and resource activity collection are not supported on versions of NetApp ONTAP filers earlier than 7.3.

NetApp storage devices require additional configuration.

NetApp NFS Devices

The following NetApp filer versions (with NFS file system protocol enabled) are supported for scanning (remote managed host):

  • NetApp ONTAP 7.3
  • NetApp ONTAP 8.0
  • NetApp ONTAP 8.1
  • NetApp ONTAP 8.2
  • NetApp ONTAP 8.3

NOTE: Both NetApp 7-Mode and Cluster Mode are supported.

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process.

For NetApp 7-Mode managed hosts, real-time security updates and resource activity collection require FPolicy, and FPolicy in turn requires CIFS to be installed and running.

NetApp storage devices require additional configuration.

EMC CIFS Devices

The following EMC devices are supported for scanning (remote managed host):

  • EMC Celerra
  • EMC VNX
  • EMC Isilon

The following EMC Framework versions (with CIFS file system protocol enabled) are supported:

  • Common Event Enabler (CEE) 7.1 (or higher)

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

VNXe is not supported. VNXe does not currently support CEPA, so Data Governance Edition will not run successfully in VNXe environments.

EMC storage devices require additional configuration.

EMC Isilon NFS Devices

The following EMC Isilon devices (with NFS file system protocol enabled) are supported for scanning (remote managed host):

  • EMC Isilon 7.2
  • EMC Isilon 8.0

NOTE: The space required depends on the configuration, the number of files, folders and shares scanned with explicit permissions, and the amount of activity processed.

NFS managed hosts require the UNIX module to be installed during the One Identity Manager installation and configuration process.

Resource activity collection is not supported for EMC Isilon NFS managed hosts.

EMC storage devices require additional configuration.

SharePoint

The following SharePoint versions are supported for scanning (local managed host):

  • SharePoint Server 2010
  • SharePoint Server 2013

100GB disk space on the SharePoint agent computer for data storage and scan post-processing activities.

NOTE: The space required depends on the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm.

8GB RAM for the SharePoint agent computer.

The agent is installed on the computer where the One Identity Manager service (job server) for the SharePoint farm is running.

We recommend installing the One Identity Manager service on a dedicated SharePoint 2010/2013 Application Server in the farm, not on a Web Front End server, so that no extra processing load is placed on that server.

Standalone farms are not supported.

Farms configured with only Local Users and Groups are not supported.

Cloud

The following cloud providers running on Office 365 are supported for scanning (remote managed host):

  • SharePoint Online
  • OneDrive for Business

Resource activity collection is not supported for Cloud managed hosts.

OneDrive for Business support is limited to the Documents folder of the Administrator account. Therefore, all managed paths are selected from within the scope of the Administrator's Documents folder.

DFS Root

Windows 2008 Active Directory DFS and higher


Data Governance Edition minimum permissions

The following table contains the permissions required to properly deploy Data Governance Edition.

Table 28: Required minimum permissions (columns: Account, Permission)

System user (Active Directory account logged on to the computer) AND Manager user (Active Directory account running the Manager)

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance/Administrators application role or the Data Governance/Access Managers application role.

NOTE: If the System user does not have the appropriate roles assigned, you will see the Data Governance Edition features in the Manager, but will encounter errors when attempting to perform Data Governance Edition-related tasks. If the Manager user does not have the appropriate roles assigned, you will not see the Data Governance Edition features in the Manager.

Service account assigned to a managed domain

Log On as a Service local user rights on the Data Governance server.

Local Administrator rights on Data Governance agent computers.

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), additional rights are required.

SQL service account for connection with the Data Governance Resource Activity database

dbcreator server role is required to create the database during initial configuration of Data Governance Edition.

db_owner role is required to work with the database.

SQL service account for connection with One Identity Manager database

db_owner role for the One Identity Manager database.

Service account for an agent on Local Windows managed hosts

The agent runs under the Local System account. No additional rights are required.

Service account for an agent managing remote Windows managed hosts

Local Administrator rights on the managed host.

NOTE: If you see errors after granting Local Administrator rights, log off and log on to the computer where Local Administrator was granted.

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Service account for an agent managing SharePoint farms

Must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). This account also needs to be a member of the administrators group on the SharePoint server.

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Service account for an agent managing NetApp filers

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Must be a member of the local Administrators group on the NetApp filer in order to create FPolicy.

Must have permissions to access folders being scanned.

Service account for an agent managing EMC Isilon storage devices

Log On as a Service local user rights on the agent computer. (This is automatically granted when the agent is deployed.)

Must have "run as root" permissions on the Isilon SMB share that has been selected as a managed path.

One Identity Manager service (job server) account used for scheduling Data Governance Edition reports

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance/Administrators application role or the Data Governance/Access Managers application role.

Active Directory account used by the AppServer to establish communication between the Data Governance server and the Manager

Must have an associated One Identity Manager Employee.

Employee must be assigned the Data Governance/Administrators and the Data Governance/Access Managers application roles.

NOTE: This account must be added as the AppServer pool identity in Internet Information Services (IIS) Manager. If the AppServer application pool is set to the default Network Security identity, Data Governance Edition reports will fail to generate.

Data Governance Edition required ports

NOTE: For agent deployments, open the following file and printer sharing ports:

  • TCP 135
  • UDP 137
  • UDP 138
  • TCP 139
  • TCP 445

Table 29: Ports required for communication (columns: Port, Direction, Description)

8721 (Incoming)

TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.

8722 (Incoming)

TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, One Identity Manager web server, and PowerShell.

NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above should always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you only change this port using the Data Governance Configuration wizard to ensure the configuration file, One Identity Manager database and service connection points are updated properly; otherwise, you may lose connection with the Manager, the Data Governance service and/or Data Governance agents.

IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

8723 (Incoming)

HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).

18530 - 18630 (Incoming)

TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host will use port 18530, and each subsequent agent on the same host will take the next available port, i.e., 18531, 18532, and so on.) In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
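The following PowerShell check is an added example, not code from the One Identity release notes or product: it reads the IndexServerHost base addresses from DataGovernanceEdition.Service.exe.config, confirms the HTTP port is exactly one less than the net.tcp port as the note above requires, and probes the three server ports from Table 29. It assumes the config file uses the standard WCF layout (service > host > baseAddresses > add baseAddress="..."); the file path and server name are placeholders.

```powershell
# Added configuration check (not part of the One Identity documentation).
# Assumption: standard WCF <system.serviceModel> layout in the .exe.config;
# the config path and server name at the bottom are placeholders.

function Get-DgeBaseAddressPorts {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    # Locate the IndexServerHost service element named in the note above.
    $svc = @($cfg.configuration.'system.serviceModel'.services.service) |
        Where-Object { $_.name -like '*IndexServerHost*' }
    if (-not $svc) { throw "No IndexServerHost service element found in $ConfigPath" }
    $ports = @{}
    foreach ($entry in @($svc.host.baseAddresses.add)) {
        $uri = [uri]$entry.baseAddress        # e.g. net.tcp://localhost:8722/...
        $ports[$uri.Scheme] = $uri.Port       # keyed by scheme: 'http' / 'net.tcp'
    }
    return $ports
}

function Test-DgeServerPorts {
    param(
        [Parameter(Mandatory)][hashtable]$Ports,
        [Parameter(Mandatory)][string]$ServerName,
        [int]$WebPort = 8723                  # /landing and /home pages (Table 29)
    )
    $http = [int]$Ports['http']
    $tcp  = [int]$Ports['net.tcp']
    $ok = $true
    # Invariant from the note above: HTTP port = net.tcp port - 1.
    if ($http -ne ($tcp - 1)) {
        Write-Warning "HTTP port $http should be $($tcp - 1) (net.tcp port $tcp minus 1)."
        $ok = $false
    }
    # Each server port must accept a TCP connection from this machine.
    foreach ($p in @($http, $tcp, $WebPort)) {
        $r = Test-NetConnection -ComputerName $ServerName -Port $p -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) {
            Write-Warning "${ServerName}:${p} is not reachable."
            $ok = $false
        }
    }
    return $ok
}

# Usage (placeholders): run on the Data Governance server, where the config file lives.
$ports = Get-DgeBaseAddressPorts -ConfigPath 'C:\PLACEHOLDER\DataGovernanceEdition.Service.exe.config'
if (Test-DgeServerPorts -Ports $ports -ServerName 'dge-server.example.com') { 'Port layout OK' }
```

A failed probe on 8721 or 8722 after a port change made outside the Data Governance Configuration wizard is the symptom the note above warns about; re-run the wizard rather than editing the config or the QAMServer parameters by hand.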
