
Identity Manager Data Governance Edition 8.0 - Technical Insight Guide


How to validate resource activity is making it to the Resource Activity database

Verifying resource activity is making it to the Resource Activity database

There are a number of ways, as described below, to verify that resource activity is being recorded properly:

  • At the agent level, on the agent host, in the agent instance directory, you can watch the "ResourceActivityStore_XYZ.sqlite" file increase in size.
  • For each aggregation interval, observe the creation of the ResourceActivityStore_*retired file. These files contain activity that will be forwarded to the Data Governance server.
  • At the Data Governance server level, check the DataGovernanceEdition.Service.exe.dlog file for a message similar to the one below, which is logged when an agent sends activity to the Data Governance server (search for the words in bold):

    2016-07-2015:14:33:539 [16][INFO][SendSplitMessageResponses(179)] Sending UpdateResourceUsage in 1 parts.

  • In the Manager, compare the following agent statistics in the Agents view:
    • Activity Enqueued: The number of resource activity records that have been queued and are waiting to get stored/aggregated in the Resource Activity store.
    • Activity Processed: The number of resource activity records that have been processed and stored in the Resource Activity store.
  • In the Manager, run the Resource Activity report:

    • In the Resource browser or Governed data overview, locate the target resource.
    • Select the target resource and select Resource activity report.
    • Specify the appropriate time range and click Finish to generate the report.
    • If the report lists the expected activities, activity is being correctly recorded.
  • In the Data Governance Edition Resource Activity database, check whether there are any items in dbo.AuditUsage. If there are, activity is correctly being sent from the agent to the Data Governance server and then to the Data Governance Edition Resource Activity database.
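
The server-side log check in the list above can be scripted. The following is an added example, not code from the product or its vendor: it parses .dlog lines in the layout of the sample message and reports when activity uploads stop arriving. The 30-minute threshold and every sample line except the first are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout taken from the sample line: timestamp [thread][LEVEL][Method(line)] message.
# \s* accepts the date and time with or without a separating space.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s*(\d{2}:\d{2}:\d{2}):(\d{3})\s+(?:\[[^\]]*\]){3}\s+(.*)$"
)
SEND_RE = re.compile(r"Sending UpdateResourceUsage in (\d+) parts?\.")

# First line is the sample from this page; the rest are constructed test data.
SAMPLE = [
    "2016-07-2015:14:33:539 [16][INFO][SendSplitMessageResponses(179)] Sending UpdateResourceUsage in 1 parts.",
    "2016-07-20 15:29:35:102 [16][INFO][SendSplitMessageResponses(179)] Sending UpdateResourceUsage in 2 parts.",
    "2016-07-20 15:31:00:000 [9][WARN][SomeOtherMethod(1)] unrelated message (constructed)",
    "2016-07-20 16:45:10:250 [16][INFO][SendSplitMessageResponses(179)] Sending UpdateResourceUsage in 1 parts.",
]

def parse_sends(lines):
    """Return (timestamp, parts) for each UpdateResourceUsage message found."""
    sends = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        sent = SEND_RE.search(m.group(4)) if m else None
        if sent:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}.{m.group(3)}",
                                   "%Y-%m-%d %H:%M:%S.%f")
            sends.append((ts, int(sent.group(1))))
    return sends

def find_gaps(sends, max_gap):
    """Return (previous, next) timestamp pairs further apart than max_gap.
    The message carries no agent name, so gaps are measured across all agents."""
    times = sorted(ts for ts, _ in sends)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

def is_stale(sends, now, max_gap):
    """True when no upload was logged or the newest one is older than max_gap."""
    return not sends or now - max(ts for ts, _ in sends) > max_gap

if __name__ == "__main__":
    max_gap = timedelta(minutes=30)  # assumed threshold; tune to the sync interval in use
    sends = parse_sends(SAMPLE)
    for start, end in find_gaps(sends, max_gap):
        print(f"no activity upload logged between {start} and {end}")
    print("stale:", is_stale(sends, datetime(2016, 7, 20, 17, 0), max_gap))
```

To run it against a real log, pass the lines of the DataGovernanceEdition.Service.exe.dlog file to `parse_sends` and use the current time for `now`.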

QAM module tables

Data Governance Edition information is stored in the QAM module tables in One Identity Manager. This chapter provides some additional details regarding some of the commonly used QAM module components.

QAM tables

The following One Identity Manager database tables are used to store Data Governance Edition data.

Table 7: QAM module: Tables
Table name Description
QAMAgent

Contains the installed agents for all locally managed hosts and remote hosts. Includes the correlation to a managed host, current agent status, agent version, agent name and public key information.

Example:

Agent DGE-SERVER is a local agent monitoring the server DGE-SERVER. Current status is OK and current version is x.x.

QAMAgentEvent

Stores the critical errors sent in by a running agent. You can view or clear critical errors through the Agents view in the Manager.

QAMAgentRoot

Contains the managed paths for all installed agents. Contains the responsible agent, the full path of the root, and the root type. This information is pushed to the agent configuration file as well.

Example:

\\dge-server\C$\Shares\Share1 is a folder managed path for agent DGE-SERVER.

QAMClassificationLevel

Stores data about the classification levels (pre-defined or customer-defined) available for classifying data.

QAMDfsTarget

Contains the DFS paths for all managed DFS hosts. Includes information pertaining to DFS targets, associating local paths on a given server to a DFS managed host: Local Path, Target Server, Target Share, DFS Path and DFS managed host.

Example:

DFS-Folder is a DFS target located on server X at local path Y associated with DFS managed host Z.

QAMDuG

Contains the resources under governance across all managed hosts, including the responsible managed host, resource type, security descriptor, paths, business ownership information, as well as whether the data is a point of interest, is published to the IT Shop, is stale, or is a backing folder for a share.

Example:

Share1 is an NTFS/Folder resource that is a point of interest, currently published to the IT Shop using Folder security, and owned by Gary. Last point of interest calculation occurred 15 minutes ago.

QAMHelper*

These tables help correlate accounts found in permissions, and therefore in QAMTrustee, to their identity, synchronized by One Identity Manager. These tables are also used by the web portal to map accounts and employees used to calculate perceived owners.

For example, it shows the correlation between an Active Directory user found in a security index on an agent to the Active Directory account synchronized within an Active Directory domain.

QAMLocalGroup

Stores the local groups discovered and synchronized on a Windows computer by the local agent.

QAMLocalUser

Stores the local users discovered and synchronized on a Windows computer by the local agent.

QAMLocalUserInLocalGroup

Correlates the local user accounts in QAMLocalUser with the groups they belong to in QAMLocalGroup.

QAMNode

Contains the installed managed hosts. The managed host information includes the host type, status, and agent configuration settings such as: file system activity settings, file system indexing settings, and file system scanning settings.

Example:

DGE-SERVER is a Windows Server, currently in OK status, with 256 total resources under governance, and 256 points of interest. The current agent configuration excludes x files and folders, synchronizes activity every 15 minutes under a five minute aggregation, and scans security index information once a day.

QAMOtherSIDInLocalGroup

Stores Active Directory accounts found in local groups by a local agent that were not resolved in Active Directory. This links to Active Directory sync of unresolved SIDs.

QAMScannerInfo

Stores the agent scanner states.

For example, a scanner would be the Windows Computer, Service Identities, Local Groups, NTFS, SharePoint, NFS, and Cloud. Each of these "scans" the managed paths collecting security data.

QAMSecurityIndex

Contains direct access points for accounts that have been scanned by Data Governance agents, indicating the type of access that they have.

Examples:

  • Matt has folder access on Windows Server A according to Agent X
  • Rita has share access on Windows Server B according to Agent Y

QAMTrustee

Contains information for security accounts that have explicit ACL security. This table is closely paired with QAMSecurityIndex and contains the specific account information, such as the account's security identifier (SID).

Example:

Gary, with SID 123, is a Domain User and has a display value of Domain\Gary.

QAM views

The following One Identity Manager views (queries) retrieve Data Governance Edition resource activity and security information.

Table 8: QAM module: Views
View name Description
QAMResourceActivitySummary

Contains a summary view of who has generated activity events on what resources. The summary contains information about the trustee account, the managed host, and the activity the account generated on the resource.

Example:

Gary performed a delete operation on governed resource X located on managed host Y.

QAMResouceSecuritySummary

Contains a summary view of who has what security permissions on what resources. The summary contains information about the trustee account, the resource under governance, the managed host, and the access information that the account has on the resource.

Example:

Gary has AllowFullControlAccess on governed resource X located on managed host Y.
