
Identity Manager Data Governance Edition 8.0 - User Guide


Adding and configuring managed hosts

Different types of managed hosts behave differently. The following sections provide the steps to configure each type of managed host.

You can add the following host computers as a managed host to your Data Governance Edition deployment:

Related Topics

Managed host configuration settings

Adding a local managed host (Windows computer)

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add a local managed host to a Windows computer

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of Windows Computer.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected on the Managed hosts view.
    2. Host Type: Select Local Windows Computer.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. By default, local agents scan all local fixed volumes (NTFS devices) on the host computer. To limit the amount of security data being scanned, use the Managed Paths page to specify the root of an NTFS directory to be scanned. Once you configure one or more managed paths, only those paths are scanned.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, select the check box to the left of the directories to be scanned.

      NOTE: For local managed hosts, the Agent Selection field at the bottom of this dialog is pre-populated with the name of the selected target machine.
    4. Click OK.

    For more information, see Managed paths page.

  6. By default, local agents begin scanning immediately once deployed. Use the Security Scanning page to define a different scanning schedule for the agent.

    For example, to delay the scan so that it runs during off-peak hours:

    1. Open the Security Scanning page.
    2. Clear the Immediately scan on agent restart or when managed paths change check box.
    3. Use the Scan start time control to specify the desired time to perform the full scan.

      NOTE: The Scan start time is local agent time.

    Review the options at the bottom of the page to determine if the default security scanning behavior needs to be modified:

    • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.
    • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

    For more information, see Security Scanning page.

  7. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection on the target host.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    To configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:
      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:
      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain well-known system accounts, file extensions and folders are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the accounts and objects to be excluded.

      NOTE: By default, the Data Governance agent excludes the run-as account (LOCAL SYSTEM) from activity collection and aggregation.

    For more information, see Resource activity page.

  8. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy a Data Governance Edition agent on the local computer.

By default, the security scan begins immediately upon agent deployment. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.

Adding a Windows cluster / Windows computer as a remote managed host

You can add Windows servers and Windows clusters as managed hosts, with remote agents. However, you cannot collect resource activity for these types of remote managed hosts.

NOTE: Only Windows failover cluster configurations are supported.

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add a Windows cluster or Windows computer managed host with a remote agent

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of Windows Computer.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected on the Managed hosts view.
    2. Host Type: Select Windows Cluster / Remote Windows Computer.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target computer.
    3. Select the service account: Select a service account with sufficient permissions to access the target computer and the agent host.

      An agent requires a service account that has the rights to read security information on the remote host. Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click the Add button to add the agent to the agents list.

      TIP: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

      For more information, see Agents page.

  6. Use the Managed Paths page to specify the roots of the NTFS directory tree to be scanned by the agent.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of a directory to add it to the managed paths list.

      NOTE: When using multiple agents to monitor a remote managed host, select an agent from the Agent Selection drop-down after selecting the managed path(s) to be monitored. Repeat this process for all of the other agents, selecting different managed paths for each agent. The Scanning Agent field in the Managed Paths Selection grid displays the agent selected to scan the different paths.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  7. By default, remote agents scan daily at 2:00 A.M. Use the Security Scanning page to change the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the check boxes at the bottom of the page to modify the default security scanning behavior:
      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.
      • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

    For more information, see Security Scanning page.

  8. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.

Adding a generic managed host

You can remotely scan managed hosts (other than those on the supported list) by adding a “generic” managed host. This type of managed host supports scheduled scans only and does not support real-time security updates or resource activity collection.

NOTE: These hosts must be accessible through Windows shares. To determine if a host can be scanned for security information, you can use the Filesystem Statistics Utility (QAM.Server.FileSystemStatistics.exe) that is included with a Data Governance Edition installation. It scans a file system, enumerates its contents, and provides statistics on the files and folders contained on the specified data roots.

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add a generic managed host

  1. In the Navigation view, select Data Governance | Managed hosts.

    NOTE: If you do not see the host you want to manage listed, edit the Data Governance service configuration file (DataGovernanceEdition.Service.exe.config) as follows:

    • Locate the customHostParameters section.

      <customHostParameters>
          <additionalOperatingSystems>
              <!--<operatingSystem value="MyOperatingSystem"/>-->
          </additionalOperatingSystems>
      </customHostParameters>

    • Remove the commented operatingSystem line and replace it with a line that specifies the operating system value for the host you want to manage. That is, the string found in the ADSMachine.OperatingSystem field. For example, if the host you want to manage has the operating system field "MyOS", edit this setting as follows:

      <customHostParameters>
          <additionalOperatingSystems>
              <operatingSystem value="MyOS"/>
          </additionalOperatingSystems>
      </customHostParameters>

      This will include all machines whose operating system field contains the string "MyOS".

    • If you want to specify an exact match, include the isExact parameter as follows:

      <customHostParameters>
          <additionalOperatingSystems>
              <operatingSystem value="MyOS" isExact="true"/>
          </additionalOperatingSystems>
      </customHostParameters>

    All of the hosts found using this filter will now appear in the Managed hosts view with a host type of Unknown.

  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of Unknown.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected in the Managed hosts view.
    2. Host Type: Select Generic Host Type.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance Server installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

      If there is an existing agent, you cannot install another agent with a different installation directory. All agents must be installed in the same directory.

    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target computer.
    3. Select the service account: Select a service account with sufficient permissions to access the target computer and the agent host.

      An agent requires a service account that has the rights to read security information on the remote host. Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click the Add button to add the agent to the agents list.

      TIP: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

      For more information, see Agents page.

  6. Use the Managed Paths page to specify the roots of the NTFS directory tree to be scanned by the agent.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of a directory to add it to the managed paths list.

      NOTE: When using multiple agents to monitor a remote managed host, select an agent from the Agent Selection drop-down after selecting the managed path(s) to be monitored. Repeat this process for all of the other agents, selecting different managed paths for each agent. The Scanning Agent field in the Managed Paths Selection grid displays the agent selected to scan the different paths.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  7. By default, remote agents scan daily at 2:00 A.M. Use the Security Scanning page to change the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the check boxes at the bottom of the page to modify the default security scanning behavior:
      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.

    For more information, see Security Scanning page.

  8. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.
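The additionalOperatingSystems filter described in step 1 above, applied to a constructed set of hosts, as an added example that is not part of the product or this guide: it parses the customHostParameters section, applies the substring rule for plain entries and the exact rule for isExact="true" entries, and lists which hosts would appear with host type Unknown. Case-sensitive matching, the host names and the operating system strings are all assumptions.

```python
"""Preview which hosts a customHostParameters filter would expose as Unknown.

Added example, not part of Data Governance Edition. It mirrors the rule the
guide describes for DataGovernanceEdition.Service.exe.config: a plain
<operatingSystem value="..."/> entry matches any host whose
ADSMachine.OperatingSystem field contains the value, and isExact="true"
restricts the entry to an exact match. Case-sensitive comparison is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment in the shape the guide shows (not a real file).
CONFIG_XML = """<?xml version="1.0"?>
<configuration>
  <customHostParameters>
    <additionalOperatingSystems>
      <!--<operatingSystem value="MyOperatingSystem"/>-->
      <operatingSystem value="MyOS"/>
      <operatingSystem value="OtherOS 7" isExact="true"/>
    </additionalOperatingSystems>
  </customHostParameters>
</configuration>
"""

# Constructed, hypothetical ADSMachine.OperatingSystem values per host.
HOSTS = {
    "fs01": "Windows Server 2016 Standard",
    "h1": "MyOS",
    "h2": "MyOS 3.1",
    "h3": "Vendor MyOS Edition",
    "h4": "OtherOS 7",
    "h5": "OtherOS 7.1",
}


def load_os_filters(config_xml):
    """Return (value, is_exact) pairs from additionalOperatingSystems.

    Commented-out entries are skipped by the XML parser, so the sample
    placeholder line has no effect, just as in the guide's default file.
    """
    root = ET.fromstring(config_xml)
    filters = []
    for node in root.iterfind(".//additionalOperatingSystems/operatingSystem"):
        value = node.get("value")
        if not value:
            continue  # an entry without a value cannot match anything
        is_exact = node.get("isExact", "false").strip().lower() == "true"
        filters.append((value, is_exact))
    return filters


def os_matches(os_field, filters):
    """True if the host's operating system field satisfies any entry."""
    for value, is_exact in filters:
        if is_exact:
            if os_field == value:
                return True
        elif value in os_field:  # substring rule for plain entries
            return True
    return False


def preview_generic_hosts(config_xml, hosts):
    """Sorted names of hosts the filter would show with host type Unknown."""
    filters = load_os_filters(config_xml)
    return sorted(n for n, os_field in hosts.items() if os_matches(os_field, filters))


if __name__ == "__main__":
    for name in preview_generic_hosts(CONFIG_XML, HOSTS):
        print(name, "->", HOSTS[name])
```

Running this against a copy of the intended configuration before touching the live service file shows how broadly a short substring value reaches; h5 is excluded only because the second entry is exact.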
