Identity Manager Data Governance Edition 8.0 - User Guide

Adding a Distributed File System (DFS) root managed host

Adding a DFS root enables you to view and manage the access on resources that are physically distributed throughout your network.

TIP: As of Data Governance Edition version 7.0.1, you can perform additional managed host tasks against DFS links, such as:

  • Target existing reports, including the Resource Access and Resource Activity reports
  • Calculate perceived owners
  • Place a DFS link under governance, which adds the DFS link to the Governed data view and makes the usual menu options available
  • Publish a DFS link to the IT Shop, which makes it available to others through a resource access request

Once added, the Data Governance server periodically synchronizes the DFS structure into the One Identity Manager database, making the DFS path available within the Resource browser. You are able to quickly see where all the data has been replicated throughout your network.

This information is also available within the resource access, resource activity, and account activity reports if the underlying resource is being scanned on another activity enabled host.

NOTE: In order for a DFS link, target share path or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server to which the DFS link points must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.

Note: By default, the Data Governance server synchronizes DFS every 24 hours. You can force an immediate synchronization using Windows PowerShell, or you can alter the synchronization interval through a configuration file setting.

To force an immediate DFS synchronization, run the following PowerShell cmdlet:

Trigger-QDfsSync [-ManagedHostID] <String> [<CommonParameters>]

You must specify the ID (GUID format) of the DFS managed host to be synchronized. To synchronize all of your DFS managed hosts, set -ManagedHostID to All.

To change the default synchronization interval, add or modify the following setting in the DataGovernanceEdition.Service.exe.config file (which is located in the Data Governance server installation directory):

<add key="DFSDataSyncInterval" value="1440"/>

The value specified is interpreted as minutes. If this value is not present, the default is 24 hours.
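The following PowerShell helpers are an added example and are not part of the One Identity documentation. The first function sets the DFSDataSyncInterval value in DataGovernanceEdition.Service.exe.config (adding the element if it is missing, validating that the value is a positive number of minutes, and keeping a backup of the file); the second wraps Trigger-QDfsSync and rejects a managed host ID that is neither a GUID nor All before the cmdlet is called. The configuration file path is a placeholder you must replace with your server installation directory, and the example assumes the Data Governance Edition cmdlets are already loaded in the session.

```powershell
# Added example, not part of the One Identity documentation.
# Assumptions: the placeholder in $ConfigPath must be replaced with the Data
# Governance server installation directory, and the Data Governance Edition
# PowerShell cmdlets (Trigger-QDfsSync) are already loaded in this session.

function Set-DfsDataSyncInterval {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 525600)]      # minutes; 1440 is the documented 24-hour default
        [int]$IntervalMinutes,

        # Placeholder path; point this at your Data Governance server installation directory.
        [string]$ConfigPath = 'C:\<DGE server install dir>\DataGovernanceEdition.Service.exe.config'
    )

    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config file not found: $ConfigPath"
    }

    # Keep a copy of the original before editing a service configuration file.
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        throw "No <appSettings> section found in $ConfigPath; not guessing the file layout."
    }

    # The setting is <add key="DFSDataSyncInterval" value="..."/>: update it if present, add it otherwise.
    $node = $appSettings.SelectSingleNode("add[@key='DFSDataSyncInterval']")
    if ($null -eq $node) {
        $node = $cfg.CreateElement('add')
        $node.SetAttribute('key', 'DFSDataSyncInterval')
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$IntervalMinutes)

    # XmlDocument.Save resolves relative paths against the process directory, so pass a full path.
    $cfg.Save((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)
    Write-Host "DFSDataSyncInterval set to $IntervalMinutes minute(s) in $ConfigPath (backup: $ConfigPath.bak)"
}

function Invoke-DfsSyncNow {
    param(
        [Parameter(Mandatory)]
        [string]$ManagedHostId   # GUID of one DFS managed host, or 'All'
    )

    # Trigger-QDfsSync expects a managed host ID in GUID format or the word All; reject anything else up front.
    $parsed = [guid]::Empty
    if ($ManagedHostId -ne 'All' -and -not [guid]::TryParse($ManagedHostId, [ref]$parsed)) {
        throw "ManagedHostId must be a GUID or 'All', got '$ManagedHostId'"
    }

    if (-not (Get-Command -Name Trigger-QDfsSync -ErrorAction SilentlyContinue)) {
        throw "Trigger-QDfsSync is not available; load the Data Governance Edition PowerShell cmdlets first."
    }

    Trigger-QDfsSync -ManagedHostID $ManagedHostId
}

# Usage (replace the placeholder path and choose your interval):
# Set-DfsDataSyncInterval -IntervalMinutes 240 -ConfigPath 'C:\<DGE server install dir>\DataGovernanceEdition.Service.exe.config'
# Invoke-DfsSyncNow -ManagedHostId All
```

The range check only guards against zero, negative, or absurd values; it does not know what interval is sensible for your DFS namespace size. This page does not state whether the service must be restarted to pick up a changed interval, so verify the effective behaviour on your own server after the change.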

To add a DFS root managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. From the Managed hosts view (right pane), select Manage DFS host from the Tasks view or right-click menu.
  3. On the DFS Managed Host Settings dialog, specify the following information:

    • DFS Domain: Select the DFS domain.
    • DFS Root: Click the Select Root button to display a list of available DFS roots within the selected domain. Select a root from the list and click OK.

    Click OK to save your selections and close the dialog.

  4. Back in the Manager, click the Save tool bar button to add the DFS root managed host.

DFS managed host settings dialog

Use the DFS managed host settings dialog to specify the DFS domain and root to be managed by Data Governance Edition. This dialog appears when you select the Manage DFS host task from the Managed host view in the Manager.

This dialog contains the following controls:

Table 43: DFS managed host settings dialog: Controls

Control       Description
DFS Domain    Select the DFS domain.
DFS Root      Specify the DFS root (namespace) to be managed. Click the Select Root button to select from a list of available DFS roots.
Select Root   Click the Select Root button to display a list of available DFS roots within the selected domain. Select a root from the list and click OK.
OK            Click the OK button to save your selections and close the dialog.
Cancel        Click the Cancel button to close the dialog without saving your selections.

Adding a SharePoint managed host

Adding a SharePoint farm managed host

SharePoint farms are similar to remote managed hosts in that they require an associated service account, even though they are installed locally on a SharePoint server. You have the option of selectively including and excluding objects to be scanned by its agent.

NOTE: Before adding a SharePoint managed host, ensure that the following configuration steps have been completed:

  • Install a One Identity Manager service (job server) on a dedicated SharePoint Application Server in the SharePoint farms to be monitored. Ensure that the One Identity Manager service account is running as the SharePoint farm account (same account that is used to run the SharePoint timer service).
  • On the Data Governance server, run the One Identity Manager Synchronization Editor to set up a synchronization project to load your Active Directory objects into the One Identity Manager database. For more information, see the One Identity Manager Administration Guide for Connecting to Active Directory.
  • On the SharePoint farm server, run the One Identity Manager Synchronization Editor to set up a synchronization project to load your SharePoint objects into the One Identity Manager database. For more information, see the One Identity Manager Administration Guide for Connecting to SharePoint.

Once the SharePoint synchronization project has completed, the Managed hosts view is updated to include any SharePoint farms that are available for scanning.

To add a SharePoint farm as a managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of SharePoint Farm.
  3. Select Manage host from the Tasks view or right-click menu.

    The Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected in the Managed hosts view.
    2. Host Type: This is a read-only field displaying the type of host computer selected in the Managed hosts view.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. Use the Agents page to select the service account to be used to access the SharePoint farm.

    The service account must be the SharePoint farm account (same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)). The SharePoint farm account also needs to be added to the local Administrators group on the SharePoint server.

    For more information, see Agents page.

  6. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.
  7. Back on the Managed hosts view, select the newly deployed SharePoint managed host, and select the Edit host settings task or right-click command.

    The Managed Host Settings dialog appears allowing you to configure the additional settings required for a SharePoint managed host.

  8. Use the Managed Paths page to specify the point within your SharePoint farm hierarchy to begin scanning.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of the component within your SharePoint farm hierarchy to be scanned.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths dialog.

    For more information, see Managed paths page.

  9. By default, SharePoint agents scan daily at 2:00 A.M. Use the Security Scanning page to set the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.

    For more information, see Security Scanning page.

  10. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection and aggregation.

    Note: To gather and report on resource activity in SharePoint, ensure that SharePoint native auditing is configured for any resources of interest. For more information, see Configure SharePoint to track resource activity.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    To configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:

      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:

      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain well-known accounts are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the accounts to be excluded.

      Note: The agent service account is not included in this exclusion list by default. You will need to add that manually for SharePoint managed hosts.

    For more information, see Resource activity page.

  11. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the SharePoint resources on the target managed host using the Resource browser. Double-click the managed host in the Managed hosts view to launch the Resource browser.

Adding a NetApp CIFS device as a managed host

Adding a NetApp CIFS device as a managed host

You can add supported NetApp storage devices as managed hosts, with remote agents. This procedure covers NetApp 7-Mode devices and NetApp Cluster-Mode devices running OnTap with the CIFS file system protocol enabled. Please see Additional configuration for NetApp filers before adding a NetApp managed host.

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add a NetApp CIFS device as a managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of NetApp OnTap 7 Mode CIFS Device or NetApp OnTap Cluster Mode CIFS Device.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected in the Managed hosts view.
    2. Host Type: This is a read-only field displaying the type of host computer selected in the Managed hosts view.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keyword: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. For NetApp OnTap Cluster Mode CIFS managed hosts, use the Credentials page to enter the credentials of a user with access to the target NAS host computer:
    1. User Name: Enter the name of a user account with access to the target NAS host computer.

      Note: The user account must be allowed the "ontapi" User Login Method (application) on the NetApp device.

    2. Password: Enter the password associated with the user account entered above.
    3. Port: Enter the destination port to be used for communication between the agent and target NAS host computer. The default value is 443.
    4. Host EndPoint: (Optional) Enter the API endpoint (FQDN, host name or IP address) for the NetApp Cluster Mode connection.

      NOTE: The default is to use the FQDN of the targeted host. You would only use this setting if the API connection needs to be specified as something other than the FQDN of the targeted host.
    5. Click the Test API Credentials button to verify valid credentials have been entered.

  6. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target computer.
    3. Select the service account: Select a service account with sufficient permissions to access the target computer and the agent host.

      An agent requires a service account that has the rights to read security information on the remote host. Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click the Add button to add the agent to the agents list.

      TIP: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

      For more information, see Agents page.

  7. Use the Managed Paths page to specify the roots of the NTFS directory tree to be scanned by the agent.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of a directory to add it to the managed paths list.

      NOTE: When using multiple agents to monitor a remote managed host, select an agent from the Agent Selection drop-down after selecting the managed path(s) to be monitored. Repeat this process for all of the other agents, selecting different managed paths for each agent. The Scanning Agent field in the Managed Paths Selection grid displays the agent selected to scan the different paths.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  8. By default, remote agents scan daily at 2:00 A.M. Use the Security Scanning page to change the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.
      • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

    For more information, see Security Scanning page.

  9. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection on the target host.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    To configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:

      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:

      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain well-known system accounts, file extensions and folders are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the accounts and objects to be excluded.

      Note: By default, the Data Governance agent excludes the domain service account from activity collection and aggregation.

    For more information, see Resource activity page.

  10. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.
