Identity Manager Data Governance Edition 8.0 - User Guide


Adding an EMC CIFS device as a managed host

You can add EMC storage devices as managed hosts, with remote agents. This procedure covers NAS devices running EMC Celerra/VNX or EMC Isilon operating systems with the CIFS file system protocol enabled. See Additional configuration for an EMC storage device before adding an EMC managed host.

NOTE: You can configure one target host computer at a time or multiple host computers (of the same type) at once.

To add an EMC CIFS device as a managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select a host with the status of Not Managed and a host type of EMC Celerra/VNX Device or EMC Isilon Device.
  3. Select Manage host from the Tasks view or right-click menu.

    NOTE: If you selected multiple host computers with the status of Not Managed and of the same host type, use the Manage multiple hosts task or right-click menu command. The settings specified on the Managed Host Settings dialog will apply to all selected host computers.

    The Managed Host Settings dialog appears.

    NOTE: If you select a host computer on a domain that was not previously identified as a managed domain, the Domain Credentials dialog appears. Click the Set button to supply the credentials of an Active Directory user with administrative rights on the selected domain. Assigning the credentials for the domain registers the user as a Data Governance Edition service account, links the service account to the domain and adds it to the managed domains list.

    Once the domain credentials are set, the Managed Host Settings dialog appears.

  4. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This is a read-only field displaying the name of the host computer selected in the Managed hosts view.
    2. Host Type: This is a read-only field displaying the type of host computer selected in the Managed hosts view.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keyword: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  5. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target computer.
    3. Select the service account: Select a service account with sufficient permissions to access the target computer and the agent host.

      An agent requires a service account that has the rights to read security information on the remote host. Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click the Add button to add the agent to the agents list.

      TIP: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

      Note: If you are collecting resource activity (Collect and aggregate events on the Resource Activity page) or real-time security updates (Collect activity for real-time security updates on the Security Scanning page), you can only specify one agent to scan the EMC storage device.

      For more information, see Agents page.

  6. Use the Managed Paths page to specify the roots of the NTFS directory trees to be scanned by the agent.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of a directory to add it to the managed paths list.

      NOTE: When using multiple agents to monitor a remote managed host, select an agent from the Agent Selection drop-down after selecting the managed path(s) to be monitored. Repeat this process for all of the other agents, selecting different managed paths for each agent. The Scanning Agent field in the Managed Paths Selection grid displays the agent selected to scan the different paths.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  7. By default, remote agents scan daily at 2:00 A.M. Use the Security Scanning page to change the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.
      • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

        Note: If you enable Collect activity for real-time security updates, ensure your EMC device is configured for auditing. For more information, see Additional configuration for an EMC storage device.

    For more information, see Security Scanning page.

  8. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection on the target host.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    To configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:

      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:

      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain well-known system accounts, file extensions and folders are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the accounts and objects to be excluded.

      Note: By default, the Data Governance agent excludes the domain service account from activity collection and aggregation.

    Use the View/Update cepp.conf button to check the status or modify the cepp.conf file. Selecting this button displays a Logon Credentials dialog allowing you to enter the IP address or hostname and credentials of the EMC Celerra/VNX control station and select the data mover that holds the managed paths to be scanned.

    • Once the cepp.conf is retrieved and displayed, you can edit the Proposed cepp.conf file (lower pane). Select the Update File button to save your edits, which will be sent to the EMC device.

      Note: The cepp service will be stopped and restarted for the selected data mover to apply the new cepp.conf file.

    • Use the Check Status button to check the status of the current cepp.conf file.

    For more information, see Resource activity page.

  9. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.

Adding an NFS managed host

Data Governance Edition supports the scanning of NAS devices with the NFS file system protocol enabled, including NetApp 7-Mode, NetApp Cluster and EMC Isilon devices.

NOTE: Before adding an NFS managed host, ensure the following configuration steps have been completed:

  • During the One Identity Manager installation process and Data Governance configuration process, add the optional Unix module.
  • During the One Identity Manager Data Governance Edition installation process, ensure the One Identity Manager service (job server) is configured properly and that the UNIX connector server function is selected.
  • Run the One Identity Manager Synchronization Editor to set up a synchronization project to load your UNIX objects into the One Identity Manager database.

For EMC Isilon NFS managed hosts:

  • On the Data Governance server and all agent servers, you must have a Trusted Root Certificate Authority certificate to validate the Isilon server's HTTP certificate. See the EMC Isilon Web Administration Guide for details.
  • The service account for an agent managing EMC Isilon storage devices must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path).

For NetApp 7-Mode NFS managed hosts (does NOT apply to Cluster Mode devices):

  • The service account for an agent managing NetApp 7-Mode filers must be a member of the local Administrators group on the NetApp filer in order to create FPolicy. This account must also have permissions to access the folders being scanned.
  • Monitoring real-time security updates and collecting resource activity require FPolicy, and in order to use FPolicy, the CIFS file system protocol must be enabled on NetApp 7-Mode devices.

To add an NFS managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. From the Managed hosts view, select Manage NFS host from the Tasks view or right-click menu.

    The Managed Host Settings dialog appears.

  3. At the top of the dialog, specify the following information:
    1. Managed Host: Enter the IP address or the fully qualified domain name of the NFS host computer to be managed.
    2. Host Type: Select NetApp Cluster NFS Device, NetApp 7-Mode NFS Device, or EMC Isilon NFS Device.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      Note: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).

    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  4. Open the NIS Host page to specify the NIS server whose users and groups have been synchronized with One Identity Manager.
  5. Open the Credentials page and enter the credentials of a user with access to the target NAS host computer:
    1. User Name: Enter the name of a user account with access to the target NAS host computer.
    2. Password: Enter the password associated with the user account entered above.
    3. Port: Enter the destination port to be used for communication between the agent and target NAS host computer.

      • NetApp filers: The default value is 443.
      • EMC devices: The default value is 8080.

    Click the Test API Credentials button to verify valid credentials have been entered.

    For more information, see Credentials page.

  6. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target computer.
    3. Select the service account: Select a service account with sufficient permissions on the selected agent host.

      Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click Add to add the agent to the agents list.

      TIP: For remote managed hosts, add only one remote agent during the host's initial deployment. You can add additional remote agents later using the Edit host settings task after the managed host is deployed.

    For more information, see Agents page.

  7. Use the Managed Paths page to specify the directories to be scanned by the agent to create and maintain the security index.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. In the Managed Paths Picker dialog, select the check box to the left of the directories to be scanned.

      NOTE: When using multiple agents to monitor a remote managed host, select an agent from the Agent Selection drop-down after selecting the managed path(s) to be monitored. Repeat this process for all of the other agents, selecting different managed paths for each agent. The Scanning Agent field in the Managed Paths Selection grid displays the agent selected to scan the different paths.
    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  8. By default, remote agents scan daily at 2:00 A.M. Use the Security Scanning page to change the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Review the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Collect activity for real-time security updates: Select this check box to watch for changes to the structure and security of the file system on the target managed host and apply them to the scanned data.

        Note: Collecting real-time security updates is not available for EMC Isilon NFS devices.

        NOTE: For NetApp 7-Mode managed hosts, real-time security updates and resource activity collection require FPolicy. In order to use FPolicy, the CIFS file system protocol must be enabled.

    For more information, see Security Scanning page.

  9. By default, resource activity is not collected. Use the Resource Activity page to enable and configure resource activity collection on the target host.

    IMPORTANT: Collecting resource activity on your managed hosts impacts network usage and increases the load on the database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation window is important to limit some of this load. Carefully plan out which resources you want to collect activity on and enable resource activity collection only on those resources.

    Note: Collecting resource activity is not available for EMC Isilon NFS devices.

    To enable and configure resource activity collection and aggregation:

    1. Open the Resource Activity page.
    2. Select the Collect and aggregate events option.
    3. Select the type of events to be collected:

      • Security change
      • Create
      • Delete
      • Rename
      • Write
      • Read (disabled by default)
    4. Use the Aggregation control to set the time frame to be used to consolidate similar events. Valid aggregation intervals are:

      • 5 minutes
      • 1 hour
      • 8 hours (default)
      • 1 day
    5. By default, certain file extensions and folders are excluded from the resource activity collection. To modify the exclusion list, click the Resource Activity Exclusions button to specify the objects to be excluded.

    For more information, see Resource activity page.

  10. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections and deploy the managed host.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the folders and shares on the target managed host using the Resource browser. Double-click a managed host in the Managed hosts view to launch the Resource browser.
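The Resource Activity page in the EMC CIFS and NFS procedures above offers the same controls: the event types to collect, an aggregation interval (5 minutes, 1 hour, 8 hours or 1 day) and an exclusion list. As an added illustration that is not part of this guide or of the product, the following Python model shows how the aggregation window and the exclusions cut the number of activity records the server has to store for the same raw events; the share, accounts, timestamps and exclusion entries are constructed sample data, and grouping by (account, path, event type, window) is an assumption about how "similar events" are consolidated.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event types offered on the Resource Activity page; Read is disabled by default.
EVENT_TYPES = frozenset({"Security change", "Create", "Delete", "Rename", "Write", "Read"})
DEFAULT_EVENT_TYPES = EVENT_TYPES - {"Read"}

# Valid aggregation intervals from the page (8 hours is the default).
AGGREGATION_INTERVALS = {
    "5 minutes": timedelta(minutes=5),
    "1 hour": timedelta(hours=1),
    "8 hours": timedelta(hours=8),
    "1 day": timedelta(days=1),
}

@dataclass(frozen=True)
class ActivityEvent:
    timestamp: datetime
    account: str
    path: str          # UNC path on the managed host
    event_type: str

@dataclass(frozen=True)
class Exclusions:
    """The three categories behind the Resource Activity Exclusions button."""
    accounts: frozenset    # e.g. the domain service account (excluded by default)
    extensions: frozenset  # lower-case, with leading dot
    folders: tuple         # UNC folder prefixes; everything beneath is excluded

def is_excluded(event: ActivityEvent, excl: Exclusions) -> bool:
    if event.account.lower() in {a.lower() for a in excl.accounts}:
        return True
    if ntpath.splitext(event.path)[1].lower() in excl.extensions:
        return True
    path = event.path.lower()
    return any(path.startswith(f.lower().rstrip("\\") + "\\") for f in excl.folders)

def window_start(ts: datetime, interval: timedelta) -> datetime:
    """Floor a timestamp to the start of its aggregation window."""
    epoch = datetime(1970, 1, 1)
    seconds = int((ts - epoch).total_seconds())
    width = int(interval.total_seconds())
    return epoch + timedelta(seconds=seconds - seconds % width)

def aggregate(events, interval, event_types=DEFAULT_EVENT_TYPES, exclusions=None):
    """Consolidate similar events: one record per (account, path, type, window).
    Assumed grouping key; returns {key: number of raw events it stands for}."""
    if interval not in AGGREGATION_INTERVALS.values():
        raise ValueError("interval must be one of the supported aggregation intervals")
    counts = defaultdict(int)
    for ev in events:
        if ev.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {ev.event_type!r}")
        if ev.event_type not in event_types or (exclusions and is_excluded(ev, exclusions)):
            continue  # not collected, or on the exclusion list
        counts[(ev.account, ev.path, ev.event_type, window_start(ev.timestamp, interval))] += 1
    return dict(counts)

# Constructed sample data (no real hosts, shares or accounts).
SHARE = r"\\filer01\finance"
SAMPLE_EXCLUSIONS = Exclusions(
    accounts=frozenset({r"CORP\svc-dge"}),
    extensions=frozenset({".tmp", ".db"}),
    folders=(SHARE + r"\temp",),
)
T = datetime(2024, 3, 1, 2, 0)
SAMPLE_EVENTS = [
    ActivityEvent(T + timedelta(minutes=5), r"CORP\alice", SHARE + r"\q1.xlsx", "Write"),
    ActivityEvent(T + timedelta(minutes=7), r"CORP\alice", SHARE + r"\q1.xlsx", "Write"),
    ActivityEvent(T + timedelta(minutes=9), r"CORP\alice", SHARE + r"\q1.xlsx", "Write"),
    ActivityEvent(T + timedelta(minutes=20), r"CORP\alice", SHARE + r"\q1.xlsx", "Write"),
    ActivityEvent(T + timedelta(minutes=6), r"CORP\bob", SHARE + r"\q1.xlsx", "Read"),
    ActivityEvent(T + timedelta(minutes=8), r"CORP\svc-dge", SHARE + r"\q1.xlsx", "Security change"),
    ActivityEvent(T + timedelta(minutes=10), r"CORP\alice", SHARE + r"\thumbs.db", "Write"),
    ActivityEvent(T + timedelta(minutes=11), r"CORP\carol", SHARE + r"\temp\scratch.txt", "Create"),
    ActivityEvent(T + timedelta(minutes=12), r"CORP\carol", SHARE + r"\budget.docx", "Delete"),
]

def records_per_interval(events=SAMPLE_EVENTS, exclusions=SAMPLE_EXCLUSIONS):
    """How many aggregated records each valid interval produces for the same raw events."""
    return {name: len(aggregate(events, iv, exclusions=exclusions))
            for name, iv in AGGREGATION_INTERVALS.items()}

if __name__ == "__main__":
    print(f"{len(SAMPLE_EVENTS)} raw events ->", records_per_interval())
```

With the sample data, nine raw events become three records at 5 minutes and two at any longer interval, which is the load reduction the IMPORTANT note refers to.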

Adding a Cloud managed host

Data Governance Edition supports the scanning of folders hosted on SharePoint Online and OneDrive for Business.

To add a cloud managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view, select Manage Cloud host from the Tasks view or right-click menu.

    The Managed Host Settings dialog appears.

  3. At the top of the Managed Host Settings dialog, specify the following information:
    1. Managed Host: This field will remain blank.
    2. Host Type: Select the type of cloud provider: SharePoint Online or OneDrive for Business.
    3. Agent Install Path: (Optional) Use this field to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

      NOTE: By default, this field displays Use default install directory and the agent is installed in the Data Governance agent services installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services).
    4. Keywords: (Optional) Enter a keyword which can be displayed and used to group managed hosts in the Managed hosts view.
  4. On the Cloud Provider page, enter your Office 365 domain and the administrator account login credentials to be used to authenticate with the Data Governance Edition API Cloud proxy.

    Note: Data Governance Edition only supports one Office 365 domain per cloud provider at this time. That is, you can deploy only one managed host for the SharePoint Online administrator account and one managed host for the OneDrive for Business administrator account. Data Governance Edition does not currently block you from deploying a second SharePoint Online or OneDrive for Business managed host; however, it will not work.

    Note: You must use a separate administrator account for this purpose. This administrator account must be, or have equal access as, a SharePoint Online Administrator. Each site will be modified to list this account as a Site Collection Administrator for the site. This provides the account with access to the site's contents.

    1. <DomainName>.onmicrosoft.com: Enter the name of the Office 365 domain. For example, enter MyDomain as the domain name.
    2. Email: Enter the email address of the administrator account to be used. For example: Administrator@MyDomain.onmicrosoft.com.
    3. Password: Enter the password associated with the specified email.
    4. Click Continue.

      Clicking the Continue button redirects you to Microsoft to sign in to your account and grant access to Office 365 data.

    5. Re-enter the password associated with the specified email account.
    6. Click Sign In.

      An additional screen describing the permissions required by the Data Governance Edition API cloud proxy is displayed.

    7. Click Accept.

      The Cloud Provider page now displays the account being used to authenticate with the Data Governance Edition API cloud proxy.

  5. Use the Agents page to select the remote agent and service account to be used to scan the target host.

    Note: You can only specify one agent to scan a cloud host.

    To add a remote agent:

    1. Open the Agents page.
    2. Select the agent: Select the agent host computer to be used to scan the target managed host.
    3. Select the service account: Select a service account with sufficient permissions on the selected agent host.

      Only previously configured service accounts that are registered with Data Governance Edition are available for selection. For more information, see Readying a service account and domains for deployment.

    4. Click Add to add the agent to the agents list.

    For more information, see Agents page.

  6. Use the Managed Paths page to specify the folders under the Documents site to be scanned by the agent to create and maintain the security index.

    Note: OneDrive for Business support is limited to the Documents folder for the Administrator account. Therefore, all managed paths are selected within the scope of the Administrator's Documents folder.

    To add managed paths:

    1. Open the Managed Paths page.
    2. Click the Add button.
    3. On the Managed Paths Picker dialog, click the check box to the left of the folder(s) to be scanned.

      TIP: A check box appears to the left of the folders that can be selected. Click the expansion box to the left of a container to expand it and navigate to the folders available for scanning.

    4. Click OK to save your selections and close the dialog.

    The selected paths appear on the Managed Paths page.

    For more information, see Managed paths page.

  7. By default, remote agents scan cloud-based managed hosts daily at 2:00 A.M. Use the Security Scanning page to set the time and frequency with which the agent scans the target computer.

    To modify the scanning schedule and settings:

    1. Open the Security Scanning page.
    2. Use the controls in the Scanning Schedule pane to define the time and frequency of the agent scans.
    3. Use the options at the bottom of the page to modify the default security scanning behavior:

      • Immediately scan on agent restart or when managed paths change: Select this check box to perform a full scan whenever the agent restarts or there are changes made to the managed paths.
      • Ignore all files and only store folder security data: Clear this check box if you want to include file security data in the security index.

    For more information, see Security Scanning page.

  8. Click the OK button at the bottom of the Managed Host Settings dialog to save your selections.

Scanning of the specified managed paths begins on the configured schedule. Once the managed host is successfully added (Status is Managed), you are able to see and manage security information for the resources on the target managed host using the Resource browser. Double-click the managed host in the Managed hosts view to launch the Resource browser.

Managed host configuration settings

Managed hosts must be properly configured for security scanning (and resource activity collection, if applicable) to begin. An agent must be configured to communicate with the server and gather resource information. Until this is done, no security information will be stored or indexed for this computer. Agents are configured when you add or edit a managed host.

  • Real-time security updates in the context of Data Governance Edition refers to the monitoring of changes to the file system caused by create, delete, and rename operations, as well as DACL, SACL and Owner changes, in order to maintain the security index. These real-time security updates are not monitored by default, but can be configured on the Security Scanning page of the Managed Host Settings dialog.

    Note: Enabling real-time security updates for NAS devices requires additional configuration on the NAS device itself. For more information, see Additional configuration for an EMC storage device and Additional configuration for NetApp filers.

  • When enabled, resource activity is collected in real time, compressed, and then stored in the Data Governance Resource Activity database. Historical activity data can then be used to calculate a resource's perceived owner and to generate activity-related reports. Use the Resource Activity page of the Managed Host Settings dialog to enable and configure resource activity collection and aggregation.
  • Managed paths are scanned for security access information and, if enabled, for resource activity collection.

The available configuration settings vary depending on the type of managed host, as shown in the following table. Yes indicates that the settings can be configured.

Table 44: Configurable managed host settings

Columns for each managed host type: Resource activity | Real-time security updates | Security scanning | Managed paths | Service accounts

Local Windows Computer
  • Resource activity: Yes. Not collected by default.
  • Real-time security updates: Yes. Not monitored by default.
  • Security scanning: Yes. By default, scanning starts immediately once an agent is deployed.
  • Managed paths: Yes. By default, all NTFS drives are scanned if no managed paths are specified.
  • Service accounts: No service account is required as the agent runs as the Local System.

Windows Cluster / Remote Windows Computer
  • Resource activity: N/A
  • Real-time security updates: Yes. Not monitored by default.
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account with Local Administrator rights on the managed host. The agent scanning the host runs under the service account.

NetApp 7-Mode and Cluster-Mode CIFS Devices; NetApp 7-Mode and Cluster-Mode NFS Devices
  • Resource activity: Yes. Not collected by default. Requires FPolicy.
  • Real-time security updates: Yes. Not monitored by default.
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account; must be a member of the local Administrators group on the NetApp 7-Mode filer in order to create FPolicy. This account must also have permissions to access the folders being scanned.

EMC CIFS Devices
  • Resource activity: Yes. Not collected by default.
  • Real-time security updates: Yes. Not monitored by default.
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account with the required permissions. The agent scanning the host runs under the service account. The service account for an agent managing EMC Isilon storage devices must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path).

EMC Isilon NFS Devices
  • Resource activity: N/A
  • Real-time security updates: N/A
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account; must have "run as root" permissions on the Isilon SMB share to be managed (that is, selected as a managed path).

SharePoint Farm
  • Resource activity: Yes. Not collected by default.
  • Real-time security updates: N/A
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account; must be the SharePoint farm account (the same account that is used to run the SharePoint timer service and the One Identity Manager service (job server)) and must be a member of the administrators group on the SharePoint server. The agent scanning the host runs under the service account.

Cloud (for example, SharePoint Online)
  • Resource activity: N/A
  • Real-time security updates: N/A
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account, which becomes the agent run-as account. This account is not used to connect to the cloud provider.

Generic
  • Resource activity: N/A
  • Real-time security updates: N/A
  • Security scanning: Yes. Scanning starts on a configured schedule. By default, every day of the week at 2:00 A.M.
  • Managed paths: Yes. Managed paths must be defined for scanning to occur.
  • Service accounts: Requires a service account with the required permissions. The agent scanning the host runs under the service account.

Distributed File System
  • Resource activity: Yes. Not collected by default.
  • Real-time security updates: N/A
  • Security scanning: N/A
  • Managed paths: N/A
  • Service accounts: N/A

Related Topics

Managed host settings dialog

Editing managed host settings

Customizing default host settings