Chat now with support
Chat with Support

Identity Manager Data Governance Edition 8.1.5 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Get-QADAccount

Retrieves Active Directory objects from One Identity Manager and QAM tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser, and QAMLocalGroup.

Syntax:

Get-QADAccount [-Name] [<String>]] [-Domain] [<String>]] [<CommonParameters>]

Table 196: Parameters
Parameter Description
Name

(Optional) Specify the name of the Active Directory object to be retrieved.

If this parameter is not specified, all Active Directory objects are retrieved.

Domain

(Optional) Specify the domain to be queried to locate the Active Directory objects.

If this parameter is not specified, all domains are included in the query.

Examples:
Table 197: Examples
Example Description
Get-QADAccount Retrieves information for all Active Directory objects on all domains in your Data Governance Edition deployment.
Get-QADAccount -Name Administrator -Domain MyDomain

Retrieves Active Directory information for account Administrator in domain MyDomain.

Details retrieved:
Table 198: Details retrieved
Detail Description
DomainInfo

DomainInfo is an array that can be expanded to display the following information about the domain the account belongs to:

  • DnsDomainName
  • NetbiosDomainName
  • Type
AccountSid The security identifier (SID) assigned to the Active Directory account.
SamAccountName If available, the login name for the account.
DistinquishedName The distinguished name of the Active Directory account.
Name The display name of the Active Directory account.
AccountType The type of account.
ErrorMessage If available, error messages associated with the Active Directory account.

Get-QGroupMembers

Retrieves a list of all the members of a group, including members of child groups. This helps you assess how a specific account has gained access to a resource.

Syntax:

Get-QGroupMembers [-GroupSid] <String> [[-Domain] [<String>]] [<CommonParameters>]

Table 199: Parameters
Parameter Description
GroupSid Specify the security identifier, in SDDL format, of the group whose membership you are interested in.
Domain

(Optional) Specify the domain containing the group whose membership you are interested in.

NOTE: This value will only be used if the domain is valid and multiple instances of this SID exist (well-known SIDs).

Examples:
Table 200: Examples
Example Description
Get-QGroupMembers -GroupSid S-1-5-500 -Domain vmset6 Gets the group members from the specified domain.
Detailed retrieved:
Table 201: Details retrieved
Detail Description
ResultList

ResultList is an array that can be expanded to show the following information for the members of the given group:

  • ID
  • ParentID
  • DNPrefix
  • SamAccountName
  • SamAccountType
  • RID
  • WellKnown
  • GroupType
  • ObjectClass
  • RedundantBranch
IssueList IssuesList is an array that can be expanded to view any issues encountered.

Get-QIndexedTrustees

Retrieves all of the entries from the QAMTrustees table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee.

Syntax:

Get-QIndexedTrustees [-TrusteeName [<String>]] [-Domain [<String>]] [<CommonParameters>]

Table 202: Parameters
Parameter Description
TrusteeName

(Optional) Specify the name of the trustee to be searched.

If this parameter is not specified, all indexed trustees are returned.

Domain

(Optional) Specify the domain of the trustee to be searched.

If this parameter is not specified, all domains are queried to locate indexed trustees.

Examples:
Table 203: Examples
Example Description
Get-QIndexedTrustees -TrusteeName Administrator -Domain MyDomain

Retrieves all indexed accounts from the QAMTrustees table where the account name is Administrator and the domain is MyDomain.

Details retrieved:
Table 204: Details retrieved
Detail Description
Sid The security identifier (SID) assigned to the account.
PreWindows2000Name The logon name (Pre-Windows 2000) of the Active Directory account.
Domain The name of the domain where the account resides.
TrusteeType The type of trustee (account).

Resource access management

A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.

The following commands are available to you to manage resource access. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 205: Resource access management commands

Use this command

If you want to

Export-QResourceAccess

Export the security information on a selected resource.

For more information, see Export-QResourceAccess.

Get-QChildResources

View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares.

In particular, it would be similar to the standard Windows PowerShell Get-ChildItems cmdlet but it functions using the Data Governance server as a proxy, so the client machine does not necessarily need direct access to the target machine.

For more information, see Get-QChildResources.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QFileSystemSearchResults

Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once.

For more information, see Get-QFileSystemSearchResults.

Get-QHostResourceActivities

Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.

For more information, see Get-QHostResourceActivities.

NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QPerceivedOwners

Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodian for data.

NOTE: The perceived owner for data is calculated from the resource activity history or security information collected by Data Governance Edition. Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database.

For more information, see Get-QPerceivedOwners.

Get-QResourceAccess

Retrieve the security information of selected resources from a specific managed host, and child objects whose security differs from the parent.

For more information, see Get-QResourceAccess.

Get-QResourceActivity

Retrieve the activity associated with a resource.

For more information, see Get-QResourceActivity.

NOTE: Resource activity collection (and therefore this cmdlet) is not supported for the following host types:

  • Windows Cluster/Remote Windows Computer
  • Generic Host Type
  • EMC Isilon NFS Device
  • SharePoint Online
  • OneDrive for Business

Get-QResourceSecurity

View the security on a given resource in the SSDL format.

For more information, see Get-QResourceSecurity.

Set-QResourceSecurity

Set security on a given resource.

NOTE: The existing security descriptor is completely replaced.

For more information, see Set-QResourceSecurity.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating