Chat now with support
Chat with Support

Identity Manager Data Governance Edition 8.2 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Data Governance service

The One Identity Manager Data Governance Edition Deployment Guide provides detailed steps explaining how to deploy the Data Governance service; the information provided here is intended to provide some additional information for those interested in the internal functions of this process and the Data Governance service.

Data Governance Edition deployment process

The deployment process for the Data Governance service includes the following:

  • The Data Governance installer deploys and configures the Data Governance service.
  • The Data Governance configuration wizard creates and initializes the Resource Activity database.
  • Connection strings to the One Identity Manager database and Resource Activity database are encrypted and stored in the registry on the Data Governance service machine.
  • The Data Governance service creates and publishes a Service Connection Point (SCP) in Active Directory so the Data Governance configuration wizard, server and agents can locate the Data Governance service.
  • Configuration parameters are set in the One Identity Manager database.
  • In the absence of One Identity Manager target system synchronization, the Data Governance service automatically harvests the forest topology, including:
    • Creating Employee records for all members found in each domain's Domain Admin group.
    • Creating an Employee record for the current account running the Data Governance configuration wizard.
    • Linking these accounts to the correct Data Governance application roles.

It is highly recommended that you use the Data Governance Configuration wizard to install the Data Governance service and Resource Activity database. If however, you need to install the Data Governance service to a different location other than the default location, you can use the Windows installer that is provided. For more information, see Manually deploying Data Governance service.

Data Governance service configuration

Data Governance service configuration settings are stored in one of the following places:

  • The Data Governance service contains settings in the DataGovernanceEdition.Service.exe.config file in the server directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server.

    For more information on the Data Governance service configuration file settings that can be configured, see Configurable configuration file settings.

  • Some Data Governance service settings can also be set in the Windows registry, under the following keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server
    • HKEY_CURRENT_USER\SOFTWARE\One Identity\Broadway\Client

    For more information on the Data Governance service registry settings that can be configured, see Data Governance service registry settings.

Data Governance service internal tasks

The following table lists the internal tasks that the Data Governance service performs, including the internal service name, a brief description of the task and the configuration variables that are available to customize the task.

Table 4: Data Governance service internal tasks
Internal service name Task description

Handles all resource access queries. This includes retrieving all trustees with access to a given resource, as well as all resources a given trustee has access to.


Handles the self-service requests initiated from the IT Shop. This includes identifying best fit groups based on resource and access requirements, retrieving group information, and getting or setting self-service configuration options.

Configuration settings:


Handles all aspects of agent lease management. This includes registering and unregistering agents, renewing leases, verifying agent connectivity, and retrieving agent information. The service manages lease renewal over a given period of time (configurable in the application configuration) by checking for expired agent leases and setting the agent states accordingly.

The Data Governance service uses this internal service to determine what agents are functioning. If the server does not receive a lease renewal from an agent in the expected time frame, the agent goes into the "Lease Expired" state. This indicates that the server is unable to receive information from the agent.

Configuration setting:


Synchronizes managed DFS host information into the One Identity Manager database. This process enumerates the DFS targets and stores the relevant information within the database. Synchronization is performed using the service account linked to the managed host being synchronized. The information is harvested on a regular bases, based on the configuration variable.

Configuration setting:

  • DfsDataSyncInterval: The interval that defines when a DFS synchronization occurs. Default: 1440 minutes (1 day)

Is used for getting and setting resource security, retrieving domain credentials, service account retrieval, SID and trustee resolution, and resource enumeration.


Is used for a number of services, including group expansion, domain retrieval, group searches, data model retrieval, and SID retrieval. In addition, this service maintains a cache of known managed domains and security information that is refreshed regularly based on configuration variables.

For group expansion, the service account for the managed domain is used; however if this fails, the account used for Active Directory synchronization is used instead. In this case, the account used for Active Directory synchronization should be granted log on as service rights to the Data Governance server.

Configuration settings:

  • SyncDomainPasswordInterval: The interval that defines when the managed domain and security information cache is refreshed. Default: 60 seconds

Provides the framework for processing messages received from deployed agents.

This is purely internal framework and there are no configuration parameters.


Is used for general infrastructure management. This includes actions such as triggering collection of data under governance and handling the steps required when a service is updated.

The service also contacts the agent to retrieve points of interest (POI) information on governed resources on a regular interval based on configuration variables.

Configuration settings:


Is used for managing jobs between the different Data Governance Edition internal services.

This is purely internal framework and there are no configuration parameters.


Provides an interface for managed domain information. This includes creating, querying and deleting managed domains, as well as validating service account access within a given domain.

This service also maintains a cache of managed domain information which includes the service account. Every three minutes this information is refreshed.


Provides managed host functionality for creating, updating, reinstalling and removing managed hosts. In addition, the service provides a framework for retrieving information about synchronized accounts, synchronized machines, synchronized SharePoint farms, and service accounts.

This service also provides functionality for retrieving, upgrading, restarting, adding, removing, registering, unregistering, leasing and updating agents, as well as retrieving agent logs and parsing agent metrics.


Exposes managed resource objects from the database layer. This includes creating, deleting, retrieving and updating managed resource types, managed group templates, group permissions, managed share root paths, managed resource domains, and name pattern resolvers.

This service also provides information about managed resources and their relationship with data under governance.

NOTE: The only public endpoints are PowerShell scripts for accessing and manipulating data for group templates. There are no internal processing and there are no configuration parameters used within this service.


Manages the core Data Governance Edition dependencies, by ensuring a valid database connection is established, updating deployment information, creating and maintaining Data Governance Edition's service connection point, and maintaining deployment information, such as server version.

Configuration setting:

  • MinimumSupportedModuleMigrationVersion: The minimum supported module migration version. If during installation, the new version is less than this value, the installation cannot occur. Default: Null

Registry settings:


Provides the framework for metric collection. Core metrics include POI metrics, agent communication metrics, and agent performance metrics. The frequency of metric collection is set using an entry in the application configuration file.

Configuration setting:


Provides functionality related to resource activity and resource ownership. Actions include retrieving resource and trustee activity, calculating and granting perceived ownership, and aggregating resource activity.

This internal task runs a synchronization every five minutes, which is not configurable. The task checks for "stale" entries in the QAMDuG table every five minutes after the Data Governance service starts.

The LastOwnerShipCalculation column in the QAMDuG table stores the last time the synchronization ran. An entry is considered "stale" if one of the following is found to be true:

  • The LastOwnerShipCalculation column is empty (null).


  • The LastOwnerShipCalculation value is older than 24 hours (configurable in PerceivedOwnershipCalcUpdatesRefreshIntervalMinutes setting in the Data Governance service configuration file).

This service updates the perceived owner and POIs for governed resources on a regular interval, configurable within the application configuration file.

Configuration setting:


Provides functionality related to resource expansion, governance and publication. Actions include placing and removing resources under governance, publishing and unpublishing resources to the IT Shop, performing resource searches, and performing resource enumeration.

All actions requiring service account credentials are performed using the server account for the targeted managed domain.


Exposes resource policy objects from the database layer and provides the framework for resource provisioning. This includes the ability to create, delete, query and update access templates, trustee templates and resource policies. In addition, this service allows for resource provisioning.

This internal service is for development purposes only.


Handles the updating of managed host states.

For a description of managed host states, see the One Identity Manager Data Governance Edition User Guide.


Handles actions regarding the Data Governance Edition service accounts. Actions include querying, creating, removing and validating service account credentials, and granting log on as a service rights to a given account.

This service is consumed by both PowerShell and the Manager.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating