Identity Manager Data Governance Edition 9.0 LTS - Deployment Guide

Security Scanning page

Use the Security Scanning page on the Managed Host Settings dialog to define when an agent is to perform the initial security scan and when to watch for changes to the structure and security of the file system. Where possible, schedule the scan to low peak hours to avoid heavy network traffic.

The default behavior for security scanning is different depending on the type of agent deployed:

  • Local agents: By default, local agents begin scanning immediately when the agent is deployed. Subsequent scans occur on the configured schedule, which is daily at 2:00 A.M. by default.
  • Remote agents: Remote agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.
  • SharePoint farm agents: SharePoint farm agents scan the target computer on a configured schedule. By default, scans are daily starting at 2:00 A.M.

You can modify the scan schedule and define the time and frequency with which the agent scans the target computer using the options available on the Security Scanning page. In addition to defining the security scan schedule, you can specify whether to ignore files and only store folder security data, as well as continuously monitor the file system and apply real-time updates to scanned security data.

Note: The schedule times for security scanning are based on the agent's local time.

Table 23: Security scanning page: Controls and settings
Control/setting Description
Scanning Schedule

Use the options in the Scanning Schedule pane to define the frequency at which the agent performs a full security scan on the target managed host.

For remote managed hosts and SharePoint managed hosts, managed paths must be defined for scanning to occur. For more information, see Managed paths page.

Scan start time

Specifies the local time of day, with respect to the machine on which the agent is running, when the security scan is to start. The default start time is 2:00:00 AM. To change this time, use the arrow controls to specify a new time.

When the Immediately scan on agent restart or when managed paths change option is selected, the scan start time is ignored for the initial scan.

Run Daily

Select this option to scan the target computer on a daily schedule. Use the days of the week check boxes to define when the scan will occur during the week and the Scan start time field to specify the time the daily scan is to begin.

  • Days of the week: Specifies the days of the week to be included/excluded from the daily run. All days of the week are selected by default. Click the corresponding day check box to clear the check box and exclude that day from the daily schedule.

For all agents, this option is selected by default along with a scan start time of 2:00 A.M. However, since local agents also have the Immediately scan on agent restart or when managed paths change option selected by default, the initial scan starts immediately when a local agent is deployed. This daily schedule is then used for subsequent scans by the agent. For remote and SharePoint agents, this daily schedule is used for the initial and subsequent scans.

Run on an interval

Select this option to scan the target computer on an hourly interval instead of a daily schedule. Selecting this option enables the Every control to specify the interval to be used.

  • Every: Specifies the hour interval to be used. Every 4 hours is specified by default. Click the arrow controls to select a different hour interval.

When using the Run on an interval option, it is possible to select a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time is skipped and the next scan starts as normal.
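As an added illustration (not from the guide), a small Python simulation of this skip rule: a scheduled start is attempted only if the previous scan has finished, otherwise that slot is skipped and the next one is tried. The interval, start time and scan durations are constructed values.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
# Constructed example: Run on an interval, Every 4 hours, first start at 02:00.
EXAMPLE_START = datetime(2024, 5, 6, 2, 0)
EXAMPLE_INTERVAL = 4 * HOUR
# Assumed durations of successive full scans (from agent history or an estimate).
EXAMPLE_DURATIONS = [5 * HOUR, 3 * HOUR, 6 * HOUR]


def simulate_interval_scans(first_start, interval, durations):
    """Return (started, skipped): the scheduled times at which a scan actually
    started and the scheduled times that were skipped because the agent was
    still busy with the previous scan. Each started scan consumes the next
    entry of `durations`; the simulation ends when all durations are used."""
    started, skipped = [], []
    busy_until = first_start      # agent is idle before the first scan
    due = first_start
    pending = list(durations)
    while pending:
        if due < busy_until:      # previous scan still running: skip this slot
            skipped.append(due)
        else:
            started.append(due)
            busy_until = due + pending.pop(0)
        due += interval
    return started, skipped


if __name__ == "__main__":
    started, skipped = simulate_interval_scans(EXAMPLE_START, EXAMPLE_INTERVAL, EXAMPLE_DURATIONS)
    print("started:", [t.strftime("%H:%M") for t in started])   # 02:00, 10:00, 14:00
    print("skipped:", [t.strftime("%H:%M") for t in skipped])   # 06:00
```

With scans that run longer than the interval, the effective cadence becomes a multiple of the configured interval, which is worth checking before choosing a short Every value.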

Run once

Select this option to schedule a single security scan of the agent.

When the Run once option is selected, the Collect activity for real-time security updates option is automatically selected. This is to ensure that changes to the structure and security of the file system on the target managed host are applied to the scanned data.

Immediately scan on agent restart or when managed paths change

Select the Immediately scan on agent restart or when managed paths change option if you want the agent to scan immediately when it is added, when the agent is restarted and when any managed paths are changed.

For local agents, this option is selected by default. To delay the initial scan and use a configured scan time, clear this check box and use the options in the Scanning Schedule pane to define when to start the agent scan.

Ignore all files and only store folder security data

The Ignore all files and only store folder security data option indicates whether the agent is to capture file security data for the target managed host during an agent scan. When this option is cleared, the agent includes file security data in the agent scan.

For all supported managed host types, this option is selected by default, indicating that only folder security data is to be scanned.

NOTE: This option is not available for NFS host types.

Collect activity for real-time security updates

Select the Collect activity for real-time security updates option to have the agent watch for changes to the structure and security of the file system on the target managed host (that is, monitor create, delete, and rename operations, as well as DACL, SACL, and Owner changes). This results in a more up-to-date security index.

When the Run once option is selected, this option is automatically selected to ensure that changes to the structure and security of the file system on the target host are applied to the scanned data.

NOTE: When using Change Auditor to collect resource activity, it is not recommended to enable the Collect activity for real-time security updates option on EMC or NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.

NOTE: This option is not available for Generic, SharePoint Farm, SharePoint Online or OneDrive for Business host types.

NOTE: When changing this setting, the agent starts watching for changes during and following the next scheduled full scan.

Resource activity page

You can collect resource activity on local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts. Resource activity collection is not supported for Windows Cluster/Remote Windows Computer, Generic, or Cloud managed hosts.

Note: Limitations with collecting resource activity on EMC storage devices:

  • EMC activity collection requires that EMC CEE 7.1 is installed on the same server as the Data Governance agent.
  • EMC VNX activity collection by Data Governance agents is not supported for storage devices with multiple CIFS exposed virtual data movers.
  • Resource activity collection and real-time security updates are not supported for EMC Isilon NFS managed hosts.
  • If Change Auditor is configured to collect activity from your EMC device via the Quest Shared EMC Connector, and you would like activity collection/aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity from your EMC device with both Change Auditor and Data Governance Edition.

When enabled, you can configure the agent to collect data on identities, reads, writes, creates, deletes, renames, and security changes on securable objects. Resource activity summary information is used to calculate ownership and for generating activity-related reports, including the Resource activity, Account activity, Interesting resources without an owner, Data owner vs. perceived owner, and Perceived owners for data under governance reports.

Important: By default, the collection of resource activity is disabled. You can enable it when you configure your managed hosts. However, collecting resource activity on your managed hosts impacts network usage and increases load on the Resource Activity database server and Data Governance server, especially when collecting activity on large busy servers. Configuring the proper exclusions and aggregation is important to limit some of this load. You should carefully plan out which servers you want to collect activity on and enable it only on those machines.

If you are collecting resource activity, it is recommended that you set up a scheduled execution of the activity database compression utility. This utility compresses the activity in your database that is older than a certain age and optionally purges entries that are even older. This is essential in ensuring your database remains manageable. For more information on the activity database compression utility, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Note: Data Governance Edition may report certain operations in unexpected ways. For example, in some instances a file rename operation may be represented as a delete and a create. This is normal behavior and depends on the system, or in some cases, the applications being used to interact with the resources.

Note: The time stamps for resource activity are based on the agent's local time.

The Resource Activity page on the Managed Host Settings dialog contains the following information and options to configure the collection and aggregation of resource activity.

Table 24: Managed host settings: Resource Activity page
Field Description
No activity (scheduled security scans only)

Use this option if you do not want to collect resource activity for the target managed host.

NOTE: For all types of managed hosts, this option is selected by default, indicating that resource activity is not being collected for the target managed host.

Collect and aggregate events

Select this option to collect resource activity for the target managed host. When this option is selected, you can configure the events to be collected and the aggregation interval to be used to compress the activity data.

NOTE: For SharePoint farm managed hosts, native SharePoint auditing must be enabled in order to collect resource activity.

NOTE: For NetApp managed hosts, the FPolicy settings control the activity sent to the agent, unless resource activity is being collected directly from Change Auditor. For more information, see FPolicy deployment.

NOTE: For EMC Celerra/VNX devices, you must configure the cepp.conf. For more information, see Creating the cepp.conf file (Celerra or VNX devices).

NOTE: For EMC Isilon CIFS devices, you must enable auditing. For more information, see Enabling system configuration auditing (Isilon devices).

NOTE: When using Change Auditor to collect resource activity, this option is selected by default. For more information, see Configuring Change Auditor to collect resource activity.

Events

Select or clear the check boxes to specify the type of events to be included in the resource activity collection process:

  • Security change
  • Create
  • Delete
  • Rename
  • Write
  • Read (Disabled by default)

NOTE: When resource activity collection is enabled, read operations are not collected by default. Care should be taken when enabling read operations because they may cause performance issues.

Aggregation

Select how often you would like to aggregate the data. Valid aggregation intervals are:

  • 5 minutes
  • 1 hour
  • 8 hours (default)
  • 1 day

All activity is aggregated within the set time frame, which is 8 hours by default. For example, if a user reads a file ten times within the time frame, it appears as a single line item with a count of 10.

The aggregation interval should be chosen carefully. A shorter interval gives more granular information about activities but can cause the database to grow until it uses up all the disk space on the server.

NOTE: When using Change Auditor to collect resource activity, the aggregation setting is not available. Change Auditor is configured to collect events every 15 minutes on all managed hosts. For more information, see Configuring Change Auditor to collect resource activity.

Resource Activity Exclusions

Click this button to specify the accounts, file extensions, and folders to be excluded from the resource activity collection process. By focusing on the objects in whose activity you are interested, you can reduce network traffic.

Certain well known system accounts, file extensions, and folders are excluded by default, such as:

  • Accounts: Local Service, Network Service, Null SID, System

    The Accounts tab is not available for NFS managed hosts.

  • File Extensions: Database files, Disc Image files, Email files, Executable files, Explorer Metadata files, Log files, Shortcut files, Temporary files, and Virtual machine files
  • Folders: %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%

By default, the Data Governance agent excludes the run as account (local managed hosts) and the domain service account (remote managed hosts) from activity collection and aggregation, regardless of whether the service account is specified in the Resource Activity Exclusions list. The service account for SharePoint farm managed hosts is not excluded by default; you must add the SharePoint service account manually for SharePoint farm managed hosts.

To see the full list, click the Resource Activity Exclusions button.

  • If the list is empty on the Resource activity exclusions dialog, click Default to populate the exclusions list with default values.
  • To add an object to the exclusion list, click Add and specify the account, file extension or folder.

NOTE: When using Change Auditor to collect resource activity, the Resource Activity Exclusions feature is not available. For more information, see Configuring Change Auditor to collect resource activity.
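To make the Aggregation and Resource Activity Exclusions settings above concrete, here is an added Python example (not the product's code) that applies the default account and folder exclusions, a constructed sample of the excluded extension categories, and the default event types (Read off) to constructed sample events, then collapses them into one counted row per aggregation interval, so the same activity can be compared at 8 hours, 1 hour and 5 minutes. The row key (interval start, account, path, event type) is an assumption about how the product aggregates.

```python
import os
from collections import Counter
from datetime import datetime, timedelta

HOUR, MINUTE = timedelta(hours=1), timedelta(minutes=1)

# Default exclusions as listed on the Resource Activity page. The folders are the expanded
# forms of %SystemRoot%, %ProgramFiles% and %ProgramFiles(x86)% on a typical install
# (assumed); the extension set is a constructed sample standing in for the product's
# Temporary, Log, Shortcut and Executable file categories.
DEFAULT_EXCLUDED_ACCOUNTS = {"Local Service", "Network Service", "Null SID", "System"}
DEFAULT_EXCLUDED_FOLDERS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
SAMPLE_EXCLUDED_EXTENSIONS = {".tmp", ".log", ".lnk", ".exe"}

# Event types collected by default; Read is disabled by default and must be added explicitly.
DEFAULT_EVENT_TYPES = {"Security change", "Create", "Delete", "Rename", "Write"}

# Constructed sample activity for one managed host, all on the same day.
DAY = datetime(2024, 5, 6)
BUDGET = r"\\fs01\finance\budget.xlsx"
SAMPLE_EVENTS = (
    # alice reads the budget ten times, 12 minutes apart, from 09:00 to 10:48
    [(DAY + 9 * HOUR + 12 * i * MINUTE, "alice", BUDGET, "Read") for i in range(10)]
    + [
        (DAY + 9 * HOUR + 30 * MINUTE, "alice", BUDGET, "Write"),
        (DAY + 15 * HOUR + 10 * MINUTE, "alice", BUDGET, "Write"),
        (DAY + 17 * HOUR, "alice", BUDGET, "Security change"),
        (DAY + 10 * HOUR, "bob", r"\\fs01\finance\~report.tmp", "Create"),  # excluded: extension
        (DAY + 10 * HOUR, "System", r"C:\Windows\Temp\x.dat", "Write"),  # excluded: account, folder
    ]
)

def is_excluded(account, path, accounts=DEFAULT_EXCLUDED_ACCOUNTS,
                folders=DEFAULT_EXCLUDED_FOLDERS, extensions=SAMPLE_EXCLUDED_EXTENSIONS):
    """Apply the account, folder and file-extension exclusion lists to one event."""
    if account in accounts:
        return True
    if any(path.lower().startswith(folder.lower()) for folder in folders):
        return True
    return os.path.splitext(path)[1].lower() in extensions

def bucket_start(t, interval):
    """Floor a timestamp to the start of its aggregation interval within the day
    (every valid interval, 5 minutes to 1 day, divides a day evenly)."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = int((t - midnight).total_seconds())
    step = int(interval.total_seconds())
    return midnight + timedelta(seconds=secs - secs % step)

def aggregate(events, interval, event_types=DEFAULT_EVENT_TYPES):
    """Collapse raw events into one (bucket, account, path, type) row per interval with
    a count, so ten reads inside one interval become a single row with a count of 10."""
    rows = Counter()
    for t, account, path, kind in events:
        if kind not in event_types or is_excluded(account, path):
            continue
        rows[(bucket_start(t, interval), account, path, kind)] += 1
    return dict(rows)

if __name__ == "__main__":
    # Same events at each valid interval: the shorter the interval, the more rows stored.
    for label, interval in (("8 hours", 8 * HOUR), ("1 hour", HOUR), ("5 minutes", 5 * MINUTE)):
        rows = aggregate(SAMPLE_EVENTS, interval, DEFAULT_EVENT_TYPES | {"Read"})
        print(f"{label}: {len(rows)} rows for {sum(rows.values())} collected events")
```

With the defaults (Read off, default exclusions) only alice's two writes and one security change survive; enabling Read turns the same ten reads into 1, 2 or 10 stored rows depending on the interval, which is the database-growth trade-off the Aggregation setting describes.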

View/Update cepp.conf

For EMC Celerra/VNX hosts, this button allows you to view or update the cepp.conf file for the selected data mover.

Clicking this button displays a Logon Credentials dialog allowing you to enter the EMC Celerra/VNX control station credentials and to select the data mover to be scanned.

  • Control Station: Enter the IP address or host name of the EMC Celerra/VNX control station.
  • User: Enter the user name of an account with administrative rights on the specified control station.
  • Password: Enter the password associated with the user account entered.

    The client attempts to connect and loads the list of available data movers on the specified device.

  • Data Mover: Select the data mover that holds the managed paths you wish to monitor and will also be associated with resource activity collection.

The client then retrieves and displays the cepp.conf file from the selected data mover. You can edit the Proposed cepp.conf file (lower pane) as needed. To save your edits, select Update File. The client then sends the Proposed cepp.conf file to the EMC device. It will stop and start the cepp service for the selected data mover to apply the new cepp.conf file.

Click the Check Status button to retrieve the same information you would get if you ran "server_cepp server_2-pool-info" on the EMC device.

Editing managed host settings

You can edit the managed host settings for one or more managed hosts of the same host type. For more information on the configuration options available, see Managed host configuration settings. You can also use the Edit host settings task to add, remove or change the agents used to scan a remote managed host. For more information, see Removing agents.

To edit a managed host’s configuration settings

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view (right pane), select the required managed host with a status of Managed.

  3. Select Edit host settings in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Managed Paths page to change the paths to be scanned and monitored.
    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.
  4. After making the required changes, click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time. However, if you modified the managed paths being scanned and the Immediately scan on agent restart or when managed paths change option is selected on the Security Scanning page, the agent initiates a scan immediately.

To edit multiple managed hosts

Note: When multiple managed hosts are selected, keep in mind that the settings are overwritten for all selected managed hosts and only the settings that are appropriate for the selected managed host type are applied. Because of this, you may notice that not all the same pages are displayed when multiple managed hosts are selected for editing (for example, the Managed Paths page is not displayed).

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select multiple managed hosts with the same host type in the Managed hosts view.
  3. Select Edit host properties in the Tasks view or right-click menu.

    The Managed Host Settings dialog appears, displaying the pages that contain settings that can be edited based on the type of host selected in the Managed hosts view.

    • Use the Security Scanning page to change the scanning schedule and scan settings.
    • Use the Resource Activity page to change the resource activity collection and aggregation settings.

    The options displayed are the factory default values regardless of the current values of the selected managed hosts.

  4. Select the Apply these settings to all selected managed hosts check box and make the required changes, which will be applied to all selected managed hosts.
  5. Click OK to save your selections and close the dialog.

The agent will scan using the new settings at the next scheduled scan time.

Customizing default host settings

Defining default host settings for each type of managed host is now available through the Manager. Using the Customize default host settings task in the Manager, you can define the default scanning schedule and settings and the default resource activity collection and aggregation settings for the selected managed host type. Once customized default settings are defined, they are used when adding new managed hosts to the Data Governance Edition deployment.

Note: Currently managed hosts are not affected by the default host setting changes made on this dialog; only those added in the future use the settings defined here.

To customize default host settings

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select Customize default host settings from the Tasks view or right-click menu.

    The Customize default host settings dialog appears.

  3. At the top of the dialog, specify the following information:
    1. Host Type: Select the host type from the drop-down menu:

      • Local Windows Computer
      • Windows Cluster/Remote Windows Computer
      • Generic Host Type
      • SharePoint Farm
      • EMC Celerra/VNX Device
      • EMC Isilon Device
      • NetApp OnTap 7-Mode CIFS Device
      • NetApp OnTap Cluster Mode CIFS Device
      • NetApp Cluster NFS Device
      • EMC Isilon NFS Device
      • NetApp 7-Mode NFS Device
      • SharePoint Online
      • OneDrive for Business
    2. Agent Install Path: Use this field if you want to specify an alternate installation location. This must be a local path (for example, C:\MyPath) and cannot exceed 512 characters.

    3. Keywords: Use this field if you want to specify a keyword to be assigned to newly managed hosts, which can be used for sorting and grouping on the Managed hosts view.
  4. Use the Security Scanning page to define the default scanning schedule and settings. For more information, see Security Scanning page.
  5. Use the Resource Activity page to define the resource activity collection and aggregation settings. For more information, see Resource activity page.

    Note: Resource activity collection is not available for the following host types:

    • Windows Cluster/Remote Windows Computer
    • Generic Host Type
    • EMC Isilon NFS Device
    • SharePoint Online
    • OneDrive for Business
  6. Repeat steps 3 - 5 for any additional host types that require custom default settings.
  7. If necessary, click the Restore Factory Defaults button to reset all changed settings back to the factory defaults.

    Note: Clicking the Restore Factory Defaults button resets all custom default settings back to the factory default settings for all managed host types.

  8. Click OK to save your selections and close the dialog.

All managed hosts of the selected host type that are added in the future will use these customized default settings.
