Identity Manager Data Governance Edition 9.0 LTS - Deployment Guide

Cannot save the service account

Probable cause

You may receive one of the following errors: "Not Authorized to Use this Database" or "Access was denied while attempting to perform the requested operation". This happens if you are logged in to the machine with an Active Directory account that does not have an associated employee and the appropriate roles to view and manage hosts; that account is used to contact the Data Governance server.

NOTE: Both the System user (account logged on to the machine) and the Manager user (account running the Manager) must have an associated One Identity Manager Employee and must be assigned the appropriate Data Governance application roles.

Resolution

To associate an account with an employee

  1. In the navigation view, select Active Directory (ADS button at bottom of navigation view).
  2. Select User accounts, and select the account that you are currently logged in to the machine as.
  3. In the Tasks view, select Change master data.
  4. On the General tab, select an employee to associate with the account.

    Note: Typically an Active Directory synchronization creates an employee for every Active Directory account and this association is already done.

The following application roles are specifically for Data Governance Edition. They are used with One Identity Manager application roles.

  • Data Governance | Access Managers

    Members of this role can access all information related to Data Governance Edition, and can query information from Data Governance agents. Also, they can modify the security of objects contained on managed hosts.

  • Data Governance | Administrators

    Members of this role can perform all administrative tasks necessary for the management of Data Governance Edition. This includes deploying and configuring managed hosts, managing data access, editing security, and placing data under governance.

  • Data Governance | Business Owner

    Members of this role can view information on resources they own.

  • Data Governance | Direct Owners

    This role is held by accounts and roles marked as the owners of resources within Data Governance Edition.

    Note: This role cannot be assigned manually; it is assigned programmatically.

  • Data Governance | Managed Resources

    A default container used for roles automatically generated by Data Governance Edition managed resources. For more information on managed resources, see the One Identity Manager Data Governance Edition IT Shop Resource Access Requests User Guide.

  • Data Governance | Operators

    Members of this role have read-only access to the Managed hosts view and Agents view in the Manager.

  • Identity & Access Governance | Compliance & Security Officer

    Members of this role have a view into all security-related information collected by Data Governance Edition. They are responsible for ensuring security-related compliance regulations are being followed correctly.

To assign application roles

  1. In the navigation view, select Employees | Employees.
  2. In the Employees result list, double-click the required employee.
  3. In the Task view, select Assign One Identity Manager application roles.
  4. Apply the required application role, and save your changes. For example:
    1. Expand Data Governance in the Add assignments window to view the application roles available.
    2. Double-click Administrators to assign the Data Governance | Administrators role to the selected user account.
    3. Click the Save toolbar button.
  5. Restart the Data Governance service to renew the authentication cache. The cache is also renewed automatically once the Manager has been idle for 5 minutes.

Cannot connect to a managed host

Probable cause

When trying to connect to a managed host you may receive the following error: “There was no end-point listening that could accept the message.”

This error indicates that there is an issue with the Data Governance service.

Resolution

To resolve this issue, open the Services snap-in and restart the One Identity Manager Data Governance Service, then select the managed host in the Navigation view.

DNS error when attempting to add a new managed host

When attempting to deploy a new managed host, the managed host status is "Unresolvable" and the following errors are logged to the Data Governance Edition Service log:

  • ERROR: The domain in which the operation was attempted is not registered as a managed domain.
  • ERROR: Expected DNS Host Name <DNS Host Name>. The value in Active Directory is <DNS Host Name in AD>.
  • ERROR: Access is denied.

Probable cause

These errors are caused by a mismatch between the DNS name in Active Directory and the "expected" DNS Host Name. That is, when adding a remote agent or saving a local managed host, Data Governance Edition is comparing the following two values to ensure they are the same:

  • DNSHostName property in Active Directory, which should be the same value in One Identity Manager after AD synchronization.
  • Machine name of the agent device plus DNS name of the domain.

Resolution

To resolve this issue:

  1. Have your Active Directory administrator change the DNSHostName value in Active Directory to the correct DNS name.
  2. Re-synchronize Active Directory into One Identity Manager.
  3. Deploy the managed host.
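The following PowerShell script is an added example, not tooling from the guide: it reproduces the comparison described above (dNSHostName in Active Directory versus machine name plus domain DNS name) on the prospective agent computer, so the mismatch can be found before the host is deployed. It assumes it runs on that domain-joined computer and uses the built-in ADSI searcher, so no RSAT module is needed.

```powershell
# Added example (not part of the One Identity documentation): check whether the
# dNSHostName stored in Active Directory matches the value Data Governance Edition
# expects for this computer (machine name + DNS name of the domain).

$computerName = $env:COMPUTERNAME

# DNS name of the domain this computer is joined to
$domainDns = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$expected  = "$computerName.$domainDns"

# Locate this computer's object in AD; computer sAMAccountNames end with '$'
$filter   = "(&(objectCategory=computer)(sAMAccountName=$computerName`$))"
$searcher = [ADSISearcher]$filter
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$result   = $searcher.FindOne()

if ($null -eq $result) {
    Write-Warning "No computer object named '$computerName' was found in Active Directory."
    return
}

# DirectorySearcher exposes property names in lower case; empty if the attribute is unset
$inAd = [string]($result.Properties['dnshostname'] | Select-Object -First 1)

if ($inAd -eq $expected) {
    Write-Host "OK: dNSHostName in Active Directory ('$inAd') matches the expected value."
} else {
    # Same wording the Data Governance Edition service log uses for this mismatch
    Write-Warning "Expected DNS Host Name $expected. The value in Active Directory is '$inAd'."
    Write-Warning "Have the AD administrator correct dNSHostName, then re-synchronize AD into One Identity Manager."
}
```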

Agent not connecting to the Data Governance server

Probable cause

  • The agent has not been able to find a Service Connection Point that points to a valid server.
  • A firewall is active on the agent hosting computer, which is preventing the agent from connecting to the server.
  • The proxy settings on the agent computer are preventing it from connecting to the server.

Resolution

  • Ensure that the Service Connection Points of the agent computer's managed domain are OK.
  • Ensure that the following registry value contains the required Deployment ID:

    Registry Key: HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Agent\Services\communication

    Registry Value: deploymentId (REG_SZ)

  • Configure the firewall on the agent to allow outgoing traffic on TCP port 8721, and incoming traffic on TCP port 18530. Also, ensure that the Data Governance server firewall has the following exceptions configured: incoming TCP 8721, 8722 and outgoing 18530. If the Managed Host is a SharePoint Farm, HTTP port 3149 must be open for incoming traffic from localhost.
  • Configure the proxy settings on the agent computer to either store credentials for accessing your corporate HTTP proxy, or allow bypassing of the proxy for local addresses.
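The following PowerShell script is an added example, not tooling from the guide: run on the agent computer, it checks the deployment ID registry value, the two agent-side TCP ports, and the proxy configuration that Windows services use. $DgeServer is a placeholder for the DNS name of your Data Governance server; the registry key and port numbers are the ones listed above.

```powershell
# Added example (not part of the One Identity documentation): pre-flight checks for an
# agent that cannot reach the Data Governance server. Run elevated on the agent computer.
param(
    [Parameter(Mandatory = $true)]
    [string]$DgeServer   # placeholder: DNS name of your Data Governance server
)

# 1. Deployment ID the agent uses to find its server (key and value name from the guide)
$regPath = 'HKLM:\Software\One Identity\Broadway\Agent\Services\communication'
$deploymentId = (Get-ItemProperty -Path $regPath -Name deploymentId -ErrorAction SilentlyContinue).deploymentId
if ([string]::IsNullOrWhiteSpace($deploymentId)) {
    Write-Warning "deploymentId (REG_SZ) is missing or empty under $regPath"
} else {
    Write-Host "OK: deploymentId = $deploymentId"
}

# 2a. Outgoing: agent -> server on TCP 8721 (the server must allow it inbound)
$out = Test-NetConnection -ComputerName $DgeServer -Port 8721 -WarningAction SilentlyContinue
if ($out.TcpTestSucceeded) {
    Write-Host "OK: $DgeServer accepts TCP 8721 from this computer"
} else {
    Write-Warning "Cannot reach $DgeServer on TCP 8721; check the agent's outbound and the server's inbound firewall rules"
}

# 2b. Incoming: the agent must accept TCP 18530. Check that something is listening
#     and that an enabled inbound Allow rule exists in Windows Firewall.
$listen = Get-NetTCPConnection -LocalPort 18530 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    Write-Host "OK: a process is listening on TCP 18530 (PID $($listen.OwningProcess | Select-Object -First 1))"
} else {
    Write-Warning "Nothing is listening on TCP 18530; is the Data Governance agent service running?"
}
$rule = Get-NetFirewallPortFilter -Protocol TCP -LocalPort 18530 -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($rule) {
    Write-Host "OK: inbound rule(s) allowing TCP 18530: $($rule.DisplayName -join ', ')"
} else {
    Write-Warning "No enabled inbound Allow rule for TCP 18530 was found in Windows Firewall"
}

# 3. Proxy: services use the WinHTTP proxy, not the interactive user's browser settings.
#    A local-address bypass or stored credentials must be present here to take effect.
netsh winhttp show proxy
```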