Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.0 LTS - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Setting up Data Governance Edition

You must perform the following activities to have a fully functional Data Governance Edition deployment:

  • Install One Identity Manager Data Governance Edition.
  • Create and configure the One Identity Manager database
  • Install and configure the One Identity Manager service (Job server)

  • Run the Data Governance Configuration wizard to:
    • Deploy the Data Governance server
    • Create the Data Governance Resource Activity database
  • Configure the Data Governance service accounts for managed domains
  • Add managed hosts and deploy agents
  • Install the web portal

NOTE: New in 7.0: Active Directory synchronization via the One Identity Manager service (job server) is not required for managed host deployment.

In the absence of One Identity Manager target system synchronization, the Data Governance service automatically harvests the forest topology. It creates Employee records for all members found in each domain's Domain Admins group and for the current account running the Data Governance configuration wizard. It also links these accounts to the correct Data Governance application roles, which allows you to add managed hosts and deploy agents.

When additional One Identity Manager functionality is required, including generating complete Data Governance Edition reports, perform the following steps:

  • Run the One Identity Manager Synchronization Editor to synchronize your target environments (Active Directory, and if applicable, SharePoint and Unix).

    IMPORTANT: Active Directory synchronization MUST be complete before starting the SharePoint synchronization.

  • Assign Data Governance application roles to Employees.

For detailed installation and configuration procedures, see:

  • Installing One Identity Manager in the One Identity Manager Installation Guide.
  • Install One Identity Manager Data Governance Edition in the One Identity Manager Data Governance Edition Deployment Guide.
  • Readying a service account and domains for deployment.
  • Working with managed hosts and agents.
  • Installing, Configuring and Maintaining the Web Portal in the One Identity Manager Installation Guide and the One Identity Manager Web Portal User Guide.
  • Setting Up Synchronization with an Active Directory Environment in the One Identity Manager Administration Guide for Connecting to Active Directory.
  • Setting Up Synchronization with a SharePoint Environment in the One Identity Manager Administration Guide for Connecting to SharePoint.
  • One Identity Manager Application Roles in the One Identity Manager Identity Management Base Module Administration Guide.

Application roles

The following application roles are specifically for Data Governance Edition. They are to be used with One Identity Manager application roles. For details on applying application roles, see One Identity Manager Application Roles in the One Identity Manager Identity Management Base Module Administration Guide.

  • Data Governance | Access Managers

    Members of this role can access all information related to Data Governance Edition, and can query information from Data Governance agents. Also, they can modify the security of objects contained on managed hosts.

  • Data Governance | Administrators

    Members of this role can perform all administrative tasks necessary for the management of Data Governance Edition. This includes deploying and configuring managed hosts, managing data access, editing security, and placing data under governance.

  • Data Governance | Business Owner

    Members of this role can view and edit information on resources they own. This role is used to control permissions in the web portal, and approvals and attestation workflows.

  • Data Governance | Direct Owners

    This role is held by accounts and roles marked as the owners of resources within Data Governance Edition. It cannot be assigned manually; it is assigned programmatically when ownership is assigned.

  • Data Governance | Managed Resources

    A default container used for roles automatically generated by Data Governance Edition managed resources. For more information on managed resources, see the One Identity Manager Data Governance Edition IT Shop Resource Access Requests User Guide.

  • Data Governance | Operators

    Members of this role have read-only access to the Managed hosts view and Agents view in the Manager.

    Note: This role should not be used in conjunction with any of the other Data Governance application roles.

  • Identity & Access Governance | Compliance & Security Officer

    Members of this role have a view into all security-related information collected by Data Governance Edition. They are responsible for ensuring security-related compliance regulations are being followed correctly.

Authentication using service accounts and managed domains

Most organizations running a network of Windows computers have multiple Active Directory domains and forests to be managed. Users expect seamless integration and IT administrators need an all-encompassing view of their network security to make that happen.

Data Governance Edition consolidates security information across many domains and forests by accessing these network entities using stored credentials (service accounts). These service accounts are Active Directory users granted the appropriate permissions in their respective domains and registered with Data Governance Edition.

By elevating to the service accounts as necessary, the Data Governance server is able to deploy agents and retrieve security information across the organization. All communication is secure and all credential information is encrypted and protected.

Administrators responsible for the Data Governance Edition deployment must register service accounts with the system and link them with domains that have been previously synchronized with One Identity Manager. The link between a service account and an Active Directory domain makes it a “Managed Domain”.

Administrators link a service account to an Active Directory domain through the Manager. For more information, see Readying a service account and domains for deployment.

How are the credentials stored securely?

Service account credentials are stored in the central One Identity Manager database. These credentials can be encrypted using the Crypto-Configuration tool. For more information, see Encrypt Data in a Database in the One Identity Manager Installation Guide.

What permissions do service accounts need and why?

For details on the required permissions, see the One Identity Manager Data Governance Edition Deployment Guide.

Notes:

  • Remote managed hosts (EMC, NetApp, Windows cluster, Cloud) require a service account with sufficient permissions to access target computers.
  • SharePoint farms are similar to remote managed hosts in that they require a service account with sufficient permissions to access the data, even though they are installed locally.
  • NetApp managed hosts require a service account with sufficient permissions to create and maintain FPolicy on a NetApp filer.

Readying a service account and domains for deployment

Before you can gather information on the data in your enterprise, you must:

You can specify these credentials on a per domain basis. Each domain can only have one associated service account at any time, but the same service account can be used for multiple domains. Service accounts are also used to run remote agent services on agent host computers and must be specified during remote agent deployment.

When a domain is managed, a Data Governance container is created in the domain’s System container. This container holds a Service Connection Point object, which is used by the Data Governance Edition components to find one another. Agents use this information to determine where the Data Governance server they should connect to exists.

Note: Only domains that have had Active Directory synchronized with One Identity Manager can be managed. For details, see Setting up Synchronization with an Active Directory Environment in the One Identity Manager Administration Guide for Connecting to Active Directory.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating