Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.1 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Get-QResourceActivity

Retrieves the activity associated with a resource. The results provide a granular list of activities recorded over a period of time that can be used to verify proper resource usage and make decisions on modifying access.

Note: Resource activity collection (and therefore, this cmdlet) is not supported for the following host types:

  • Windows Cluster/Remote Windows Computer
  • Generic Host Type
  • EMC Isilon NFS Device
  • SharePoint Online
  • OneDrive for Business
Syntax:

Get-QResourceActivity [-ManagedHostId] <String> [-Resources] <String[]> [[-StartTime] [<DateTime>]] [[-EndTime] [<DateTime>]] [[-Exclusions] [<String[]>]] [[-ExcludedOperations] [<String[]>]] [<CommonParameters>]

Table 226: Parameters
Parameter Description
ManagedHostId

Specify the ID (GUID format) of the managed host that you would like to see resource activity for.

Run the Get-QManagedHosts cmdlet without any parameters to retrieve a list of available managed hosts and their IDs.

Resources

Specify the specific resource you would like to see resource activity for.

Specify NTFS resources in the following format: "C:\Share","C:\ADFS"

When specifying multiple resources, separate the resources with a comma.

StartTime

(Optional) Specify the start date and time from which you want to see resource activity.

Specify the start time in the following format (UTC): "23/01/2016 10:36:30 PM"

EndTine

(Optional) Specify the end date and time up to which you want to see resource activity.

Specify the end time in the following format (UTC): "23/01/2016 11:36:30 PM"

Exclusions

(Optional) Specify the security identifier (SID) of the users to be excluded from the resource activity search.

Specify the SIDs to exclude using the following format: domain: S-1-5-21

Example: TSX:S-1-5-21-3263556741-3296809600-1972185209-1104

ExcludedOperations

(Optional) Specify the operations to be excluded from the resource activity search. Valid values are:

  • Create
  • Delete
  • Read
  • Rename
  • Security Change
  • Write

When specifying multiple operations, separate the operations with a comma.

Examples:
Table 227: Examples
Example Description
Get-QResourceActivity "ce21c3ec-3b79-4225-955a-c54cb46790f1" "C:\Share","C:\ADFS" Retrieves all activity on the specified managed host for the "C:\Share" and "C:\ADFS" folders.
Details retrieved:
Table 228: Details retrieved
Detail Description
NodeId The ID used to link the activity database to the QAMNode table. (AuditNodeId in QAMNode table.)
ResourceId The ID assigned to the operation that was performed.
ParentResourceId Shows which resource in the activity database is the parent.
ResourcePath The path of the resource.
ResourceName The name of resource.
Resource The type of resource.
Operation The operation that was performed.
AccessCount The number of times the operation occurred during the aggregation interval.
StartTime The start date and time for collecting resource activity. Activity is stored in 'time spans'.
EndTime The end date and time for collecting resource activity. Activity is stored in 'time spans'.
TrusteeType The type of account that initiated the operation.
TrusteeName The name of the account that initiated the operation.
TrusteeSid The security identifier (SID) assigned to the account that initiated the operation,
AuditTrusteeId The ID associated with the account that performed the operation. (UID_QAMTrustee in QAMTrustee table.)

Get-QResourceSecurity

Returns the security descriptor for a given resource in the SSDL format.

Syntax:

Get-QResourceSecurity [-ResourceUri] <String> [-ResType] <String> [-DomainDNSName] <String> [[-NoSACL] [<SwitchParameter>]] [[-NoDACL] [<SwitchParameter>]] [[-NoOwner] [<SwitchParameter>]] [[-NoGroup] [<SwitchParameter>]] [<CommonParameters>]

Table 229: Parameters
Parameter Description
ResourceUri Specify the path to the resource for which you want the security descriptor.
ResType

Specify the type of resource in question:

  • adminrights
  • localosrights
  • files
  • folders
  • shares
DomainDNSName Specify the DNS domain name of the domain where the managed host with the resource in question resides.
NoSACL

(Optional) Specify this parameter if you do not want to return the SACL information in the SDDL.

If this parameter is not specified, the SACL information will be included.

NoDACL

(Optional) Specify this parameter if you do not want to return the DACL information in the SDDL.

If this parameter is not specified, the DACL information will be included.

NoOwner

(Optional) specify this parameter if you do not want to return the Owner information in the SDDL.

If this parameter is not specified, the owner information will be included.

NoGroup

(Optional) Specify this parameter if you do not want to return the group information in the SDDL.

If this parameter is not specified, the group information will be included.

Examples:
Table 230: Examples
Example Description

Get-QResourceSecurity -ResourceUri "\\QAMAUTOMem1\c$\autoroot\test_folder" -ResType Folders -DomainDNSName QAMAUTO.QC.HAL.CA.QSFT

 Returns the security descriptor for the specified resource on QAMAUTOMem1 in the specified domain.

Set-QResourceSecurity

Sets or updates the security on a given resource to the specified security descriptor.

Note: The existing security descriptor is completely replaced.

Syntax:

Set-QResourceSecurity [-SDDL] <String> [-ResourceUri] <String> [-ResType] <String> [-DomainDNSName] <String> [-HostDownLevelName] <String> [<CommonParameters>]

Table 231: Parameters
Parameter Description
SDDL Specify the security descriptor (SDDL format) to be set.
ResourceUri Specify the path to the resource that you want to set the security for.
ResType

Specify the resource type of the resource to have its security descriptor set. Valid values are:

  • adminrights
  • localosrights
  • files
  • folders
  • shares
DomainDNSName Specify the DNS name of the resource's domain.
HostDownLevelName Specify the downlevel name of the host where the resource resides.
Examples:
Table 232: Examples
Example Description

Set-QResourceSecurity -SDDL "O:BAG:DUD:AI(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO) (A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)S:PAI" -ResourceUri "\\QAMAUTOMem1\c$\autoroot\test_folder" -ResType Folders -DomainDNSName QAMAUTO.QC.HAL.CA.QSFT -HostDownLevelName QAMAUTOMem1

 Sets the security on the specified resource to the specified SDDL on the computer qamautomem1 in the domain qamauto.qc.hal.ca.qsft.

Governed data management

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.

The following commands are available to you to manage governed data. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 233: Governed data management commands

Use this command

If you want to

Get-QDataUnderGovernance

View the data within your organization that has been placed under governance. Data is considered “governed” when it has been explicitly placed under governance or published to the IT Shop.

For more information, see Get-QDataUnderGovernance.

Get-QPerceivedOwnerPoI

View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment.

For more information, see Get-QPerceivedOwnerPol.

Get-QSelfServiceClientConfiguration

View the options that are available for self-service requests within the IT Shop.

For more information, see Get-QSelfServiceClientConfiguration.

Get-QSelfServiceMethodsToSatisfyRequest

View the group membership that is required to satisfy an access request.

When employees request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that employee could be added to fulfill their request.

For more information, see Get-QSelfServiceMethodsToSatisfyRequest.

NOTE: This PowerShell cmdlet does not support NFS or Cloud resources (since these types of resources cannot be published to the IT Shop).

Remove-QDataUnderGovernance

Remove data from governance.

NOTE: Removing a resource from governance, also removes it from the IT Shop.

For more information, see Remove-QDataUnderGovernance.

Set-QBusinessOwner

Set the business owner on a governed resource to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.

For more information, see Set-QBusinessOwner.

Set-QDataUnderGovernance

Place a resource under governance. Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.

You can also use this command to set the business owner on governed resources to establish a custodian for data. The business owner should be an employee who understands the nature of the data and the list of authorized users. Ownership can be established for an individual employee or for all employees in an application role.

For more information, see Set-QDataUnderGovernance.

Set-QSelfServiceClientConfiguration

Set the options that are available for self-service requests within the IT Shop.

For more information, see Set-QSelfServiceClientConfiguration.

Trigger-QDataUnderGovernanceCollection

Trigger data collection for governed resources for a given managed host.

For more information, see Trigger-QDataUnderGovernanceCollection.

Upgrade-QDataUnderGovernanceRecords

Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.

NOTE: This is a requirement for upgrading to version 6.1.2 or 6.1.3.

For more information, see Upgrade-QDataUnderGovernanceRecords.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating