Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.2.1 - Technical Insight Guide

One Identity Manager Data Governance Edition Technical Insight Guide Data Governance Edition network communications Data Governance service Data Governance agents Resource activity collection in Data Governance Edition Cloud managed hosts permission level to role mapping QAM module tables Configurable configuration file settings
Data Governance service configuration file settings Data Governance agent configuration file settings
Configurable registry settings PowerShell commands
Adding the PowerShell snap-ins Finding component IDs Data Governance Edition deployment Service account management Managed domain deployment Agent deployment Managed host deployment Account access management Resource access management Governed data management Classification management

Verifying resource activity is making it to the Resource Activity database

There are a number of ways, as described below, to verify that resource activity is being recorded properly:

  • At the agent level, on the agent host, in the agent instance directory, you can watch the "ResourceActivityStore_XYZ.sqlite" file increase in size.
  • For each aggregation interval, observe the creation of the ResourceActivityStore_*retired file. These files contain activity that will be forwarded to the Data Governance server.
  • At the Data Governance server level, check the DataGovernanceEdition.Service.exe.dlog file for a message similar to the one below which is logged when an agent sends activity to the Data Governance server (search for the words in bold):

    2016-07-2015:14:33:539 [16][INFO][SendSplitMessageResponses(179)] Sending UpdateResourceUsage in 1 parts.

  • In the Manager, compare the following agent statics in the Agents view:
    • Activity Enqueued: The number of resource activity records that have been queued and are waiting to get stored/aggregated in the Resource Activity store.
    • Activity Processed: The number of resource activity records that have been processed and stored in the Resource Activity store.
  • In the Manager, run the Resource Activity report:

    • In the Resource browser or Governed data overview, locate the target resource.
    • Select the target resource and select Resource activity report.
    • Specify the appropriate time range and click Finish to generate the report.
    • If the report lists the expected activities, activity is being correctly recorded.
  • In the Data Governance Edition Resource Activity database, check if there is any items in dbo.AuditUsage. If there is, activity is correctly being sent from the agent to the Data Governance server and then to the Data Governance Edition Resource Activity database.

Cloud managed hosts permission level to role mapping

For cloud managed hosts, Data Governance Edition assigns and displays a role instead of individual permission levels in the Resource Browser and Resource Access report. In addition, these roles are used when security information is used to calculate perceived ownership of a resource. The following tables explain the cloud managed host permission level to role mapping used in Data Governance Edition.

Default permission levels

The default permission levels are mapped to roles in the following manner.

Table 7: Default permission level mapping

Permission level

Role

Full Control

owner

Design

writer

Edit

writer

Contributor

writer

Read

reader

Custom permission levels

For custom permission levels, the underlying permissions are analyzed and the highest role is assigned as described in the following tables.

Table 8: Custom permission level mapping: List permissions

List permission

Role

Manage Lists

writer

Override List Behaviors

writer

Add Items

writer

Edit Items

writer

Delete Items

writer

View Items

reader

Approve Items

writer

Open Items

reader

View Versions

reader

Delete Versions

writer

Create Alerts

writer

View Application Pages

reader

Table 9: Custom permission level mapping: Site permissions

Site permission

Role

Manage Permissions

writer

View Web Analytics Data

reader

Create Subsites

writer

Manage Web Site

writer

Add and Customize Pages

writer

Apply Themes and Borders

writer

Apply Style Sheets

writer

Create Groups

writer

Browse Directories

reader

Use Self-Service Site Creation

writer

View Pages

reader

Enumerate Permissions

reader

Browse User Information

reader

Manage Alerts

writer

Use Remote Interfaces

writer

Use Client Integration Features

writer

Open

reader

Edit Personal User Information

writer

Table 10: Custom permission level mapping: Personal permissions

Personal permissions

Role

Manage Personal View

writer

Add/Remove Personal Web Parts

writer

Update Personal Web Parts

writer

 

QAM module tables

Data Governance Edition information is stored in the QAM module tables in One Identity Manager. This chapter provides some additional details regarding some of the commonly used QAM module components.

QAM tables

The following One Identity Manager database tables are used to store Data Governance Edition data.

Table 11: QAM module: Tables
Table name Description
QAMAgent

Contains the installed agents for all locally managed hosts and remote hosts. Includes the correlation to a managed host, current agent status, agent version, agent name and public key information.

Example:

Agent DGE-SERVER is a local agent monitoring the server DGE-SERVER. Current status is OK and current version is x.x.

QAMAgentEvent Stores the critical errors sent in by a running agent. You can view or clear critical errors through the Agents view in the Manager.
QAMAgentRoot

Contains the managed paths for all installed agents. Contains the responsible agent, the full path of the root, and the root type. This information is pushed to the agent configuration file as well.

Example:

\\dge-server\C$\Shares\Share1 is a folder managed path for agent DGE-SERVER.

QAMClassificationLevel

Stores data about the classification levels (pre-defined or customer-defined) available for classifying data.

QAMDfsTarget

Contains the DFS paths for all managed DFS hosts. Includes information pertaining to DFS targets, associating local paths on a given server to a DFS managed host: Local Path, Target Server, Target Share, DFS Path and DFS managed host.

Example:

DFS-Folder is a DFS target located on server X at local path Y associated with DFS managed host Z.

QAMDuG

Contains the resources under governance across all managed hosts, including the responsible managed host, resource type, security descriptor, paths, business ownership information, as well as whether the data is a point of interest, is published to the IT Shop, is stale, or is a backing folder for a share.

Example:

Share1 is an NTFS/Folder resource that is a point of interest, currently published to the IT Shop using Folder security, and owned by Gary. Last point of interest calculation occurred 15 minutes ago.

QAMHelper*

These tables help correlate accounts found in permissions, and therefore in QAMTrustee, to their identity, synchronized by One Identity Manager. These tables are also used by the web portal to map accounts and employees used to calculate perceived owners.

For example, it shows the correlation between an Active Directory user found in a security index on an agent to the Active Directory account synchronized within an Active Directory domain.

QAMLocalGroup Stores the local groups discovered and synchronized on a Windows computer by the local agent.
QAMLocalUser Stores the local users discovered and synchronized on a Windows computer by the local agent.
QAMLocalUserInLocalGroup Correlates the local user accounts in QAMLocalUsers with the groups they belong to in QAMLocalGroups.
QAMNode

Contains the installed managed hosts. The managed host information includes the host type, status, and agent configuration settings such as: file system activity settings, file system indexing settings, and file system scanning settings.

Example:

DGE-SERVER is a Windows Server, currently in OK status, with 256 total resources under governance, and 256 points of interest. The current agent configuration excludes x files and folders, synchronizes activity every 15 minutes under a five minute aggregation, and scans security index information once a day.

QAMOtherSIDInLocalGroup Stores Active Directory accounts found in local groups by a local agent that were not resolved in Active Directory. This links to Active Directory sync of unresolved SIDs.
QAMScannerInfo

Stores the agent scanner states.

For example, a scanner would be the Windows Computer, Service Identities, Local Groups, NTFS, SharePoint, NFS, and Cloud. Each of these "scans" the managed paths collecting security data.

QAMSecurityIndex

Contains direct access points for accounts that have been scanned by Data Governance agents, indicating the type of access that they have.

Examples:

  • Matt has folder access on Windows Server A according to Agent X
  • Rita has share access on Windows Server B according to Agent Y
QAMTrustee

Contains information for security accounts that have explicit ACL security. This table is closely paired with QAMSecurityIndex and contains the specific account information, such as the account's security identifier (SID).

Example:

Gary with SID 123, is a Domain User, and has a display value of Domain\Gary.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating