Identity Manager Data Governance Edition 9.2 - User Guide

Managed host deployment

A managed host is any network object that can host resources and can be assigned an agent to monitor security and resource activity. Currently supported hosts include Windows computers, Windows clusters, NetApp storage devices, EMC storage devices, DFS, and SharePoint farms.

You can also add generic managed hosts (Server Message Block (SMB) shares running on any Active Directory joined computer) to remotely scan their resources.

The following commands are available to deploy managed hosts. For full parameter details and examples, see the command help (Get-Help) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 68: Managed host deployment commands

Use this command / If you want to

Add-QDfsManagedHost
    Register a domain-based distributed file system root. This enables you to view and manage the access on resources that are physically distributed throughout your network.

Add-QManagedHostByAccountName
    Add a managed host to your deployment and configure its settings.
    NOTE: This cmdlet does not support adding Cloud managed hosts.

Clear-QResourceActivity
    Clear the resource activity for a given managed host. This enables you to remove activity data from the database on demand when it is no longer required.
    For scheduled activity cleanup, use the activity compression/deletion settings in the Data Governance server configuration file instead.
    NOTE: Once you clear the activity, it cannot be recovered.

Get-QHostsforTrustee
    View a selected user or group’s access on all managed hosts in your environment.

Get-QManagedHosts
    View a list of all the managed hosts in your deployment.
    NOTE: If you are interested in only one managed host, you can specify the host's name or the ID (GUID format) of the managed host. You can also specify all the managed hosts in a particular container.

Remove-QManagedHost
    Remove a managed host from your deployment.

Set-QManagedHostProperties
    Change the properties of a managed host.
    NOTE: You must know the managed host ID.

Set-QManagedHostUpdated
    Inform the Data Governance server that the managed host state should be updated.

Trigger-QDfsSync
    By default, the Data Governance server synchronizes the DFS structure into the One Identity Manager database every 24 hours. Use this cmdlet to force a DFS synchronization of a DFS managed host, making the DFS path immediately available within the Resource browser.
    NOTE: You must specify the ID (GUID format) of the managed host to be synchronized. To synchronize all of the DFS managed hosts in your deployment, set the ManagedHostID to All.

Account access management

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

The following commands are available to manage account access. For full parameter details and examples, see the command help (Get-Help) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 69: Account access management commands

Use this command / If you want to

Get-QAccountAccess
    View where users and groups have access on a managed host.
    NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAccessOnHosts
    View the resource access for a given account (Domain\SAMAccountName) across all available hosts.
    NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountActivity
    View the activity associated with a user on a managed host.
    NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QAccountAliases
    View the group membership for a specified account. If one of these groups (aliases) has access to a resource, the original account also has that access.

Get-QAccountsForHost
    View all account access for a specific managed host.

Get-QADAccount
    View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.

Get-QGroupMembers
    View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you assess how a specific account has gained access to a resource.

Get-QIndexedTrustees
    View all of the entries from the QAMTrustee table that are also listed in the QAMSecurityIndex table, which denotes an indexed trustee.

Resource access management

A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.

The following commands are available to manage resource access. For full parameter details and examples, see the command help (Get-Help) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 70: Resource access management commands

Use this command / If you want to

Export-QResourceAccess
    Export the security information on a selected resource.

Get-QChildResources
    View the resources contained in a specific root on a managed host. You can use this to enumerate the contents of remote folders and shares.
    It is similar to the standard Windows PowerShell Get-ChildItem cmdlet, but it uses the Data Governance server as a proxy, so the client machine does not need direct access to the target machine.
    NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QFileSystemSearchResults
    Search an NTFS folder or share for files. Using this command, you can search multiple data roots at once.

Get-QHostResourceActivities
    Retrieve a list of the operations, including the resource ID assigned to each operation, performed against a managed host during a given time frame.
    NOTE: This PowerShell cmdlet does not support Cloud managed hosts.

Get-QPerceivedOwners
    Calculate the perceived owners for a resource. This information can help to determine the true business owners and custodian for data.
    NOTE: The perceived owner for data is calculated from the resource activity history or security information collected by Data Governance Edition. Activity is collected based on the aggregation time span settings and recorded in the Data Governance Resource Activity database.

Get-QResourceAccess
    Retrieve the security information of selected resources from a specific managed host, and of child objects whose security differs from the parent.

Get-QResourceActivity
    Retrieve the activity associated with a resource.
    NOTE: Resource activity collection (and therefore this cmdlet) is not supported for the following host types:
      • Windows Cluster/Remote Windows Computer
      • Generic Host Type
      • EMC Isilon NFS Device
      • SharePoint Online
      • OneDrive for Business

Get-QResourceSecurity
    View the security on a given resource in SDDL (Security Descriptor Definition Language) format.

Set-QResourceSecurity
    Set security on a given resource.
    NOTE: The existing security descriptor is completely replaced.
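Because Set-QResourceSecurity replaces the whole security descriptor and Get-QResourceSecurity hands back SDDL, it is worth auditing a proposed SDDL string for overly broad write grants before applying it. The following PowerShell is an added example, not code from the guide or the product: it relies only on the .NET RawSecurityDescriptor class, the sample descriptors are constructed, and the commented-out Set-QResourceSecurity call uses assumed parameter names.

```powershell
# Added example (not from the One Identity guide). Audits an SDDL string for
# allow ACEs that grant write-class rights to broad principals before it is
# applied with Set-QResourceSecurity, which replaces the whole descriptor.
function Test-SddlForBroadGrant {
    param([Parameter(Mandatory)][string]$Sddl)

    # Parse with the .NET descriptor class; a malformed string throws here.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    # Well-known SIDs that should rarely hold write rights on governed data.
    $broad = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-7'  = 'Anonymous'
    }
    # FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER,
    # GENERIC_WRITE and GENERIC_ALL.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($broad.ContainsKey($sid) -and ($ace.AccessMask -band $writeMask)) {
            $findings += ('{0} ({1}) is allowed mask 0x{2:X}, which includes write-class rights' -f $broad[$sid], $sid, $ace.AccessMask)
        }
    }
    return $findings
}

# Constructed sample descriptors: the first gives Everyone (WD) read and execute
# only (0x1200a9), the second gives Everyone full control (FA).
$readOnlyForEveryone = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)'
$fullForEveryone     = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)'

Test-SddlForBroadGrant -Sddl $readOnlyForEveryone
Test-SddlForBroadGrant -Sddl $fullForEveryone

# Gate the replacement on the audit. The parameter names on the commented call
# are assumptions; check Get-Help Set-QResourceSecurity for the real ones.
$findings = Test-SddlForBroadGrant -Sddl $fullForEveryone
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    # Set-QResourceSecurity -ManagedHostId $hostId -ResourcePath $path -Sddl $fullForEveryone
}
```

The same function can be run over the SDDL that Get-QResourceSecurity returns for a resource to flag existing broad grants before deciding what to replace.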

Governed data management

Governing unstructured data allows you to manage data access, preserve data integrity, and provide content owners with the tools and workflows to manage their own data.

The following commands are available to manage governed data. For full parameter details and examples, see the command help (Get-Help) or the One Identity Manager Data Governance Edition Technical Insight Guide.

Table 71: Governed data management commands

Use this command / If you want to

Get-QDataUnderGovernance
    View the data within your organization that has been placed under governance. Data is considered “governed” when it has been explicitly placed under governance or published to the IT Shop.

Get-QPerceivedOwnerPoI
    View the name of the perceived owner for the specified governed resource. You can use the calculated perceived owners to identify potential business owners for data within your environment.

Get-QSelfServiceClientConfiguration
    View the options that are available for self-service requests within the IT Shop.

Get-QSelfServiceMethodsToSatisfyRequest
    View the group membership that is required to satisfy an access request.
    When identities request access to a resource, an approval workflow is put into action. Before the request for resource access can be granted, the business owner must select a group to which that identity could be added to fulfill the request.
    NOTE: This PowerShell cmdlet does not support NFS or Cloud resources (since these types of resources cannot be published to the IT Shop).

Remove-QDataUnderGovernance
    Remove data from governance.
    NOTE: Removing a resource from governance also removes it from the IT Shop.

Set-QBusinessOwner
    Set the business owner on a governed resource to establish a custodian for data. The business owner should be an identity who understands the nature of the data and the list of authorized users. Ownership can be established for an individual identity or for all identities in an application role.

Set-QDataUnderGovernance
    Place a resource under governance. Once data is “governed”, the Data Governance server periodically queries the agent responsible for scanning that data and retrieves detailed security information concerning it and any child data. The data is then placed in the central database to be used by policies and attestations.
    You can also use this command to set the business owner on governed resources to establish a custodian for data. The business owner should be an identity who understands the nature of the data and the list of authorized users. Ownership can be established for an individual identity or for all identities in an application role.

Set-QSelfServiceClientConfiguration
    Set the options that are available for self-service requests within the IT Shop.

Trigger-QDataUnderGovernanceCollection
    Trigger data collection for governed resources for a given managed host.

Upgrade-QDataUnderGovernanceRecords
    Upgrade the format of existing governed data in the database after an upgrade from version 6.1.1 or earlier.
    NOTE: This is a requirement for upgrading to version 6.1.2 or 6.1.3.
