Identity Manager – Data Governance Edition

Data governance that puts you in control of sensitive data access

Provide security and access rights to the appropriate users.

Identity Manager - Data Governance Edition protects your organization by placing access-control decisions with the business owner rather than the IT staff: the business owner grants access to sensitive data. With the Identity Manager restricted access functionality, you define access policies for your organization. You can analyze, approve and fulfill requests for access to unstructured data (files, folders and shares across NTFS, NAS devices and SharePoint), ensuring that sensitive, unstructured data is accessible only to approved users. Identity Manager automates the request-and-approval workflow, enforcing the policy consistently while reducing the burden on your IT staff.

Features

  • Restricted access – Ensures that your organization’s sensitive, unstructured data is only accessible to approved users by enabling you to define access policies; also locks down sensitive data such as files, folders and shares across NAS devices, NTFS and SharePoint.
  • Data owner assignment – Enables you to evaluate usage patterns and read and write access to help you determine and assign the appropriate owner of data for all future access requests.
  • Simplified auditing – Provides you with key information for audit preparations by allowing you to identify user access to enterprise resources such as files, folders and shares across NAS devices, NTFS, and SharePoint.
  • Automated access requests – Enables you to automatically direct access requests from the request portal to the appropriate data owner using built-in workflows, with no burden on your IT staff because approved requests are automatically and correctly fulfilled.
  • Access verification – Enables you to monitor user and resource activity, and to configure and schedule a recertification process in which data owners verify and attest to employee access, thus ensuring that only approved users have access to specific resources.
  • Personalized dashboard – Enables you to view trends, historic and current data access activity, and attestation status on your personalized dashboard, and then allows you to generate compliance reports from that data.

Specifications

Data Governance server

Requirement        Details
-----------        -------
Processor          Quad-core CPU
Memory             16 GB RAM
Free disk space    100 GB
Operating systems  64-bit Windows Server® operating systems:
                     • Windows Server 2008
                     • Windows Server 2008 R2
                     • Windows Server 2012
                     • Windows Server 2012 R2

                   NOTE: Only a 64-bit server for Data Governance Edition is supported. Ensure that the server build installed on a given computer matches the architecture of the installed operating system.

Software           .NET Framework 4.5.2

Database server

Requirement        Details
-----------        -------
Processor          16 cores at 2.5 GHz or faster
Memory             32 GB RAM minimum

                   NOTE: In addition to One Identity Manager's minimum requirement of 16 GB RAM or more, Data Governance Edition requires an additional 16 GB of RAM.

Free disk space    In addition to One Identity Manager's database server requirement of 100 GB, Data Governance Edition requires an additional 30 GB of storage per million resources.
Operating system   Supported 64-bit Windows® operating systems:
                     • Windows Server® 2008 Service Pack 2 or later
                     • Windows Server 2008 R2 Service Pack 1 or later
                     • Windows Server 2012
                     • Windows Server 2012 R2

                   NOTE: The 64-bit requirement is specific to Data Governance Edition.

                   UNIX® and Linux® operating systems:
                     • Note the minimum requirements given by the operating system manufacturer for Oracle databases.

Software           One of the following database systems:

                   SQL Server
                     • Microsoft® SQL Server 2012 Standard Edition Service Pack 1 or later
                     • Microsoft SQL Server 2014 Standard Edition Service Pack 1 or later
                     • Database compatibility level: SQL Server 2012 (110)

                   Oracle Database
                     • Oracle Database 12c Standard Edition or Enterprise Edition, version 12.1.0.2 or later

                   The patch level differs depending on the system platform.

                   It is strongly recommended that you install patch 19504744 for Oracle bug 18097476 (Doc ID 1683819.1).

Data Governance agent

Requirement        Details
-----------        -------
Processor          500 MHz or faster
Memory             1024 MB RAM
Free disk space    100 MB for every 1,000,000 files or folders scanned

                   NOTE: If the system where the agent is deployed has less than 2048 MB of free space available, the agent shuts itself down.

Operating systems  Windows® operating systems:
                     • Windows Server® 2003 (R2)
                     • Windows Server 2008
                     • Windows Server 2008 R2 (32-bit, or non-Itanium 64-bit)
                     • Windows Server 2012
                     • Windows Server 2012 R2

                   NOTE: The Dynamic Access Control (DAC) features introduced in Windows Server 2012 are not supported.

                   NOTE: When an agent is installed on Windows Server 2012 or 2012 R2, you must disable the local security policy "User Account Control: Run all administrators in Admin Approval Mode".

                   NOTE: The following certificate must be installed as a Trusted Root Certification Authority on every agent host computer: VeriSign Class 3 Public Primary Certification Authority - G5.

Software           .NET Framework 3.5.1 (SharePoint® 2010 agents)

                   .NET Framework 4.0 or later (all other agents)

                   NOTE: SharePoint 2010 agents require .NET Framework 3.5.1; all other Windows Servers and SharePoint 2013 farms hosting an agent require .NET Framework 4.0 or later.
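The agent requirements above translate into four checks an administrator can run on a candidate host before deploying an agent: free disk space (the agent shuts down below 2048 MB), a .NET Framework 4.x installation, the Admin Approval Mode policy on Windows Server 2012/2012 R2, and the VeriSign G5 root certificate. The following PowerShell script is an added example, not part of the product or its documentation. It assumes the agent's working data lives on the system drive and reads the policy from its registry location (EnableLUA under HKLM\...\Policies\System); the .NET Release value 379893 corresponds to 4.5.2, the version the Data Governance server itself requires.

```powershell
# Added example (not from the product documentation): pre-flight checks for a
# Data Governance agent host, derived from the requirements table above.
# Assumption: the agent's data directory is on the system drive.

$results = @()

# 1. Free disk space. The agent shuts itself down when less than 2048 MB is free.
$sysDrive = $env:SystemDrive
$disk     = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeMB   = [math]::Floor($disk.FreeSpace / 1MB)
$results += New-Object PSObject -Property @{
    Check = 'Free disk space >= 2048 MB'
    Value = "$freeMB MB on $sysDrive"
    Pass  = ($freeMB -ge 2048)
}

# 2. .NET Framework 4.0 or later. The NDP\v4\Full key exists for 4.0+; its Release
#    value identifies 4.5+ builds (379893 = 4.5.2, required on the DGE server).
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if ($release)           { $netValue = "Release $release" }
elseif (Test-Path $ndp) { $netValue = '4.0 (no Release value)' }
else                    { $netValue = 'not installed' }
$results += New-Object PSObject -Property @{
    Check = '.NET Framework 4.0+ installed'
    Value = $netValue
    Pass  = (Test-Path $ndp)
}

# 3. On Windows Server 2012 (6.2) / 2012 R2 (6.3) the policy "User Account Control:
#    Run all administrators in Admin Approval Mode" must be disabled. It is stored
#    as the EnableLUA DWORD; 0 means disabled.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like '6.2.*' -or $os.Version -like '6.3.*') {
    $pol       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).EnableLUA
    $results  += New-Object PSObject -Property @{
        Check = 'Admin Approval Mode disabled (EnableLUA = 0)'
        Value = "EnableLUA = $enableLua"
        Pass  = ($enableLua -eq 0)
    }
}

# 4. VeriSign Class 3 Public Primary CA - G5 present in the machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*VeriSign Class 3 Public Primary Certification Authority - G5*' }
if ($root) { $certValue = 'thumbprint ' + @($root)[0].Thumbprint } else { $certValue = 'missing' }
$results += New-Object PSObject -Property @{
    Check = 'VeriSign Class 3 G5 root trusted'
    Value = $certValue
    Pass  = [bool]$root
}

$results | Format-Table Check, Pass, Value -AutoSize
```

The script uses Get-WmiObject and scriptblock filters rather than newer cmdlets so it also runs under the PowerShell 2.0 shipped with Windows Server 2008 R2. Check 3 only reports the current value; lowering EnableLUA is a security trade-off the table mandates for the agent, so apply it deliberately through policy rather than silently from a script.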

Resource Activity Database server

Requirement        Details
-----------        -------
Processor          Quad-core CPU
Memory             16 GB RAM
Free disk space    100 GB

Supported target systems

Windows Server®

The following Windows Server versions are supported for scanning (local or remote managed host types):

  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
Resource activity tracking is not supported for remotely managed Windows Server hosts.

Windows® Cluster

The following failover clusters are supported for scanning (remote managed host type):

  • Windows 2008
  • Windows 2008 R2
  • Windows 2012
  • Windows 2012 R2
Resource activity tracking is not supported for clusters.

NetApp®

The following NetApp filer versions are supported for scanning (remote managed host type):
  • NetApp ONTAP 7.3
  • NetApp ONTAP 8.0
  • NetApp ONTAP 8.1

Real-time change watching and resource activity tracking are not supported on versions of NetApp ONTAP™ filers earlier than 7.3.

NetApp Clustered Data ONTAP filers are not supported.

NetApp storage devices require additional configuration. See the NetApp managed host deployment appendix in the Dell™ One Identity Manager Data Governance Edition Deployment Guide.

EMC®

The following EMC devices are supported for scanning (remote managed host type):

  • EMC Celerra®
  • EMC VNX™
  • EMC Isilon®

The EMC Framework versions supported include:

  • Celerra Event Enabler (CEE) Framework 4.6.7
  • VNX Event Enabler (VEE) Framework 4.8.5 (through 5.1) or 7.1
  • Common Event Enabler (CEE) Framework 6.0 - 6.6

VNXe® is not supported. VNXe does not support CEPA at this time and therefore Data Governance Edition will not run successfully in VNXe environments.

EMC storage devices require additional configuration. See the EMC managed host deployment appendix in the Dell™ One Identity Data Governance Edition Deployment Guide.

SharePoint®

The following SharePoint versions are supported for scanning (local managed host type):

  • SharePoint Server 2010
  • SharePoint Server 2013

The SharePoint agent computer requires:

  • 100 GB disk space for data storage and scan post-processing activities.

    NOTE: The space required depends on the number of sites, lists and document libraries, and on the number of unique permissions gathered from the farm.

  • 8 GB RAM for scan processing on that server.

Standalone farms are not supported.

Farms configured with only local users and groups are not supported.

DFS Root

Active Directory® DFS on Windows Server 2003 R2 and later

Minimum permissions

Active Directory® account running the Manager

  • Must have an associated One Identity Manager Employee.
  • The Employee must be assigned the Data Governance/Administrators application role or the Data Governance/Access Managers application role.

Service account assigned to a managed domain

  • Log On as a Service local user right on the Data Governance server.
  • Local Administrator rights on Data Governance agent computers.

    NOTE: If you see errors after granting Local Administrator rights, log off and log on again on the computer where the right was granted.

  • If the service account is not a member of the Domain Users group (for example, a user from domain A is used to manage trusted domain B), additional rights are required. See Deployment Requirements in the Dell One Identity Data Governance Edition Deployment Guide for more details.

SQL® service account for connection with the Data Governance resource activity database

  • dbcreator server role, required to create the database during initial configuration of Data Governance Edition.
  • db_owner database role, required to work with the database.

SQL service account for connection with the One Identity Manager database

  • db_owner role for the One Identity Manager database.

Service account for an agent on local Windows® managed hosts

  • The agent runs under the Local System account. No additional rights are required.

Service account for an agent managing remote Windows managed hosts

  • Local Administrator rights on the managed host.

    NOTE: If you see errors after granting Local Administrator rights, log off and log on again on the computer where the right was granted.

  • Log On as a Service local user right on the agent computer. (This is granted automatically when the agent is deployed.)

Service account for an agent managing SharePoint® farms

  • Must be the SharePoint farm account (the same account that runs the SharePoint timer service and the One Identity Manager service (job server)). This account must also be a member of the Administrators group on the SharePoint server.
  • Log On as a Service local user right on the agent computer. (This is granted automatically when the agent is deployed.)

Service account for an agent managing NetApp® filers

  • Log On as a Service local user right on the agent computer. (This is granted automatically when the agent is deployed.)
  • Must be a member of the Administrators group on the NetApp filer in order to create the FPolicy®.
  • Must have permission to access the folders being scanned.

One Identity Manager service (job server) account used for scheduling Data Governance Edition reports

  • Must have an associated One Identity Manager Employee.
  • The Employee must be assigned both the Data Governance/Administrators and the Data Governance/Access Managers application roles.

Active Directory account used by the AppServer to establish communication between the Data Governance server and the Manager

  • Must have an associated One Identity Manager Employee.
  • The Employee must be assigned both the Data Governance/Administrators and the Data Governance/Access Managers application roles.

    NOTE: This account must be set as the AppServer application pool identity in Internet Information Services (IIS) Manager. If the AppServer application pool is left on the default Network Service identity, Data Governance Edition reports will fail to generate.

For more information on granting permissions, see the Dell™ One Identity Manager Data Governance Edition Deployment Guide.
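Two of the rights listed above recur for agent hosts: membership in the local Administrators group and the "Log On as a Service" user right (SeServiceLogonRight). The function below, an added example that is not part of the product or its deployment guide, verifies both for a given account on the computer where it runs. It compares Administrators membership by SID (so a NetBIOS or UPN spelling of the same account resolves identically) and reads the user-rights assignment from a secedit export. The account name in the usage line is a placeholder; run it in an elevated session, since secedit needs administrative rights to export the local policy.

```powershell
# Added example (not from the product documentation): check the two local rights
# the permissions table requires of an agent service account on this computer.

function Test-DgeAgentServiceAccount {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Resolve the account to its SID; secedit writes principals as *S-1-5-... in the export.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Direct members of the local Administrators group, via ADSI so this also works on
    # Windows Server 2008/2008 R2 hosts where Get-LocalGroupMember is unavailable.
    $group      = [ADSI]'WinNT://./Administrators,group'
    $memberSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }

    # Export only the user-rights area of the local policy and read SeServiceLogonRight.
    $inf = Join-Path $env:TEMP ('dge-rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    $grantees = @()
    if ($line) {
        # Right-hand side is a comma-separated list such as *S-1-5-80-0,*S-1-5-20
        $grantees = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }

    New-Object PSObject -Property @{
        Account           = $Account
        Sid               = $sid
        IsLocalAdmin      = ($memberSids -contains $sid)
        # Only a direct grant is visible here; a right inherited through a group
        # that holds SeServiceLogonRight is not detected.
        HasLogOnAsService = ($grantees -contains $sid) -or ($grantees -contains $Account)
    }
}

# Usage (the account name is a placeholder for the managed-domain service account):
Test-DgeAgentServiceAccount -Account 'CORP\svc-dge-agent' | Format-List Account, Sid, IsLocalAdmin, HasLogOnAsService
```

Both results being True is necessary but not sufficient: the table also notes that a freshly granted Local Administrator right may not take effect until the account logs off and on again, which no static check can observe.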

Required ports

Port            Direction   Description
----            ---------   -----------

8721            Incoming    TCP (HTTP) port opened on the Data Governance server computer. Used for communication with Data Governance agents.

                            NOTE: The Data Governance agents fall back to the HTTP port if WCF communication fails.

8722            Incoming    TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with PowerShell, One Identity Manager clients, and Dell One Identity Manager Web Server.

                            NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above must always be one less than the net.tcp port. These first two ports correspond to the base addresses in the Dell.DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you change the port only through the Data Governance Configuration wizard, so that the configuration file, the One Identity Manager database and the service connection points are all updated consistently; otherwise you may lose the connection between the Manager, the Data Governance service and/or the Data Governance agents.

                            IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

8723            Incoming    HTTP protocol and REST services. Used for communication with PowerShell, One Identity Manager clients and the web server.

18530 - 18630   Incoming    TCP port range opened on all agent computers. Used for communication with the Data Governance server. The first agent on an agent host uses port 18530, and each subsequent agent on the same host takes the next available port (18531, 18532, and so on).
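The port table gives an administrator three things to verify from an agent host: that the server's HTTP, net.tcp and REST ports are reachable, that the HTTP port really is the net.tcp port minus one, and that the agent's own listener range 18530-18630 is open inbound. The PowerShell below is an added example, not part of the product or its documentation. The server name is a placeholder and the port values assume the wizard defaults; the firewall rule is scoped to the Data Governance server's address rather than to any source, which the table does not require but is the least-privilege way to expose an agent listener.

```powershell
# Added example (not from the product documentation): check the documented port
# layout from an agent host and open the agent listener range on the local firewall.

$DgeServer  = 'dge-server.corp.example'   # assumption: Data Governance server FQDN
$NetTcpPort = 8722                        # assumption: wizard default
$HttpPort   = 8721                        # assumption: wizard default
$RestPort   = 8723

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Raw TcpClient connect with a timeout, so this also runs on Windows Server
    # 2003/2008 agent hosts where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The HTTP port must be exactly one less than the net.tcp port; anything else
#    means the ports were changed outside the Data Governance Configuration wizard.
if ($HttpPort -ne ($NetTcpPort - 1)) {
    throw "HTTP port $HttpPort must be one less than the net.tcp port $NetTcpPort"
}

# 2. Reachability of the three server-side ports from this agent host.
foreach ($port in @($HttpPort, $NetTcpPort, $RestPort)) {
    $reachable = Test-TcpPort -ComputerName $DgeServer -Port $port
    '{0}:{1} reachable = {2}' -f $DgeServer, $port, $reachable
}

# 3. Open the agent listener range inbound, restricted to the server's IPv4 address
#    and to the domain profile. netsh is used rather than New-NetFirewallRule so the
#    same command works on Windows Server 2008/2008 R2.
$serverIp = ([System.Net.Dns]::GetHostAddresses($DgeServer) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1).IPAddressToString

netsh advfirewall firewall add rule `
    name="DGE Agent 18530-18630 (inbound from Data Governance server)" `
    dir=in action=allow protocol=TCP localport=18530-18630 `
    remoteip=$serverIp profile=domain
```

The range covers 101 ports even though a host with a single agent only listens on 18530; if the server's address changes, the rule must be updated, which is the price of not opening the range to the whole network.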

Screenshots

  • Governed Data Overview: high-level overview of governed data.
  • Recent Activity: governed data activity, showing who has accessed the data over a period of time.
  • Governed Data Reports: quickly run governed-data-related reports.
  • Governed Data Risk: properties and assignments contributing to the risk index calculation.
  • Governed Data Attestation: current and forecast information on pending attestation runs.
  • SharePoint Usage: shows employees who have, or may have, access to SharePoint resources.