Data Governance Edition
Data Governance Deployment Guide
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND
CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters
LEGAL Dept 5 Polaris Way
Aliso Viejo, CA 92656 email: [email protected]
Refer to our Web site (www.quest.com) for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, and Simplicity at Work are trademarks of Quest Software and its subsidiaries. See http://www.quest.com/legal/trademarks.aspx for a complete list of Quest Software’s trademarks. Other trademarks are property of their respective owners.
Quest One Identity Manager Data Governance Edition - Data Governance Deployment Guide Updated - October 2012
Software Version - 6.0
Third Party Contributions
Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.
COMPONENT: LICENSE OR ACKNOWLEDGEMENT
ZLib.NET: License notice
Copyright (c) 2006, ComponentAce http://www.componentace.com All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of ComponentAce nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Google Open Sans 1.0: Copyright © January 2004 (http://www.apache.org/licences). Apache 2.0 License.
JQuery 1.7.1: Copyright © 2011, John Resig. MIT License.
JQuery UI 1.8.20: Copyright © 2011, John Resig. MIT License.
Mono.Security 2.0.3600.1: Copyright © 2004 Novell, Inc. (http://www.novell.com). MIT License.
Novell.Directory.LDAP 2.1.9.0: Copyright © 2003 Novell, Inc. (http://www.novell.com). MIT License.
SharpZipLib 0.85.4.369: Copyright © 2001-2007 Mike Krueger, John Reilly. SharpZipLib License.
spin.js 1.2.2: Copyright © 2011 Felix Gnass [fgnass at neteye dot de]. MIT License.
Windows Installer XML toolset (aka WIX) 3.5.2519.0: Common Public License 1.0.
ZLib.NET 1.0.3: Copyright © 2006, ComponentAce (http://www.componentace.com). All rights reserved.
SYSTEM REQUIREMENTS . . . 9
INSTALLATION AND CONFIGURATION . . . 13
INSTALL QUEST ONE IDENTITY MANAGER DATA GOVERNANCE EDITION . . . 19
CONFIGURE QUEST ONE IDENTITY MANAGER COMPONENTS . . . 20
CREATE THE IDENTITY MANAGER DATABASE, AND DEPLOY THE DATA GOVERNANCE SERVER AND ACTIVITY DATABASE FROM THE CONFIGURATION WIZARD . . . 21
CONFIGURE THE IDENTITY MANAGER SERVICE . . . 27
SYNCHRONIZE ACTIVE DIRECTORY WITH IDENTITY MANAGER . . . 29
SET UP CONNECTIVITY WITH SHAREPOINT . . . 31
INSTALL THE WEB PORTAL . . . 40
MAP EMPLOYEES TO DATA GOVERNANCE APPLICATION ROLES . . . 54
CONFIGURE DATA GOVERNANCE COMPONENTS . . . 55
READYING SERVICE ACCOUNTS AND DOMAINS FOR DEPLOYMENT . . . 55
DEPLOYING FILE SERVER MANAGED HOSTS . . . 55
DEPLOYING SHAREPOINT MANAGED HOSTS . . . 57
ABOUT QUEST SOFTWARE . . . 59
CONTACTING QUEST SOFTWARE, INC. . . . 60
1 Introduction
• About this Guide
• Deployment Overview
• System Requirements
About this Guide
This document contains the information required to install and configure Quest One Identity Manager Data Governance Edition. It provides step-by-step instructions to help you specifically set up and configure Data Governance functionality.
This document is for network administrators, consultants, analysts, and IT professionals responsible for deploying Data Governance in their organization.
Deployment Overview
Installation and Configuration Overview
The following activities must be performed to have a fully functional Data Governance deployment:
• Install Quest One Identity Manager Data Governance Edition
• Configure the Identity Manager database
• Set up the Data Governance Server
• Configure the Data Governance activity database
• Synchronize your target environments (Active Directory and SharePoint)
• Install the Web Portal
• Map employees with the required Data Governance application roles
• Deploy Managed Hosts
Recommended Installation
• Install Quest One Identity Manager Administrative and System Configuration tools on Windows workstation
• Install Quest One Identity Manager Server Service on Windows Server with good connectivity to a database server
• Install Quest One Identity Manager database on a dedicated Windows SQL Server
• Install Quest One Identity Manager Web Portal on a dedicated Windows IIS Server
System Requirements
Before installing Quest One Identity Manager, ensure that you meet the following minimum requirements:
Database Server Requirements
Quest One Identity Manager works with Microsoft SQL and Oracle database systems.
Operating System:
• Microsoft Windows Operating Systems: Windows Server 2003 Service Pack 2 or later, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit)
• UNIX and Linux Operating Systems: See Operating System vendor for minimum requirements needed to host an Oracle database
Additional Software:
• Microsoft SQL Server Enterprise Edition 2008 Service Pack 3 or later, Microsoft SQL Server Enterprise Edition 2008 R2 Service Pack 1 or later (compatibility level: 10)
• Oracle database 11g r2 Enterprise Edition version 11.2 and higher (patch level will vary with operating system platform).
Service Server Requirements
Operating System:
• Microsoft Windows Operating Systems: Windows Server 2003 Service Pack 2 or later, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit)
• Linux Operating Systems: SuSE Enterprise Server 10
Additional Software:
Microsoft Windows Operating Systems
• Microsoft Software Installation (MSI) Service
• .Net 3.5 Service Pack 1 or later
Linux Operating Systems
• Mono 2.8
Client Requirements
Operating Systems:
• Microsoft Windows Operating Systems: Windows XP Service Pack 3 or later, Windows Vista, Windows 7 (32 bit or non-Itanium 64 bit)
Additional Software:
• Microsoft Windows Operating Systems: .Net 3.5 Service Pack 1 or later, Microsoft Software Installation (MSI) Service, Windows Internet Explorer 7.0 or later, Mozilla Firefox 3.0 or later
Web Server Requirements
Operating System:
• Microsoft Windows Operating Systems: Windows Server 2003 Service Pack 2 or later, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit)
• Linux Operating Systems: See Operating System vendor for minimum requirements needed to host Apache HTTP Server 2.1
Additional Software:
Microsoft Windows Operating Systems
• Microsoft Internet Information Service 7 or Apache HTTP Server 2.1
• .Net 3.5 Service Pack 1 or later
Linux Operating Systems
• Apache HTTP Server 2.1
• Mono 2.8
Data Governance Server
System Requirements:
• Windows Server 2003, Windows Server 2003 (R2), Windows Server 2008, Windows Server 2008 (R2), Windows SQL Server 2008 (R2) (64 bit non-Itanium)
• quad core CPU
• 1024 x 768 screen resolution with 16-bit color
• 100 GB free disk space
• 16 GB RAM
Software Requirements:
• .Net 3.5 Service Pack 1 or later
• Microsoft SQL Server 2005 Enterprise Edition Service Pack 3 or later, Microsoft SQL Server Enterprise Edition 2008 Service Pack 1 or later (compatibility level: SQL Server 2005 (90))
• Oracle database 10g Enterprise Edition version 10.2.0.4 and later or Oracle database 11g r2 Enterprise Edition version 11.2 and later (patch level will vary with operating system platform).
To configure a Data Governance server, the user must belong to the Administrators group of the computer hosting the server.
Account Requirements:
• You must be an administrator of the computer on which you are installing the Data Governance Server.
• You must have the credentials of an account that can be used to create a database on the SQL server being used by the Data Governance Server.
• You must have the credentials of an account that can be used as a Service Account for your managed domains.
• For both the Web Portal and the Data Governance front ends, users must be logged in with an Active Directory user account from an Active Directory domain that is in the Identity Manager database.
Quest only provides a 64-bit server for Data Governance. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.
When using SQL Server as the backing database, you must use SQL Server Authentication with the Data Governance Server. Windows Integrated Authentication must not be used.
Agent Requirements
System Requirements
• Update Rollup 1 for Windows Server 2000 with Service Pack 4, Windows Server 2003, Windows Server 2003 (R2), Windows Server 2008, or Windows Server 2008 (R2) (32 bit or non-Itanium 64 bit)
• 500 MHz+ Processor
• 1024 MB RAM
• 100 MB free disk space for every 1,000,000 files / folders scanned
Real-time file system updates and resource activity tracking are not supported on versions of ONTAP NetApp filers earlier than 7.3.
Additionally, the following Network Attached Storage devices are supported as managed hosts, but must be scanned remotely: NetApp 7.3 and 8.1 (Data ONTAP)*, EMC Celerra 5.6 with Server Message Block 1.0. Windows 2008 and Windows 2008 (R2) failover clusters are supported as remote managed host types. Resource activity tracking is not supported for clusters.
Data Governance Activity Database
System Requirements:
• quad core CPU
• 100 GB free disk space
• 16 GB RAM
Report Requirements
• For Data Governance reports to function, proper authentication checks must be performed. This is accomplished by configuring the job server service to log on as an Active Directory account associated with an Employee who has been assigned the Data Governance Administrator application role. This job server must be configured with the SMTP Host server mask to ensure it is the job server that runs the reports.
SharePoint Requirements/Recommendations
• Scanning SharePoint Server 2010 is supported.
• Standalone farms are not supported.
• Farms configured with only Local Users/Groups are not supported.
• Recommend installing the agent on a dedicated SharePoint 2010 Application Server in the farm and not on a Web Front End server (to reduce processing load on the web front end server).
• Recommend 100 GB disk space on the SharePoint agent computer for data storage and scan post-processing activities. The space required depends on the number of sites, lists, and document libraries and the number of unique permissions gathered from the farm.
• Recommend 8 GB RAM for the SharePoint agent computer.
• Ensure that the service account configured for the SharePoint managed host is a SharePoint Farm Account (same account that is used to run the SharePoint timer service).
Web Portal Requirements
• If the web server hosting the Quest One Identity Manager Web Portal is running on the same computer as the Data Governance server, you must set the ‘ImpersonateWcfCalls’ IIS application setting to TRUE.
• If the web server hosting the Quest One Identity Manager Web Portal is running on a different computer than the Data Governance server, you must include entries in the ‘ExplicitlyAllowedIdentities.txt’ file for the IIS host computer's Active Directory account.
• To access Quest One Identity Manager Data Governance Edition functionality in the Web Portal, you must configure IIS to use Integrated Authentication.
2 Installation and Configuration
• Upgrade Quest One Identity Manager 6.0 to Quest One Identity Manager 6.0 Data Governance Edition
• Install Quest One Identity Manager Data Governance Edition
• Configure Quest One Identity Manager Components
• Configure Data Governance Components
Upgrade Quest One Identity Manager 6.0 to Quest One Identity Manager 6.0 Data Governance Edition
If you already have Quest One Identity Manager 6.0 installed, you can upgrade to Quest One Identity Manager 6.0 Data Governance Edition using the following steps.
To upgrade to Data Governance Edition
1. Open the Designer and select the Base Data tab.
2. Select Configuration parameters, and then select Edit configuration parameters in the Tasks pane.
To upgrade existing components from Quest One Identity Manager to Quest One Identity Manager Data Governance Edition, you must enable the Data Governance (QAM) components in the Designer before running the Configuration wizard.
3. Expand Target System | ADS | QAM.
5. Click Save on the confirmation dialog box.
6. Select the Database menu, then compile the database and follow the Configuration Wizard.
7. Run the Quest.Titan.Client.Q1IM.UpgradeConfigurationWizard.exe.
8. Select the database server type where the Quest One Identity Manager database is installed and enter the required connection information.
9. Enter the fully qualified domain name of the computer where the Data Governance server service is or will be installed. If this is a first time installation for the Data Governance server, click Deploy to install the Data Governance server service on the specified computer.
10. Select the database where you would like to install the Data Governance resource activity database, and specify the required connection information.
11. Specify any additional information required for creating the Data Governance resource activity database.
12. Wait while the Data Governance resource activity database is created and the Data Governance server is configured, and click Finish.
Quest One Identity Manager 6.0 Data Governance Edition is now ready for use. For details on configuration options, see Configure Data Governance Components on page 55.
Install Quest One Identity Manager Data Governance Edition
To install Identity Manager Data Governance Edition
1. On a Windows Workstation, run the Quest One Identity Manager Autorun, select the Components tab, and choose Complete Installation to install the Administration tools including the Data Governance User Interfaces and appropriate services.
2. Accept the license agreement, and click Install.
You can now use the Configuration Wizard to create the Identity Manager Database Service and deploy and configure the Data Governance Server.
3. Select the Run Configuration Wizard and click Finish. For details, see Create the Identity Manager Database, and Deploy the Data Governance Server and Activity Database from the Configuration Wizard on page 21.
Configure Quest One Identity Manager
Components
For a fully functional Identity Manager setup, you need to:
• Create and configure the Identity Manager database and deploy the Data Governance Server and Activity database
• Synchronize Quest One Identity Manager with target systems (Active Directory and SharePoint) so that users can access data.
• Install the Web Portal so that users can access data from the self-service web site.
• Map Employees to the application roles required to perform Data Governance operations within the system.
Create the Identity Manager Database, and Deploy the Data Governance Server and Activity Database from the Configuration Wizard
The following procedure describes the steps required to create the Identity Manager Database Service (for configuration details, see Configure the Identity Manager Service on page 27) and deploy the Data Governance Edition components.
To setup the required components
1. In the Configuration Wizard, select Create and install database, and click Next.
This procedure will highlight an SQL installation.
2. Select the database system, enter the connection information, and click Next.
It is recommended to use the SQL Server System Administrator account. Do not use Windows Authentication.
3. Enter a name for the database leaving all other settings as the default. In the Installation source field, browse to and select the Quest One Identity Manager Autorun.exe file, and click Next.
Identity Manager Data Governance Edition requires a number of “modules” to be enabled in order to provide the proper connectivity to Active Directory, File System, and SharePoint as well as presenting IT and business functions throughout the product.
4. Select Data Governance Edition, and expand the Target system Connectors.
5. Select Microsoft Active Directory and the sub-entry Microsoft SharePoint 2010, and click Next.
You are now ready to define customer data and create the administrative user accounts for the database connection.
customer-specific content.
7. Provide one or several customer Identity Manager System administrator user accounts/passwords.
These system accounts have the same permissions as the default Quest-provided viAdmin account, which should not be customized (except for the password).
The task to install and compile the database will take approximately 30 minutes to run.
8. Click Next once the compile has completed.
9. Select the Skip service installation option to skip the configuration of the Identity Manager Database service, and click Next. The configuration of the Identity Manager database service can be performed once you have completed this wizard. See Configure the Identity Manager Service on page 27 for details.
You are now ready to configure the Data Governance components.
10. Enter the DNS name of the server where the Data Governance server will be installed and the port it will communicate on, and select Deploy. When the deployment has completed, click Finish, then click Next.
You are now ready to configure the Data Governance Activity Database.
11. Enter the information for the SQL server where Quest One Identity Manager was installed and where the Data Governance Activity Database will be installed, and click Next.
12. Enter the database options, and click Next.
The default values can be used.
13. Once the Data Governance server and database have been installed, click Next.
14. Click Finish to complete the Configuration Wizard.
15. Log on to the server where the Autorun setup was completed, open the Services console, and select the Quest One Identity Manager Service. Change the Log On for the Quest One Identity Manager Service to the account to be used to connect to the database.
Configure the Identity Manager Service
To configure the Identity Manager Service
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Configuration | Designer.
When you open the Designer, you must first connect to the database.
2. Enter the Administrator user account and password, and click Connect.
3. In the Navigation view, select and double-click Base Data.
4. Select the database server from the list of job servers, and select Edit Job server from the Tasks list.
5. From the Server mask option, include Identity Manager Service Installed, then select the Identity Manager Service Configuration tab.
6. Select Process collection from the module list, and click Insert.
7. Select the MSSqlJobProvider module and click OK.
8. Select the new MSSqlJobProvider module from the list, highlight the Connection string entry, and click Edit.
There is an option to install a standalone Server Service from the Autorun. It is not recommended to install this option on a computer where you have Quest One Identity Manager installed. If you do, it will not only add the service, but also remove any previously installed management tools such as the Manager and Designer. The standalone Server Service installation is intended only for computers without Quest One Identity Manager management tools.
9. Enter the parameters for connecting to the newly installed Quest One Identity Manager database, and click OK.
10. Select the Job Destination module, and click Insert. Select the JobServiceDestination module, and click OK.
11. Select the Log writer module, and click Insert. Select the FileLogWriter module, and click OK.
12. Select the Plugins module, and click Insert. Select the HttpStatusPlugin module, and click OK.
To test your settings and ensure you are accessing the database server correctly, select your database from the list instead of typing it in. If your database is available, then server, user and password values entered are correct.
exists, overwrite it.
14. Click the Commit to database button on the Designer’s tool bar.
15. On the Save changed object to the database screen, click Save.
16. From the server Services console, confirm that the Quest One Identity Manager Service is started. To ensure the new configuration is applied, restart the service.
Synchronize Active Directory with Identity Manager
To synchronize Active Directory
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Manager.
2. Enter the Administrator user account and password to connect to the Identity Manager database, and click Connect.
3. In the Navigation view, select My Identity Manager.
4. Select Target system wizards | Configure Active Directory.
5. Read the Welcome information, and click Next.
6. Enter the domain name (pre-windows format), and click Next.
7. Enter in the full domain name (DNS format) and administrator username and password.
The Parent domain is not a required field.
8. Use the default values for the Provider and Authentication, and click Next.
9. Select No for Should the domain users be managed using a user account resource, and click Next.
10. On the Destination Server page, select Create new server, and enter in the name of your domain controller (leave the port as 389).
11. On the Synchronization server page, select Use existing synchronization server, select the server where the Job Server is installed, and click Next.
12. When the import domain data process completes, click Next.
13. Create the synchronization schedule by clicking the + button.
14. Click Enabled and select your time zone and duration; select to make it for an unlimited duration and select a start date of today; select your occurrence (every 60 minutes for example), click OK and Next.
15. Click Next to begin the synchronization.
To ensure it was successful, open the Identity Manager, select Active Directory in the Navigation view, and browse the different nodes to verify that Active Directory objects are present.
Set up Connectivity with SharePoint
To have Quest One Identity Manager connected to a SharePoint server, you need to:
• Perform an Active Directory synchronization. For details, see Synchronize Active Directory with Identity Manager on page 29.
• Make Quest One Identity Manager aware of the server by registering it.
• Enable processes by creating and configuring the Job Server Service for it.
Register the Server with Quest One Identity Manager
Once Active Directory has been synchronized, all the servers in your domain will be visible in the following location.
To view your servers
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Identity Manager.
2. Enter the Administrator user account and password to connect to the Identity Manager database, and click Connect.
3. In the Navigation view, select Active Directory and browse to the Server node.
The systems in the Server folder are those identified during the Active Directory synchronization. The SharePoint server is located in the “Server hardware without server” folder.
Before you can create and configure the Job Server Service, you need to elevate the SharePoint server to the Server folder.
To elevate the server
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Identity Manager.
2. Connect with the viadmin user account and password.
3. In the Navigation view, select Active Directory and browse to the Server node.
4. Click the + button and enter the name of the server hosting SharePoint.
5. Select Language English.
6. Select the AD container where the computer is located.
7. Click Hardware and locate the SharePoint server.
8. Click Save.
Create and Configure the Job Server for a SharePoint Server
Creating and configuring the Job Server Service on a SharePoint server includes the following:
• Install the Job Server service on the SharePoint server
• Configure the Job Server service on the server that hosts the Identity Manager management tools
• Transfer the JobService.cfg file to the SharePoint server
• Restart or start the Job Server on the SharePoint server
Install the Job Server Service on the SharePoint Server
To install the Job Server Service
• Log on to the SharePoint computer, launch the Quest One Identity Manager Autorun, and select the Components | Server Service.
Configure the Job Server Service for the SharePoint Server
To configure the Job Server Service
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Designer.
2. Click Base Data, and select Job Server from the Navigation View.
The SharePoint Job Server Service is configured using the same procedure used for configuring the initial Job Server Service in the Designer. Because we elevated the SharePoint server, it will appear in the Base Data, Job server folder.
3. Select the SharePoint Job Server and select Edit Job Server.
4. From the Server mask option, include Identity Manager Service Installed, then select the Identity Manager Service Configuration tab.
5. Select Process collection from the module list, and click Insert.
6. Select the MSSqlJobProvider module and click OK.
This procedure is performed on the server where you have installed the Identity Manager man-agement tools.
7. Select the new MSSqlJobProvider module from the list, highlight the Connection string entry, and click Edit.
8. Enter the parameters for connecting to the newly installed Quest One Identity Manager database, and click OK.
9. Select the Job Destination module, and click Insert. Select the JobServiceDestination module, and click OK.
10. Select the Log writer module, and click Insert. Select the FileLogWriter module, and click OK.
11. Select the Plugins module, and click Insert. Select the HttpStatusPlugin module, and click OK.
You need to transfer the SharePoint Job Server configuration file to the SharePoint server and place it in the following folder: C:\Program Files (x86)\Quest Software\Quest One Identity Manager to overwrite any existing configuration file.
12. Click the Save button in the Identity Manager Service Configuration panel and save the file to the Quest One Identity Manager folder on the SharePoint server. Ensure that you do not save this file to the Quest One Identity Manager folder on the server hosting the management tools. If you do, you will overwrite the configuration file.
You can save the JobService.cfg file to SharePoint directly during configuration. For example, save the file to:
13. Click the Commit to database button on the Designer’s tool bar.
14. On the Save changed object to the database screen, click Save.
Restart or start the Job Server on the SharePoint Server
Before you start the Job Server, you need to ensure that the account you are using to run the Job Server service is the same as the SharePoint Timer service account.
To perform this check and restart or start the service
1. If the Quest One Identity Manager Service (Job Service) is running, stop it.
2. Check the SharePoint Timer service account and compare it to the account running the Job Server.
If these accounts do not match, then you need to change the Quest One Identity Manager Service Properties.
3. To change the Log On As account, right-click the service, and select Properties. Select the Log On tab and change the setting to use This Account. Enter the account information so it matches the SharePoint Timer service account, and click OK.
Once the service account has been set, you can then start the Quest One Identity Manager service.
browser on the SharePoint Job Server and connect to http://localhost:1880/log.
Red text indicates a problem. Note: Be sure to check the date and time to ensure the message is recent. The most common issue is the JobService.Initialize or an initialization string error. These issues can be corrected through the Job Service Configuration utility.
On the SharePoint Job Server, select Start | All Programs | Quest Software | Quest One Identity Manager | Target Systems | Job Service Configuration. Configure the Service with the values used to configure the Identity Manager Service.
Save your updates. You can test the new connection using the Verify option on the File menu.
5. Restart the Quest One Identity Manager Service.
The SharePoint Job Server is now configured and should be seen in the Job Info Queue.
You are now ready to perform a SharePoint synchronization.
Synchronize SharePoint with Identity Manager
Before you can proceed, you need to know your connection string. In the Registry on the SharePoint server, browse to Software | Microsoft | Shared Tools | Web Server Extensions | 14.0 | Secure | ConfigDB | key = DSN. Copy the string. (This can also be done from Central Admin – farm configuration database connection string.)
3. In the Navigation view, select SharePoint and the Farms node.
4. In the Result list, click the + button to add a SharePoint farm.
5. On the General tab, enter a name and display name for the farm.
6. Select to have it synchronized by Identity Manager.
7. Paste the configuration database connection string in the Connection parameter field.
8. Select the domain where the farm is located.
9. Enter and confirm the password.
This is the farm passphrase created during SharePoint configuration.
10. Click Save.
11. Select the Synchronization tab and select the Job Server on the SharePoint server. 12. Click Save.
You now need to check the account access.
13. On the SharePoint server, open the Services console and locate the service running as the farm account (the SharePoint 2010 Timer service).
14. Check the SharePoint 2010 Timer service credentials. Ensure that the account can access the Quest One Identity Manager database through the sysadmin server role. If required, you can add the role through SQL Server Management Studio. Use the same credentials as the Quest One Identity Manager Service. Note that sysadmin gives the account full control of the SQL Server instance, so use a dedicated service account for it rather than a shared one.
15. Restart the service.
You are now ready to configure and run the synchronization.
16. Return to the Quest One Identity Manager server and open the Manager.
17. In the Navigation view, select SharePoint and the Farms node. Select the previously created farm.
18. In the Task list, select Load the Mapping rules.
19. Click OK in the confirmation dialog.
20. In the Task list, select Load the Schema.
21. Click OK in the confirmation dialog.
Monitor the Job Queue to confirm that the Load the Schema and Load the Mapping rules tasks completed before performing the synchronization.
22. Select the farm, and in the Task view select Configure Synchronization.
23. Click the + button.
24. Enter a name, select Full Synchronization, and click OK.
25. Save your changes.
26. Click the + button (to the right of schedule).
27. Enter a name, select Enable, then select the time zone, start date, and unlimited duration.
28. Save your changes.
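The access check in steps 13 to 15, done from the command line as an added example that is not part of the Quest guide. It assumes the SQL Server instance that hosts the Quest One Identity Manager database is reachable as $IdmSqlInstance (replace the placeholder) and that your own Windows account can log in to it; the Timer service account is read from SPTimerV4 on the SharePoint server.

```powershell
# Added example (not from the Quest guide): verify that the SharePoint 2010
# Timer service account holds the sysadmin server role on the SQL Server
# instance hosting the Quest One Identity Manager database.
$IdmSqlInstance = 'IDMSQL01'   # assumption: replace with your Identity Manager SQL Server instance

$timerAccount = (Get-WmiObject Win32_Service -Filter "Name='SPTimerV4'").StartName
if (-not $timerAccount) { throw 'SPTimerV4 not found; run this on the SharePoint server.' }

# Connect with integrated security and ask SQL Server about the Timer account.
# IS_SRVROLEMEMBER returns NULL when the login does not exist at all,
# 0 when it exists but lacks the role, and 1 when it is a member.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$IdmSqlInstance;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
    [void]$cmd.Parameters.AddWithValue('@login', $timerAccount)
    $result = $cmd.ExecuteScalar()
} finally {
    $conn.Close()
}

if ($result -is [DBNull]) {
    Write-Warning "$timerAccount has no login on $IdmSqlInstance; create the login in SQL Server Management Studio first."
} elseif ([int]$result -eq 1) {
    "$timerAccount is a member of sysadmin on $IdmSqlInstance."
} else {
    Write-Warning "$timerAccount exists on $IdmSqlInstance but is not sysadmin; add the role as described in step 14."
}
```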
Configure SharePoint to Track Resource Activity
To gather and report on resource activity in SharePoint, you must ensure that SharePoint native auditing is properly configured for any resources of interest. You can also optionally install the Quest SharePoint Auditing Monitor farm solution to obtain activity for events not available in the native SharePoint auditing system.
Configuring Auditing on SharePoint Farms
You can enable auditing at different levels in the SharePoint farm. It is recommended that you enable auditing at the site collection level to ensure all events are collected. The methods available for configuring auditing vary depending on the SharePoint edition installed. In some cases, you can use Central Administration; in all cases you can use PowerShell. It is recommended that you enable all SharePoint native events to ensure maximum coverage for data governance activities, but you may choose a smaller set to improve performance if necessary.
Consult your Microsoft documentation for complete information on configuring auditing.
Installing the Quest.SharePoint.Auditing.Monitor Farm Solution
If you install the SharePoint farm solution, you can supplement the events captured by native auditing. Install “Quest.SharePoint.Auditing.Monitor.wsp” from the agent installation folder (by default Program Files\Quest Software\Data Governance\Agent Service.) Consult your Microsoft documentation for information on installing a farm solution.
This farm solution captures some events that are unavailable through native SharePoint auditing, specifically:
• Adding a folder
• Adding a library
• Renaming a list or library
• Creating a site
• Moving a site
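Enabling native auditing at the site collection level and checking the farm solution, as an added example covering both subsections above; this is not code from the Quest guide or from Microsoft. It uses the SharePoint 2010 object model and cmdlets, so run it in the SharePoint 2010 Management Shell as a farm administrator. The audit log retention value is an assumption; the guide does not prescribe one.

```powershell
# Added example (not from the Quest guide): turn on all native audit events on
# every site collection and confirm the Quest.SharePoint.Auditing.Monitor farm
# solution is present and deployed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# All gives maximum coverage. For a narrower set, build a flags mask instead, e.g.
# [Microsoft.SharePoint.SPAuditMaskType]'View, Update, Delete, SecurityChange'
$mask = [Microsoft.SharePoint.SPAuditMaskType]::All

Get-SPSite -Limit All | ForEach-Object {
    $site = $_
    try {
        if ($site.Audit.AuditFlags -ne $mask) {
            $site.Audit.AuditFlags = $mask
            $site.Audit.Update()
        }
        # Audit log trimming deletes events from the content database. Keep the
        # retention longer than the interval at which Data Governance collects
        # activity, or events disappear before they are gathered. 30 days is an assumption.
        $site.TrimAuditLog = $true
        $site.AuditLogTrimmingRetention = 30
        "{0}: audit mask = {1}" -f $site.Url, $site.Audit.AuditFlags
    } finally {
        $site.Dispose()
    }
}

# The farm solution supplements native auditing; it does not replace it.
$wsp = Get-SPSolution | Where-Object { $_.Name -eq 'quest.sharepoint.auditing.monitor.wsp' }
if (-not $wsp) {
    Write-Warning 'Farm solution not added. Use Add-SPSolution -LiteralPath <path to the .wsp>, then Install-SPSolution.'
} elseif (-not $wsp.Deployed) {
    Write-Warning "Farm solution $($wsp.Name) is added but not deployed (state: $($wsp.DeploymentState))."
} else {
    "Farm solution $($wsp.Name) deployed: $($wsp.DeploymentState)"
}
```

Setting AuditFlags to All on large, busy site collections increases write load on the content database; if that matters, start with the narrower mask and widen it once you have measured.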
Mapping SharePoint Events to Data Governance Events
When you track resource activity using Data Governance, the results appear in views, reports, and dashboards. To simplify things, SharePoint events are grouped for easier reporting. The following table outlines the events you will see in your reports, and the corresponding native SharePoint events.
You must enable SharePoint native auditing. The farm solution is not a replacement for native auditing, it is an enhancement.
Data Governance Events
DATA GOVERNANCE EVENTS   NATIVE SHAREPOINT EVENTS
Create                   Undelete
                         Item copied
                         Item added
Move                     Item moved
                         Item restored from Recycle Bin
                         Item renamed
Read                     Checkout
                         View
Security Change          Audit mask change
                         Inheritance breakage
                         Inheritance restore
                         Permission level granted
                         Permission level revoked
Write                    Item checked in
                         Item updated
                         Version deletion
                         Version restored
                         Attachment added
Install the Web Portal
Before installing the Web Portal, IIS must be configured with the following minimum settings.
To configure IIS for the Web Portal installation
1. Select Start | Administrative Tools | Server Manager.
2. In the Server Manager, expand Roles, and then click Web Server (IIS). In the Web Server (IIS) pane, scroll to the Role Services section, and click Add Role Services.
The Add Role Services dialog box opens.
3. Ensure the following role services are enabled.
4. Select ASP.NET. In the Add Role Services dialog box, click Add Required Role Services.
7. Click Close to complete the process.
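The IIS role service setup above, done with the Server Manager cmdlets instead of the wizard, as an added example that is not part of the Quest guide. The list in step 3 is not reproduced on this page, so the example installs only what the guide names elsewhere: ASP.NET (step 4) and Windows Authentication (required by the Web Installer, see the troubleshooting note in step 8 of the install procedure); the feature names are the Windows Server 2008 R2 ones.

```powershell
# Added example (not from the Quest guide): install the IIS role services the
# Web Portal needs and verify they are present. Run as an administrator.
Import-Module ServerManager

# Web-Asp-Net pulls in .NET Extensibility and the ISAPI extensions/filters it
# depends on; Web-Windows-Auth is what the Web Installer checks for.
$features = 'Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Mgmt-Console'

$result = Add-WindowsFeature -Name $features
$result | Format-List Success, RestartNeeded
if (-not $result.Success) { throw 'Add-WindowsFeature reported failure; check the Server Manager log.' }

# Verify every requested role service is actually installed before running the Web Installer.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Still missing: ' + (($missing | ForEach-Object { $_.Name }) -join ', '))
} else {
    'All requested IIS role services are installed.'
}
```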
To install the Web Portal
1. Select Start | All Programs | Quest Software | Quest One Identity Manager | Configuration | Web Installer.
2. Select to install a new application and click Next.
3. Connect to the database by entering the Quest One Identity Manager Administrator account and password, and click Next.
4. In the Select setup target page, accept all default settings.
5. Select the icon beside the “Authentication for sub project is missing” warning to add the required authentication.
The database login screen opens.
7. The user account should be entered by default as the Quest One Identity Manager Administrator account. If not, then add the account. Enter the password, and click Connect.
8. Once all warnings are clear, select Next.
If you get the following error, you need to ensure that you have installed the Windows Authentication role service for the web server. See step 2 in this procedure.
For information on the Windows Authentication role service required for different software versions, see http://www.iis.net/ConfigReference/system.webServer/security/authentication/windowsAuthentication.
9. In the Applications to install window, accept the default entries, and select Next.
There are two web sites included in this install, English and German. When you log in to the Web Portal, you can select the language you want to use. This directs the login to the correct web site.
A dialog box opens with the Web Portal web site address. Note this address to log on to the Web Portal.
10. Click OK to begin the installation.
After the two web sites have been installed, the installer tries to verify the application start-up. This process may take a long time. You can select Cancel to end this process if required; this does not appear to harm the Web Portal install.
11. Click Next (or Cancel) to complete the setup process.
12. Click Finish.
To log on to the Web Portal
1. Open a browser and enter the web page created during the installation.
2. Log in with an appropriate account.
Troubleshoot Web Portal Issues
Open a browser and enter the web page created during the installation.
If the default web site does not work, enter the following URL: http://servername/IdentityManager. Where “servername” is the server where you installed the Web Portal.
If you receive the following error, it means a System Configuration parameter has not been enabled correctly.
To avoid the problem when installing through the ‘old’ DB Installer, ensure that the parameters are set as shown below:
To solve the issue on the current install, open the Designer and navigate to Base Data | Configuration Parameters, then select Edit Configuration Parameters. Set the proper parameters, commit them to the database, and then recompile the database.
Browse the Web Portal from a Windows Server
When using a Windows Server to browse to the Web Portal, you need to disable Internet Explorer Enhanced Security Configuration (IE ESC). Bear in mind that IE ESC is a hardening setting for the server; disable it only for the administrators group if possible, or add the Web Portal URL to the Trusted sites zone instead and browse from a workstation for day-to-day use.
To set up IE to browse the Web Portal
1. Select Start | Administrative Tools | Server Manager.
2. Select Configure IE ESC.
Map Employees to Data Governance Application Roles
For employees to access the full range of Data Governance features, you need to grant the appropriate application roles.
The following application roles are specifically for Data Governance. They are to be used in conjunction with Quest One Identity Manager application roles.
• Data Governance\Access Managers
Members of this role can access all information related to Data Governance, and can query information from Data Governance agents. Additionally, they can modify the security of objects contained on managed hosts.
• Data Governance\Administrators
Members of this role can perform all administrative tasks necessary for the management of Data Governance. This includes deploying and configuring managed hosts, managing data access, editing security, and placing data under governance.
• Data Governance\Business Owner
Members of this role can view information on resources they own.
• Data Governance\Direct Owners
This role is held by accounts and roles marked as the owners of resources within Data Governance.
To assign application roles
1. In the Quest One Identity Manager Navigation view, select Employees.
2. In the Results list, select the required employee.
3. In the Task view, select Assign Identity Manager application roles.
Configure Data Governance Components
You need to perform the following Data Governance-specific setup and configuration procedures:
• Identify the domains that you want to access and provide the credentials that can perform operations on those resources.
• Select the domains that contain the computers and data that you want to manage.
• Add the hosts that hold the resources that you want to manage.
Readying Service Accounts and Domains for Deployment
Before you can gather information on the data in your enterprise, you must:
• Add and assign the credentials (service accounts) to ensure that you can access resources on the computers within the domain.
• Select the domains that contain the computers hosting data that is of interest to you.
To add a service account
1. In the Data Governance Navigation view, right-click Service accounts, and select New.
2. In the Change master data form, select the Active Directory account, and enter the password and comments.
3. Save your changes.
Data Governance requires administrative rights on the computers in the target domains in order to scan them. This is established by adding the domains and assigning a service account. Because that account is a local administrator on every scanned computer, treat it as a highly privileged credential: use a dedicated account with a long, unique password and do not reuse it for interactive logons.
To enable Data Governance Server to interact with computers in a domain
1. Select Active Directory in the Quest One Identity Manager Navigation view and expand the domains node.
2. Select the required domain, and click Change master data in the Tasks view.
3. Select the Active Directory tab, and select the Data Governance account.
4. Save your changes.
Deploying File Server Managed Hosts
Open the Identity Manager Administration Tool and connect with an Employee mapped to an Active Directory account with Domain Admin privileges.
You have the option of adding a local or remote Windows computer, a Windows cluster, EMC or NetApp devices, or SharePoint farm as a managed host. You can also add multiple managed hosts at once.
To add a managed host with a local agent
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
4. Select the General tab, and the computer to scan from the Server list.
You must now decide if you want to enable resource activity tracking for the agent.
5. Select the Resource Activity tab, and configure the resource activity tracking.
6. Select the Aggregation period. As resource activity is continuously tracked, this period is used to group together the results over a period of time.
7. To limit network traffic, select Enable activity synchronization window.
8. To exclude accounts and objects from tracking, click the Manage Exclusions button and select the objects to exclude.
a) Select to add or remove users or groups, file extensions or folders to be monitored for resource activity.
b) Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude.
For file extensions, you can enter a Category name to group any extensions you add to the exclusions list.
c) Select OK to save the changes.
9. To selectively scan a host, select the Security Index Roots tab, and select Add security index roots from the Tasks view.
For a local host, you need to add and save your changes before you can add a security index root. For a remote host, you need to add and save your changes, then add an agent and save your changes before you can add a security index root.
10. Choose the directory to be scanned and the required agent, and click OK.
Local agents by default scan all local fixed volumes on their host computer.
11. Save your changes.
To add a managed host with a remote agent
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select the Remotely Managed Windows Computer option, and click Add.
For remotely managed hosts, the first remote agent should be added during the host’s initial deployment. You can manually add more remote agents later, if needed.
4. Select the General tab, and the computer to scan from the Server list.
Real-time file system security index updating and Rescan on error are checked by default.
5. Save your changes.
6. Select the Agents tab, and click Add agent in the Tasks view.
7. Select the agent host computer from the Server location list, and select a service account with sufficient permissions to access both the target computer and the agent host. Save the agent data.
An agent requires a service account that has the right to read security information on the re-
When you install a locally managed host, you have the option of automatically installing the agent with the host, or manually installing the agent at a later date. Although it is recommended that you install the agent with the host, so you can properly configure it, if you are unable to do so due to a firewall or other security issues, you can manually install it after you set up the managed host. On the Agent Details page, choose External for the deployment method, and then run the Agent.msi file located in the Data Governance installation folder on the locally managed host.
More than one remote agent may be configured to scan a managed host provided each agent scans different security index roots. A given security index root can be scanned by only one agent.
10. Select Add security index roots in the Tasks view, select the required roots, and click OK.
11. Save your changes.
The Data Governance server adds the managed host (once it has been added and saved) and deploys the agents (once they have been configured and saved) to scan for information.
Deploying SharePoint Managed Hosts
Ensure that ports 8721 and 8722 are open on the Data Governance Server so that agents can communicate with it. Opening just these two ports, restricted to the networks the agents sit on, is preferable to disabling the firewall on the server.
Open the Identity Manager Administration Tool and connect with an Employee mapped to an Active Directory Account with Domain Admin privileges.
SharePoint farms are similar to remotely managed hosts in that they require an associated service account, even though they are installed locally on a SharePoint server. Like a locally managed host, you have the option of selectively including and excluding objects to be scanned by its agent.
In the Navigation view, select Data Governance | Service Account. Create a new Service Account and use the appropriate Active Directory account (use the same credentials as those of the Job Server and SharePoint 2010 Timer service).
To add a SharePoint managed host
1. In the Navigation view, select Managed hosts.
2. In the Tasks view, select Add managed host.
3. Select SharePoint Farm, and click Add.
4. Select the General tab, and the SharePoint farm to scan from the drop-down list.
5. Select the Agent Details tab, and select the required service account.
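Opening the two agent ports with a scoped inbound rule rather than disabling the firewall, as an added example that is not part of the Quest guide. The port numbers come from the guide; that the traffic is TCP, and the agent subnet, are assumptions to replace with your own values. netsh is used because New-NetFirewallRule does not exist on Windows Server 2008 R2.

```powershell
# Added example (not from the Quest guide): allow agents to reach the Data
# Governance Server on 8721 and 8722 without turning the firewall off.
# Run as an administrator on the Data Governance Server.
$agentSubnets = '10.0.20.0/24'   # assumption: network(s) where the SharePoint and file server agents run
$ports        = '8721,8722'      # from the guide; protocol assumed to be TCP
$ruleName     = 'Quest Data Governance agents (TCP 8721-8722)'

# Inbound, domain profile only, limited to the agent subnets.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=$ports remoteip=$agentSubnets profile=domain

# Confirm the rule exists and that the server is actually listening on both ports.
netsh advfirewall firewall show rule name="$ruleName"
netstat -ano -p TCP | Select-String ':872[12]\s'
```

If the firewall profile on the server is Private or Public rather than Domain, adjust the profile= value; a rule on the wrong profile silently does nothing.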
6. Select the Scanning Schedule tab to set the time and frequency with which the agent scans the target computer.
You must now decide if you want to enable resource activity tracking for the agent.
7. Select the Resource Activity tab, and configure the resource activity tracking.
8. Select the Aggregation period. As resource activity is continuously tracked, this period is used to group together the results over a period of time.
9. To limit network traffic, select Synchronize only between these times and set the start and end time.
10. To exclude accounts, click the Manage exclusions button and select the accounts to exclude.
11. The default for SharePoint managed hosts is to scan all data roots if no roots are specified. To selectively scan a managed host, select the Security Index Roots tab, and Configure security index roots in the Tasks view.
12. Select the directory and objects that you want included and excluded from the scan, and the required agent, and click OK.
About Quest Software
• About Quest Software
• Contacting Quest Software, Inc.
• Contacting Quest Support
About Quest Software
Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com.
Contacting Quest Software, Inc.
Refer to our Web site for regional and international office information.
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal at: www.quest.com/support.
From our support portal, you can do the following:
• Retrieve thousands of solutions from our Knowledge Base
• Download the latest releases and service packs
• Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at www.quest.com/support.
Email [email protected]
Mail Quest Software, Inc.
World Headquarters 5 Polaris Way
Aliso Viejo, CA 92656 USA