PowerScale Connector Prerequisites
Verify that your system matches the descriptions below before starting the installation.
Pre-software Requirements
EMC PowerScale Isilon - OneFS 7.1 to OneFS v9.7.0.0
EMC Common Event Enabler - CEE 6.5 and above
Configuring the CEE Service
- On every CEE server, open the registry and make the following changes:
[HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
Endpoint=whitebox@<Data Access Security virtual appliance node ip address>
Enabled=1
Note: the Enabled value is of type REG_DWORD.
- Restart the EMC CEE service.
Note: if the activity monitoring virtual appliance cluster contains multiple virtual appliances, the Endpoint list should look like: whitebox@ip, whitebox@ip, ...
Enabling CEE using PowerScale OneFS WebUI
- Select Cluster Management, then Auditing.
- Click Enable Protocol Access Auditing.
- Add Access Zone(s) you want to audit.
Event Forwarding - Enter the uniform resource identifier (URI) where the CEE service is installed. The format of the entry is:
http://[fully.qualified.domain.name/IP]:[port]/cee
Example: http://172.17.40.251:12228/cee
Note: https is not currently supported.
Port - The default is 12228
Storage Cluster - Provide a name for the cluster. This can be empty.
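The registry Endpoint value and the WebUI Event Forwarding URI above both have a fixed format that is easy to get subtly wrong (a space-separated list, an https scheme, a missing /cee path). The following preflight helper is an added example, not SailPoint or Dell code: it builds the Endpoint string for one or more appliance nodes and validates a forwarding URI against the documented form. The helper names and the sample addresses are assumptions; the formats themselves come from the page.

```python
"""Preflight helpers for the CEE registry Endpoint value and the OneFS
Event Forwarding URI.

Added example (not SailPoint or Dell code). Assumptions: the formats
`whitebox@<ip>, whitebox@<ip>` and `http://[fqdn|ip]:[port]/cee` are taken
from the page; the function names here are invented.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_CEE_PORT = 12228  # documented default for the CEE service


def cee_endpoint_value(appliance_ips):
    """Build the Endpoint string under
    HKLM\\Software\\EMC\\CEE\\CEPP\\Audit\\Configuration for one or more
    Data Access Security appliance nodes, rejecting malformed addresses."""
    if not appliance_ips:
        raise ValueError("at least one appliance IP address is required")
    entries = []
    for raw in appliance_ips:
        ip = str(ip_address(raw.strip()))  # raises ValueError on junk input
        entries.append(f"whitebox@{ip}")
    return ", ".join(entries)


def validate_cee_uri(uri):
    """Check an Event Forwarding URI against the documented form
    http://[fully.qualified.domain.name/IP]:[port]/cee.
    Returns (host, port); the port defaults to 12228 when omitted."""
    parts = urlsplit(uri)
    if parts.scheme != "http":
        # OneFS event forwarding to CEE does not support https (see note above)
        raise ValueError(f"scheme must be http, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host name or IP address")
    port = parts.port  # raises ValueError if the port is not a valid integer
    if port is None:
        port = DEFAULT_CEE_PORT
    if parts.path.rstrip("/") != "/cee":
        raise ValueError(f"path must be /cee, got {parts.path!r}")
    if parts.query or parts.fragment:
        raise ValueError("query string and fragment are not allowed")
    return parts.hostname, port


def cee_uri_error(uri):
    """Return None if the URI is acceptable, otherwise the reason it is not."""
    try:
        validate_cee_uri(uri)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; replace with your own appliance addresses.
    print(cee_endpoint_value(["172.17.40.10", "172.17.40.11"]))
    print(validate_cee_uri("http://172.17.40.251:12228/cee"))
    print(cee_uri_error("https://172.17.40.251:12228/cee"))
```

Run the checks on each CEE server before restarting the service: a rejected Endpoint or URI here is far cheaper to find than a silent gap in the audit feed later.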
Enabling and Configuring Auditing Using the CLI
To enable auditing - isi audit settings global modify --protocol-auditing-enabled on
To disable auditing - isi audit settings global modify --protocol-auditing-enabled off
Add access zone to audit - isi audit settings modify --audited-zones <ZONE>
View audit settings - isi audit settings global view
Audit Event Configuration Using CLI
To enable specific audit events - isi audit settings modify --audit-success create,rename,delete,read,write,get_security,set_security
To enable all audit events - isi audit settings modify --audit-success all
To monitor all the activities listed under the Monitored Activities section, enable all audit events.
Required Permissions
Data Access Security requires different permissions depending on the task being performed. The user configured in the Application Configuration wizard must have the following permissions on the Access Zone:
- Share Read permissions to all shares
- Member of the local Administrator group
- Member of the local Backup Operators group
- Ability to list shares
Add the required permissions by associating the user with a role in one of the following ways:
Add Permissions via the Cluster Management Web Interface
- Log in to the OneFS Cluster Management Web interface.
- Select Access > Membership and Roles.
- Select the Roles tab.
- Select Create Role.
- Enter a name for the role (e.g. DataAccessSecurity).
- Select Add a member to this role and add the Data Access Security user that will be used in the Application Configuration wizard.
- Scroll down, select Add a privilege to this role, and add the following privileges:
- Platform API: Log in to the Platform API and WebUI - read_only access
- Auth: Configure identities and authentication sources - read_only access
- Audit: Configure audit capabilities - read_only access
- SMB: Configure SMB server - read_only access
Add Permissions via the Cluster Management Shell
Run the following commands from the cluster management shell:
isi auth roles create DataAccessSecurity
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_LOGIN_PAPI
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_SMB
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_AUTH
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_AUDIT
isi auth roles modify DataAccessSecurity --add-user='<domain>\<user>'
Add Permissions via Built-in Roles
Associate the user with the SystemAdmin and SecurityAdmin built-in roles.
isi auth roles modify SystemAdmin --add-user='<domain>\<user>'
isi auth roles modify SecurityAdmin --add-user='<domain>\<user>'
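The custom role above grants exactly four read-only privileges, whereas the built-in SystemAdmin and SecurityAdmin roles grant far more. The following least-privilege check is an added example, not SailPoint or Dell code: given a role's privilege list, it reports which required privileges are missing, which are granted read/write where read-only suffices, and which extras the connector does not need. The required ids come from the page; the JSON shape and the SAMPLE_ROLE document are constructed assumptions, modelled on a role export rather than taken from the OneFS API.

```python
"""Least-privilege check for the DataAccessSecurity role.

Added example, not SailPoint or Dell code. The four required privilege ids
and the read-only requirement come from the page. The dict shape below and
SAMPLE_ROLE are constructed assumptions (a role export you would build from
the OneFS CLI or Platform API), not an actual OneFS API response.
"""

# Privileges the connector role needs, all read-only (from the page).
REQUIRED_READ_ONLY = {
    "ISI_PRIV_LOGIN_PAPI",
    "ISI_PRIV_SMB",
    "ISI_PRIV_AUTH",
    "ISI_PRIV_AUDIT",
}

# Constructed sample role with two typical mistakes baked in.
SAMPLE_ROLE = {
    "name": "DataAccessSecurity",
    "members": [{"name": "svc_das", "type": "user"}],
    "privileges": [
        {"id": "ISI_PRIV_LOGIN_PAPI", "read_only": True},
        {"id": "ISI_PRIV_SMB", "read_only": True},
        {"id": "ISI_PRIV_AUTH", "read_only": False},  # granted read/write by mistake
        {"id": "ISI_PRIV_NFS", "read_only": True},    # not needed by the connector
        # ISI_PRIV_AUDIT is missing entirely
    ],
}


def audit_role(role, required=REQUIRED_READ_ONLY):
    """Compare a role's privilege list with the connector's requirements.

    Returns a dict with three sorted lists:
      missing  - required privilege ids the role does not grant at all
      writable - required ids granted read/write where read-only suffices
      extra    - ids granted that the connector does not need
    Empty lists in all three mean the role is exactly least-privilege.
    """
    granted = {
        p["id"]: bool(p.get("read_only", False))
        for p in role.get("privileges", [])
    }
    missing = sorted(required - granted.keys())
    writable = sorted(pid for pid in required if pid in granted and not granted[pid])
    extra = sorted(granted.keys() - required)
    return {"missing": missing, "writable": writable, "extra": extra}


def role_is_least_privilege(role, required=REQUIRED_READ_ONLY):
    """True only when nothing is missing, over-granted or superfluous."""
    return not any(audit_role(role, required).values())


if __name__ == "__main__":
    for key, ids in audit_role(SAMPLE_ROLE).items():
        print(f"{key:9s}: {', '.join(ids) or '-'}")
```

Feed the check the role as it actually exists on the cluster (for example, from isi auth roles view DataAccessSecurity) rather than the commands you intended to run; the point is to catch drift between the two.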
Permissions Required for each Data Access Security Task
The user must have the permissions listed below in order to perform these tasks:
Crawling
- Share Read permissions to all the shares on the file server.
- Be a member of the local Administrator group on the Access Zone.
Permission Collection
- Share Read permissions to all the shares on the Access Zone.
- Be a member of the local Backup Operators group on the Access Zone.
- Be a member of the local Administrators group to read the Share Permissions.
- Permissions to the OneFS Platform API to read the local Users and Groups.
Data Classification
- Share Read permissions for all the shares on the Access Zone.
- Be a member of the local Backup Operators group on the Access Zone.
Activity Monitoring
- Ability to list shares.
- Share Read permissions to all the shares on the file server.
- Be a member of the local Backup Operators and local Administrator group on the Access Zone.
- If OneFS is enabled, the configured user additionally requires PAPI access (requires the proper license).
Configuring PowerScale with Data Access Security
- If utilizing separate IP address ranges assigned to each access zone, each access zone should have its own separate Data Access Security application.
- If utilizing a single IP address range assigned to the System access zone or a single overarching access zone, then the System/main access zone should be the target of a single application in Data Access Security.
Communication Requirements
| Requirement | Source | Destination | Port |
|---|---|---|---|
| EMC CEE | EMC PowerScale / Isilon cluster | CEE Service | 12228 |
| OneFS Platform API | Activity Monitor Virtual Appliance | PowerScale | 8080 |
| Activity Monitoring | CEE Service | Activity Monitor Virtual Appliance | 13000 |
| Activity Monitoring | Activity Monitor Virtual Appliance | PowerScale | SMB |
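Each row in the table is a TCP path that must be open from the listed source to the listed destination, so a quick connectivity preflight run from each source host is worth doing before the first crawl. The following script is an added example, not SailPoint or Dell code: it encodes the table's rows and attempts a TCP handshake to each destination. The ports 12228, 8080 and 13000 come from the page; mapping SMB to TCP 445 is an assumption, and the destination addresses are placeholders you replace with your own.

```python
"""TCP connectivity preflight for the Communication Requirements table.

Added example, not SailPoint or Dell code. Ports 12228, 8080 and 13000 come
from the page; SMB is assumed to be TCP 445. Host addresses are constructed
placeholders. Run it FROM each listed source host, since the script can only
test what is reachable from where it executes.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    name: str
    source: str
    destination: str  # label that maps to an address at run time
    port: int


# Rows from the table above.
REQUIREMENTS = [
    Requirement("EMC CEE", "PowerScale cluster", "CEE Service", 12228),
    Requirement("OneFS Platform API", "Activity Monitor VA", "PowerScale", 8080),
    Requirement("Activity Monitoring", "CEE Service", "Activity Monitor VA", 13000),
    Requirement("Activity Monitoring (SMB)", "Activity Monitor VA", "PowerScale", 445),  # 445 assumed
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds.
    Connection refused, timeout and DNS failure all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(requirements, destinations, timeout=3.0):
    """Check every requirement whose destination label has an address in
    `destinations`. Returns {(name, port): reachable}; rows whose destination
    is not mapped are skipped so each source host checks only its own rows."""
    results = {}
    for req in requirements:
        host = destinations.get(req.destination)
        if host is None:
            continue
        results[(req.name, req.port)] = tcp_reachable(host, req.port, timeout)
    return results


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your own environment.
    targets = {
        "CEE Service": "192.0.2.10",
        "PowerScale": "192.0.2.20",
        "Activity Monitor VA": "192.0.2.30",
    }
    for (name, port), ok in run_preflight(REQUIREMENTS, targets).items():
        print(f"{'OK ' if ok else 'FAIL'} {name} -> tcp/{port}")
```

A successful handshake proves the firewall path, not the service: a listener on 12228 that is not the CEE service still shows OK, so pair this with the registry and auditing checks above.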