PowerScale Connector Prerequisites

Verify your system fits the descriptions below before starting the installation.

Pre-software Requirements

EMC PowerScale Isilon - OneFS 7.1 to OneFS v9.7.0.0

EMC Common Event Enabler - CEE 6.5 and above

Configuring the CEE Service

On every CEE server, open the registry and perform the following changes:

[HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]

Endpoint=whitebox@<Data Access Security virtual appliance node ip address>

Enabled=1

Note

Type is REG_DWORD.
Restart the EMC CEE service.

Note

If multiple virtual appliances in the activity monitoring virtual appliance cluster exist, the list should look like: whitebox@ip, whitebox@ip, ...

Enabling CEE using PowerScale OneFS WebUI

Select Cluster Management, then Auditing.
Click Enable Protocol Access Auditing.
Add Access Zone(s) you want to audit.

Event Forwarding - Enter the uniform resource identifier (URI) where the CEE service is installed. The format of the entry is:

  http://[fully.qualified.domain.name/IP]:[port]/cee

  Example: http://172.17.40.251:12228/cee

Note

https is not currently supported.

Port - The default is 12228

Storage Cluster - Provide a name for the cluster. This can be empty.

Enabling and Configuring Auditing the CLI

To enable auditing - isi audit settings global modify --protocol-auditing-enabled on

To disable auditing - isi audit settings global modify --protocol-auditing-enabled off

Add access zone to audit - isi audit settings modify --audited-zones <ZONE>

View audit settings - isi audit settings global view

Audit Event Configuration Using CLI

To enable specific audit events - isi audit settings modify --audit-success create, rename, delete, read, write, get_security, set_security

To enable all audit events - isi audit settings modify --audit-success all

To monitor all the activities listed under the Monitored Activates section - Enable all audit events

Required Permissions

Data Access Security requires different permissions, based on the tasks that require those permissions. The user configured in the Application configuration wizard must have the following permissions on the Access Zone:

Share Read permissions to all share
Member of the local Administrator group
Member of the local Backup Operators group
Ability to list shares

Add required permissions by creating a new role and associating the user with that role in one of the following ways:

Add Permissions via the Cluster Management Web Interface

Log in to the OneFS Cluster Management Web interface.
Select Access > Membership and Roles.
Select the Roles tab.
Select Create Role.
Enter a name for the Role (ex. DataAccessSecurity)
Select Add a member to this role and add the Data Access Security user which will be used in the Application Configuration wizard.
Scroll down and select Add a privilege to this role and add the following privileges:
1. ‘Platform API: Log in to the Platform API and WebUI’ – read_only Access
2. Auth: Configure Identities and authentication sources – read_only Access
3. Audit: Configure audit capabilities – read_only Access
4. SMB: configure SMB server – read_only Access

Add Permissions via the Cluster Management Shell

Run the following commands from the cluster management shell:

isi auth roles create DataAccessSecurity
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_LOGIN_PAPI
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_SMB
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_AUTH
isi auth roles modify DataAccessSecurity --add-priv-ro=ISI_PRIV_AUDIT
isi auth roles modify DataAccessSecurity --add-user=’<domain>\<user>’

Add Permissions via Built-in Roles

Associate the user with the SystemAdmin and SecurityAdmin built-in roles.

isi auth roles modify SystemAdmin --add-user=’<domain>\<user>’
isi auth roles modify SecurityAdmin --add-user=’<domain>\<user>’

Permissions Required for each Data Access Security Task

The user must have the permissions listed below in order to perform these tasks:

Crawling

Share Read permissions to all the shares on the file server.
Be a member of the local Administrator group on the Access Zone.

Permission Collection

Share Read permissions to all the shares on the Access Zone.
Be a member of the local Backup Operators group on the Access Zone.
Be a member of the local Administrators group to read the Share Permissions.
Permissions to the OneFS Platform API to read the local Users and Groups.

Data Classification

Share Read permissions for all the shares on the Access Zone.
Be a member of the local Backup Operators group on the Access Zone.

Activity Monitoring

Ability to list shares.
Share Read permissions to all the shares on the file server.
Be a member of the local Backup Operators and local Administrator group on the Access Zone.
If enabling of OneFS the additional permission of PAPI access for configured user (requires proper license).

Configuring PowerScale with Data Access Security

If utilizing separate IP address ranges assigned to each access zone, each access zone should have its own separate Data Access Security application.
If utilizing a single IP address range assigned to the System access zone or a single overarching access zone, then the System/main access zone should be the target of a single application in Data Access Security.

Communication Requirements

Requirement	Source	Destination	Port
EMC CEE	EMC PowerScale / Isilon cluster	CEE Service	12228
OneFS Plaform API	Activity Monitor Virtual Appliance	PowerScale	8080
Activity Monitoring	CEE Service	Activity Monitor Virtual Appliance	13000
Activity Monitoring	Activity Monitor Virtual Appliance	PowerScale	SMB

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.