HDS Connector Overview
Connector Operation Principles
- The File Access Manager Windows DFS application differs from other File Access Manager connectors in that it does not actively monitor activities, collect permissions, or classify data. Instead, it acts as a logical representation of multiple physical applications. It fetches data by mapping DFS logical shares to the shares of their corresponding physical target applications.
- The crawler service creates the mapping between DFS applications and physical applications.
Note
Windows DFS applications support only domain-based DFS namespaces.
Note
An application must be configured in File Access Manager for each DFS domain.
Terminology
DFS (Distributed File System) refers to a virtual arrangement of distributed Microsoft servers as a single resource tree.
Refer to the DFS Namespace Overview for more information.
- DFS Namespace - A virtual view of shared folders on servers provided by DFS. A DFS namespace consists of a root and many links and targets. The namespace starts with a root that maps to one or more root targets. Below the root are links that map to their own targets.
- Domain-based DFS namespace - A DFS namespace whose configuration information is stored in Active Directory.
- DFS Link (folder with targets) - A component in a DFS path that lies below the root and maps to one or more link targets.
- DFS Link Target (folder target) - The mapping destination of a link. A link target can be any UNC path, such as a shared folder or another DFS path.
Monitored Activities
Any activity on a share that is the target of a DFS link is “tagged” with an additional field holding the logical DFS path and an indication that the activity is DFS-related. This allows activities to be queried via a DFS application and its business resources, and to have their DFS logical path displayed.
Any activity type monitored by a physical application that is mapped to the DFS application can also be displayed via the DFS application.
Permissions Collection and Data Classification
DFS links are logical resources that only point to the physical folders in which the actual data is located. Windows DFS applications have neither Permissions Collection nor Data Classification services.
To display permissions and data classification results, DFS applications redirect their link folders to their mapped targets and display the results collected by the corresponding physical applications.
DFS Link Targets Priority
Some DFS links may point to multiple physical shares that are assumed to be replicas of each other. In that case, File Access Manager selects results from one or more of the physical shares, and the selection rule differs for each of the following scenarios:
- Activities - When a link has multiple targets, all physical target resources are queried for activities, since activities are not necessarily replicated consistently across shares.
- Permissions - When a link has multiple targets, the target with the most recent File Access Manager permission analysis is selected.
- Data Classification - When a link has multiple targets, the target with the most recent File Access Manager Data Classification analysis is selected.
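The redirection and target-priority rules above, as an added worked example that is not part of this documentation or of the File Access Manager product: a small Python resolver maps a logical DFS path to the physical share(s) that should be queried, taking every replica for activities and the most recently analysed target for permissions or classification. The Link and Target classes, the sample namespace and the scan timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

@dataclass
class Target:
    """One physical share behind a DFS link (constructed sample data)."""
    unc: str                                          # e.g. \\fs1\finance
    last_permission_scan: Optional[datetime] = None   # None = never analysed
    last_classification_scan: Optional[datetime] = None

@dataclass
class Link:
    path: str                                         # logical DFS path of the link
    targets: List[Target] = field(default_factory=list)

def _parts(path: str) -> List[str]:
    return [p for p in path.split("\\") if p]

def find_link(links: List[Link], logical: str) -> Optional[Link]:
    """Deepest link whose path is a case-insensitive prefix of the logical path."""
    want = [p.lower() for p in _parts(logical)]
    best = None
    for link in links:
        lp = [p.lower() for p in _parts(link.path)]
        if want[:len(lp)] == lp and (best is None or len(lp) > len(_parts(best.path))):
            best = link
    return best

def physical_paths(links: List[Link], logical: str, purpose: str) -> List[str]:
    """Map a logical DFS path to the physical path(s) to query for `purpose`."""
    link = find_link(links, logical)
    if link is None:
        return []
    rest = _parts(logical)[len(_parts(link.path)):]
    if purpose == "activities":
        chosen = link.targets                  # every replica: activities are not replicated
    else:
        attr = {"permissions": "last_permission_scan",
                "classification": "last_classification_scan"}[purpose]
        scanned = [t for t in link.targets if getattr(t, attr) is not None]
        chosen = [max(scanned, key=lambda t: getattr(t, attr))] if scanned else []
    return [t.unc.rstrip("\\") + "".join("\\" + p for p in rest) for t in chosen]

# Constructed sample namespace: one link with two replicas, one nested link never analysed.
LINKS = [
    Link(r"\\corp\root\finance", [
        Target(r"\\fs1\finance", datetime(2024, 3, 1), datetime(2024, 1, 10)),
        Target(r"\\fs2\finance", datetime(2024, 2, 1), datetime(2024, 3, 5)),
    ]),
    Link(r"\\corp\root\finance\archive", [Target(r"\\fs3\fin-archive")]),
]
```

A link whose targets have never been analysed yields no permissions or classification result, which matches the redirect behaviour (nothing has been collected to display yet).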
Manual Matching of Unknown Target Host Names
During a DFS Crawl, the Crawler tries to match target host names to the host names of existing applications in the File Access Manager database.
When the Crawler is unable to match specific hosts, it attempts to match hosts via DNS lookups, and to find valid matching alias names (for example, a host name displayed as an IP address).
If the search cannot resolve a host name, or cannot match a host-name alias to an existing host in the File Access Manager database, matching hosts can be configured manually.
- Create an *.xml file with the following structure:
<?xml version="1.0"?>
<mappings>
<key name="hostA">AlternateHostA</key>
<key name="hostB">172.66.12.12</key>
</mappings>
In the example above, “hostA” is the host name of a link target to be matched manually. “AlternateHostA” is the host name to which “hostA” will be matched.
Note
“AlternateHostA” should be the host name of an existing application in File Access Manager.
- Add the following key to the DFS Permissions Collector service's app.config:
<add key="dfsMappings" value="C:\myMappings.xml"/>
Replace C:\myMappings.xml with the path that points to the mapping file.
- Restart the DFS Permissions Collector service.
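As an added example that is not part of this documentation or of the product, a Python validator for the mapping file described above: it parses the mappings/key structure, rejects malformed or duplicate entries before the file is handed to the collector, and shows why a manual mapping only helps when it points at a host that already exists as an application. The known_hosts set stands in for the application hosts in the database (assumed to be compared case-insensitively), and the sample content is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Constructed sample in the structure described above (not a real deployment file).
SAMPLE_MAPPINGS = """<?xml version="1.0"?>
<mappings>
  <key name="hostA">AlternateHostA</key>
  <key name="hostB">172.66.12.12</key>
</mappings>
"""

def parse_mappings(xml_text: str) -> Dict[str, str]:
    """Return {link-target host (lower-cased): application host} or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "mappings":
        raise ValueError(f"root element must be <mappings>, got <{root.tag}>")
    mappings: Dict[str, str] = {}
    for elem in root:
        if elem.tag != "key":
            raise ValueError(f"unexpected element <{elem.tag}> under <mappings>")
        name = (elem.get("name") or "").strip()
        value = (elem.text or "").strip()
        if not name or not value:
            raise ValueError("each <key> needs a non-empty name attribute and a value")
        if name.lower() in mappings:
            raise ValueError(f"duplicate mapping for host {name!r}")
        mappings[name.lower()] = value
    return mappings

def resolve_host(host: str, mappings: Dict[str, str], known_hosts: Set[str]) -> Optional[str]:
    """Host name the crawler would end up with, or None if it still cannot be matched.

    known_hosts stands in for the application host names already in the
    File Access Manager database (assumption: compared case-insensitively)."""
    known = {h.lower() for h in known_hosts}
    if host.lower() in known:
        return host                     # direct match, no manual mapping needed
    alias = mappings.get(host.lower())
    if alias is not None and alias.lower() in known:
        return alias                    # manual mapping points at an existing application
    return None                         # unmatched, or mapped to a host that is not an application

def load_mappings_file(path: str) -> Dict[str, str]:
    """Read the file referenced by the dfsMappings app.config key."""
    with open(path, encoding="utf-8") as fh:
        return parse_mappings(fh.read())
```

Running the validator on the file before restarting the service catches the common mistakes (a key without a name, the same host listed twice) that would otherwise surface only as hosts that still fail to match after the restart.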
Capabilities
This connector enables you to use File Access Manager to access and analyze data stored in DFS and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
- Identity collector - collect IAM users, groups and roles and the connections between them.
Refer to the File Access Manager documentation for a full description.
DFS Installation Flow Overview
To install the DFS connector:
- Configure all the prerequisites.
- Add a new DFS application in the Business Website.
- Install the relevant services:
  - Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
  - Permissions Collector
    If you are using EC2 login, the collector should be installed on the EC2 instance.
  - Data Classification Collector
Important
Installing the Permissions Collector and Data Classification services is optional, and they should be installed only by someone with a full understanding of the File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.