Prerequisites
Make sure your system fits the descriptions below before starting the installation.
Software Requirements
File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.
Permission Requirements
File Access Manager requires different permissions, based on the tasks performed.
The following listing describes the required permissions by File Access Manager task, in addition to the permissions described in sections 4.3, 54, or 6.3:
Activity Monitoring
- Refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).
CIFS Access Permissions
Crawling
- Requires a user with Share Read permission to all shares.
Permission Collection
- Requires a user with Share Read permission to all shares.
- Enumeration of CIFS Share-Level Permissions: refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).
- Enumeration of local Users and Groups: refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).
Data Classification
- Requires a user with Share Read permission to all shares.
NFS Access Permissions
Crawling
- Requires a user with permission to mount all NFS exports on the virtual NFS server.
- Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.
Permission Collection
- Requires a user with permission to mount all NFS exports on the virtual NFS server.
- Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.
Data Classification
- Requires a user with permission to mount all NFS exports on the virtual NFS server.
- Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.
NetApp Physical Filer 7-Mode Requirements
- The monitor server is required to be in the same segment and AD domain as the NetApp. No firewalls can be in the middle.
- The Activity Monitor service must run with the dedicated user described in section Physical Filer 7-Mode Permissions.
Physical Filer 7-Mode Policy Definitions
Note
The configuration below is for CIFS filers. To configure monitoring for NFS, repeat step 2 and replace whitebox_cifs with whitebox_nfs.
- Run the following commands in the NetApp:
options fpolicy.enable on
fpolicy create whitebox_cifs screen
fpolicy options whitebox_cifs required off
fpolicy options whitebox_cifs cifs_disconnect_check on
fpolicy options whitebox_cifs serverprogress_timeout 1
fpolicy options whitebox_cifs reqcancel_timeout 1
fpolicy options whitebox_cifs cifs_setattr on
fpolicy enable whitebox_cifs
- It is recommended to include only the required volumes to be monitored by fpolicy, to reduce the load on the NetApp machine.
- To include only specific volumes to be monitored, run the following command:
fpolicy volume include add whitebox_cifs <vol name>
Note
<vol name> must be the short volume name as shown in the volume status command, without the /vol/ prefix.
Physical Filer 7-Mode Permissions
To configure the required permissions for all File Access Manager tasks:
- Create a dedicated domain user for the filer (for example, SIQ_<filername>). This user will be used in the application configuration, and must also be the user running the Activity Monitor service.
- This user must be a member of the Backup Operators and Power Users groups on the NetApp, and an administrator on the server running the Activity Monitor service.
- Run the following commands in the NetApp physical filer to grant the File Access Manager user permissions to access the Ontapi web API. Replace <DOMAIN> with the domain name and siq_<filername> with the correct user name:
useradmin role add siq_netapp_role -a login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-volume-list-info,api-fpolicy-volume-list-info
useradmin group add siq_group -r siq_netapp_role
useradmin domainuser add <DOMAIN>\siq_<filername> -g siq_group,"Backup Operators","Power Users"
Physical Filer 7-Mode Communications Requirements
| Requirement | Source | Destination | Port |
|---|---|---|---|
| File Access Manager Message Broker | Permissions Collector/Data Classification Collector | RabbitMQ | 5671 |
| File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |
| NetApp CIFS Access | Activity Monitor | NetApp | RPC (135 + Dynamic) |
| NetApp fpolicy | NetApp filer | Activity Monitor | MSRPC (139) |
| NetApp fpolicy | Activity Monitor | NetApp | MSRPC (139) |
| NetApp Web API | Activity Monitor/Permissions Collector | NetApp | 443 (https) |
| NetApp NFS Access | Permissions Collector/Data Classification | NetApp | UDP/TCP 111, 2049 (NFSv3) |
NetApp Virtual Filer 7-Mode Requirements
- The Activity Monitor server is required to be in the same segment and AD domain as the NetApp. No firewalls can be in the middle.
- The Activity Monitor service must run with the dedicated user described in section Virtual Filer 7-Mode Permissions.
Ontapi API Configuration Options
When working with 7-mode, there are two configuration options, which affect how the connector communicates with the NetApp ONTAPI API:
- A single physical filer: there are no vFilers defined on the NetApp, and there is only one filer. In this configuration, communications are made directly with the filer.
- vFilers (multiple logical filers): there is more than one logical filer defined on the NetApp storage, with the original named vFiler0 (vFiler Zero). With vFilers, ONTAPI communications pass through vFiler0 and are targeted at the correct vFiler using its name.
Virtual Filer 7-mode FPolicy Definitions
- The configuration below is for CIFS filers. To configure monitoring for NFS, repeat step 2 and replace whitebox_cifs with whitebox_nfs.
- Run the following commands in the NetApp vfiler:
vfiler context vfilername
options fpolicy.enable on
fpolicy create whitebox_cifs screen
fpolicy options whitebox_cifs required off
fpolicy options whitebox_cifs cifs_disconnect_check on
fpolicy options whitebox_cifs serverprogress_timeout 1
fpolicy options whitebox_cifs reqcancel_timeout 1
fpolicy options whitebox_cifs cifs_setattr on
- To start fpolicy, run:
fpolicy enable whitebox_cifs
- It is recommended to include only the required volumes to be monitored by FPolicy, to reduce the load on the NetApp machine. To include only specific volumes to be monitored, run the following command:
fpolicy volume include add whitebox_cifs <vol name>
Note
<vol name> must be the short volume name as shown in the 'volume status' command, without the /vol/ prefix.
Virtual Filer 7-Mode Permissions
To configure the required permissions for all File Access Manager tasks:
- When monitoring a vfiler, File Access Manager uses vfiler tunneling for the NetApp Web API.
- The tunneling can work if the vfiler and vfiler0 (the physical filer is called vfiler0, "vfiler zero") are in the same domain, or if vfiler0 can resolve users from the vfiler domain.
- If vfiler0 is not in any domain or cannot resolve the domain user, create a local user on vfiler0, and follow the steps described in section Configuring a Local NetApp User for the Ontapi API after the Activity Monitor and Permissions Collector installation.
- Create a dedicated domain user for the filer. This user will be used later in the application configuration, and must also be the user running the Activity Monitor service.
  - siq_<filername> must be part of the domain.
  - In the commands below, replace <DOMAIN> with the domain name and siq_<filername> with the correct username.
  - This user must be a member of the Backup Operators and Power Users groups in the NetApp (the command to add the user to the groups is part of the sequence below).
  - This user must be an administrator on the server running the Activity Monitor service.
- Decide if a local user is required on vfiler0 according to the previous sections. If you are not sure, consult with your File Access Manager technical support.
  - If a local user is required, name it SIQ_VFILER0.
  - These commands need to run only once, when the first vfiler is configured. For subsequent vfilers, the role and group will already be present and this step can be skipped.
- Run the commands below in the NetApp vfiler0 (vfiler zero) to grant the File Access Manager user permissions to access the Ontapi Web API. Replace <DOMAIN> with the domain name and siq_<filername> with the correct user name:
useradmin role add siq_netapp_role -a login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-volume-list-info,api-fpolicy-volume-list-info
useradmin group add siq_group -r siq_netapp_role
vfiler context vfiler0
useradmin domainuser add <DOMAIN>\siq_<filername> -g siq_group,"Backup Operators","Power Users"
- If this is the first vfiler added for monitoring, a local user is needed. Run the following command:
useradmin user add siq_VFILER0 -g siq_group
Note
If this is NOT the first vfiler added for monitoring, the user is already present and associated with the group. This step can be skipped.
- After the command is completed, assign a password for the local user.
Configuring a Local NetApp User for the Ontapi API
Note
Make sure you have the password for the NetApp local user created as explained in the Permissions section.
- Go to the File Access Manager installation folder on one of the File Access Manager central servers.
- Open the folder "%SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\EncryptStringForService".
- Copy the content of the folder to the server on which the Activity Monitor service is installed.
- Run EncryptStringForService.exe [password to encrypt].
- Copy the output of the command.
Activity Monitor
- Go to the Activity Monitor installation folder.
- Edit the Activity Monitor configuration file BAMFramework.exe.config.
- Enter the name of the user in the alternativeUserName key:
<add key="alternativeUserName" value="local user name"/>
- Paste the output of the command copied in step 5 above into the value of the alternativeUserPassword key:
<add key="alternativeUserPassword" value="encrypted password from step 4"/>
- Restart the Activity Monitor service.
Permission Analysis
- Go to the Permission Analysis installation folder.
- Edit the Permission Analysis configuration file RoleAnalyticsServiceHost.exe.config.
- Enter the name of the user in the netAppApiUser key:
<add key="netAppApiUser" value="local user name"/>
- Paste the output of the command copied in step 5 above into the value of the netAppApiPassword key:
<add key="netAppApiPassword" value="encrypted password from step 4"/>
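The two configuration edits above are plain appSettings entries in .NET exe.config files. The script below is an added example, not SailPoint code: it sets the user-name and password keys named in this section (alternativeUserName/alternativeUserPassword for BAMFramework.exe.config, netAppApiUser/netAppApiPassword for RoleAnalyticsServiceHost.exe.config), updating an existing key in place or appending it, and refuses to write a value that equals the cleartext password, so only the EncryptStringForService.exe output ever lands in the file. The sample config is constructed for the example and much smaller than a real exe.config; the format of the EncryptStringForService.exe output is not assumed.

```python
"""Write a local NetApp user and its encrypted password into an exe.config (added example)."""
import xml.etree.ElementTree as ET

# Key pairs named in this guide for the two services.
ACTIVITY_MONITOR_KEYS = ("alternativeUserName", "alternativeUserPassword")   # BAMFramework.exe.config
PERMISSION_ANALYSIS_KEYS = ("netAppApiUser", "netAppApiPassword")           # RoleAnalyticsServiceHost.exe.config

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample; a real exe.config carries many more sections and keys.
SAMPLE_CONFIG = XML_DECL + """<configuration>
  <appSettings>
    <add key="alternativeUserName" value="" />
    <add key="someOtherKey" value="keep me" />
  </appSettings>
</configuration>
"""


def set_app_setting(config_xml, key, value):
    """Return config_xml with <add key=... value=.../> set under <appSettings>.

    An existing entry for the key is updated in place (so no duplicate keys are
    produced); a missing entry is appended. All other content is left untouched.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    settings = root.find("appSettings")
    if settings is None:
        settings = ET.SubElement(root, "appSettings")
    for add in settings.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:
        ET.SubElement(settings, "add", {"key": key, "value": value})
    # ET.tostring drops the declaration, so put it back for the file on disk.
    return XML_DECL + ET.tostring(root, encoding="unicode")


def get_app_setting(config_xml, key):
    """Return the value of an appSettings key, or None when absent."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for add in root.iter("add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def configure_local_user(config_xml, keys, user_name, encrypted_password, cleartext_password=None):
    """Set the user key and the password key of one service to the given values.

    When the cleartext password is passed as well, the function refuses to
    proceed if it is what would be written: the config must only ever hold
    the output of EncryptStringForService.exe.
    """
    user_key, password_key = keys
    if not user_name or not encrypted_password:
        raise ValueError("user name and encrypted password are required")
    if cleartext_password is not None and encrypted_password == cleartext_password:
        raise ValueError("refusing to write the cleartext password; run EncryptStringForService.exe first")
    config_xml = set_app_setting(config_xml, user_key, user_name)
    return set_app_setting(config_xml, password_key, encrypted_password)


if __name__ == "__main__":
    # Placeholder values: SIQ_VFILER0 is the local user name this guide suggests,
    # the encrypted value stands in for the copied EncryptStringForService.exe output.
    updated = configure_local_user(SAMPLE_CONFIG, ACTIVITY_MONITOR_KEYS,
                                   "SIQ_VFILER0", "ENCRYPTED-OUTPUT-PLACEHOLDER")
    print(updated)
```

Run it once per service with the matching key pair, write the returned text back to the config file, then restart the service as the steps above describe. Read the file first and pass its content as config_xml; the sample string is only there so the example runs stand-alone.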
Required Data for Creating a NetApp Application
- CIFS Server name
- VFILER IP address
- VFILER name
  - An internal name, usually the same as the normal vfiler host name
- Local user name and password
  - Required if the vfiler0 (vfiler zero) is not in any domain or cannot resolve the user
Physical Filer 7-Mode Communications Requirements
| Requirement | Source | Destination | Port |
|---|---|---|---|
| File Access Manager | Permissions Collector/Data Classification Collector | RabbitMQ | 5671 |
| File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |
| NetApp Access | Activity Monitor / Permissions Collector / Data Classification | NetApp VFILER | MSRPC (135 + Dynamic) |
| NetApp fpolicy | NetApp VFILER | Activity Server | MSRPC (139) |
| NetApp fpolicy | Activity Monitor | NetApp VFILER | MSRPC (139) |
| NetApp Web API | Permissions Collector / Activity Monitor | NetApp VFILER ZERO | 443 (https) |
| NetApp NFS Access | Permissions Collector | NetApp VFILER | UDP/TCP 111, 2049 (NFSv3) |
NetApp 8.2+ Cluster Mode Requirements
According to the NetApp Architecture and File Access Manager section, each Vserver is represented as a single Application in File Access Manager. If multiple Activity Monitor services are installed on the same server, each Application must be configured with a unique dedicated port, which is the port the Activity Monitor receives the FPolicy communication.
Important
The monitor server is required to be in the same segment. No firewalls can be in the middle.
- Create a domain user for the monitor, for example siq_vservername. All lowercase is recommended.
- Verify the case in which the user name is written in AD. This field is case sensitive.
- Each Vserver requires its own monitor installed.
Cluster Mode FPolicy Definitions
In the commands below, replace the parameters with the required values:
- [vserver_name] - The name of the vserver.
- [monitors server ip] - The IP address of the server where the Activity Monitor service is installed.
- [port_number] - The port number configured in the Application configuration wizard in section 7.
- [* or volume names to include] - Use * if all volumes need to be monitored, or enter a list of volumes to monitor.
- [running_number] - A sequential number of the policy in the policy hierarchy. If no FPolicy is defined, this should be 1.
To configure FPolicy for CIFS:
fpolicy policy event create -event-name siq_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver [vserver_name] -filters first-read,first-write,open-with-delete-intent
fpolicy policy external-engine create -vserver [vserver_name] -engine-name siq_cifs_engine -primary-servers [monitors server ip] -port [port_number] -extern-engine-type asynchronous -ssl-option no-auth
fpolicy policy create -vserver [vserver_name] -policy-name wbx_cifs_policy -events siq_cifs_events -engine siq_cifs_engine -is-mandatory false
fpolicy policy scope create -vserver [vserver_name] -policy-name wbx_cifs_policy -volumes-to-include [* or volume names to include]
fpolicy enable -vserver [vserver_name] -policy-name wbx_cifs_policy -sequence-number [running_number]
To configure FPolicy for NFS:
fpolicy policy event create -event-name siq_nfs3_events -protocol nfsv3 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr -vserver [vserver_name]
fpolicy policy event create -event-name siq_nfs4_events -protocol nfsv4 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr -vserver [vserver_name]
fpolicy policy external-engine create -vserver [vserver_name] -engine-name siq_nfs_engine -primary-servers [monitors server ip] -port [port_number] -extern-engine-type asynchronous -ssl-option no-auth
fpolicy policy create -vserver [vserver_name] -policy-name wbx_nfs_policy -events siq_nfs3_events,siq_nfs4_events -engine siq_nfs_engine -is-mandatory false -allow-privileged-access yes -privileged-user-name [domain\user_name]
fpolicy policy scope create -vserver [vserver_name] -policy-name wbx_nfs_policy -volumes-to-include [* or volume names to include]
fpolicy enable -vserver [vserver_name] -policy-name wbx_nfs_policy -sequence-number [running_number]
Note
If multiple Activity Monitors are installed on the same server, set a unique port per vserver, and replace [port_number] with the value configured in the Application.
Cluster Mode Permissions
- Create a new role for File Access Manager:
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share access-control" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group show-members" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-user" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-connect" -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-disconnect" -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show-engine" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-group" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-user" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "volume qtree" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "volume" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy scope" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy external-engine" -access readonly -vserver <vserver_name>
Note
<vserver_name> is the Vserver name configured in NetApp settings.
Note
If the File Access Manager Application is configured to use Vserver Tunneling, run these commands at the cluster level without the -vserver parameter. If the File Access Manager Application is configured to use the Vserver directly, run these commands at the Vserver level without the -vserver parameter, or at the cluster level with the -vserver parameter.
- Create a new user for File Access Manager, and assign it to the newly created role:
security login create -vserver <vserver_name> -username <domain\user_name> -application ontapi -authmethod domain -role siq_netapp_role_82
Important
Domain and user_name must be configured with the same case as configured in the Application configuration.
Important
The username must be in the same case as defined in Active Directory. This is a known NetApp issue.
- Add the new user to the Backup Operators security group on each virtual CIFS server.
- Add the new user to the Power Users security group on each virtual CIFS server.
- If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):
security login domain-tunnel create -vserver [vserver_name]
Important
If the domain-tunnel cannot be configured, authentication to the NetApp Web API will fail with the Active Directory user configured in the Application configuration.
Note
It is possible to define an alternative local NetApp user to use instead of the user defined in the application configuration. Refer to Configuring a Local NetApp User for the Ontapi API for detailed instructions.
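The role above is granted readonly on most command directories and more than readonly on the FPolicy engine-connect and engine-disconnect directories; the ONTAP 9.X command template later in this guide grants all on the unix-group directory instead of readonly. The script below is an added example, not SailPoint or NetApp code: it parses security login role create lines in the form used on this page, lists the effective access per command directory, and separates the expected non-readonly entries (the engine connect/disconnect directories the monitor needs) from the ones an administrator should confirm before applying the role. It assumes, from the ONTAP CLI reference rather than from this guide, that a line without -access gets the default access level all. The sample lines are constructed from this page.

```python
"""Least-privilege review of NetApp role definitions before they are applied (added example)."""
import shlex

# Constructed sample: three lines from the Cluster Mode Permissions template above
# and one from the ONTAP 9.X template below, which grants all rather than readonly.
SAMPLE_ROLE_COMMANDS = """
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-connect" -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "volume" -access readonly -vserver <vserver_name>
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
"""

# Directories where the monitor legitimately needs more than read access:
# it connects to and disconnects from the FPolicy external engine.
EXPECTED_NON_READONLY = {"vserver fpolicy engine-connect", "vserver fpolicy engine-disconnect"}

# Assumption (ONTAP CLI reference, not this guide): -access defaults to all when omitted.
DEFAULT_ACCESS = "all"


def parse_role_lines(text):
    """Return one dict per 'security login role create' line; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # keeps "vserver cifs share" as one token
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue
        opts = {}
        for i, tok in enumerate(tokens[4:], start=4):
            if tok.startswith("-") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]   # flag/value pairs, order independent
        entries.append({
            "role": opts.get("-role"),
            "cmddir": opts.get("-cmddirname"),
            "vserver": opts.get("-vserver"),
            "access": opts.get("-access"),  # None when the line omits -access
        })
    return entries


def effective_access(entry):
    """Explicit -access value, or the assumed ONTAP default when the line omits it."""
    return entry["access"] if entry["access"] is not None else DEFAULT_ACCESS


def review(entries):
    """Split non-readonly entries into (needs confirmation, expected for the monitor)."""
    unexpected, expected = [], []
    for entry in entries:
        if effective_access(entry) == "readonly":
            continue
        (expected if entry["cmddir"] in EXPECTED_NON_READONLY else unexpected).append(entry)
    return unexpected, expected


if __name__ == "__main__":
    entries = parse_role_lines(SAMPLE_ROLE_COMMANDS)
    for entry in entries:
        flag = "" if entry["access"] is not None else "  (implicit, assumed default)"
        print(f'{str(entry["role"]):20} {effective_access(entry):9} {entry["cmddir"]}{flag}')
    unexpected, _ = review(entries)
    for entry in unexpected:
        print(f'REVIEW: {entry["cmddir"]!r} grants {effective_access(entry)}; confirm this is required')
```

Paste the full role block from either section into SAMPLE_ROLE_COMMANDS (or read it from a file) and run the script before executing the commands on the cluster. Findings on engine-connect and engine-disconnect are expected; a finding on any other directory, such as the unix-group line in the 9.X template, is worth confirming with the vendor, since the 8.2 template grants that directory readonly.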
Communications Requirements
| Requirement | Source | Destination | Port |
|---|---|---|---|
| File Access Manager Message Broker | Permissions Collector / Data Classification Collector | RabbitMQ | 5671 |
| File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |
| NetApp Access | Each NetApp Cluster Node | Activity Monitor | MSRPC + the port defined in the FPolicy definition (12000, or the specific port defined) |
| NetApp Web API | Activity Monitor / Permissions Collector | NetApp Cluster Management IP | 443 (https) |
| NetApp NFS Access | Permissions Collector / Data Classification | NetApp | UDP/TCP 111, 2049 (NFSv3) |
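The communications tables in this guide (this one and the two 7-mode tables) are the firewall checklist for a deployment. The script below is an added example, not SailPoint code: it parses rows in the tables' own layout into source, destination and port lists, then, run from the server that plays the Source role, attempts a TCP connect to each port on the mapped Destination host. UDP ports (111/2049 for NFS) and dynamic RPC ports cannot be verified with a TCP connect and are reported as notes instead; rows where the cluster nodes are the source (FPolicy inbound to the monitor) have to be checked from the NetApp side. The rows are constructed from the table above and the hostnames are placeholders.

```python
"""Pre-flight reachability check driven by the communications requirements table (added example)."""
import re
import socket

# Constructed from the Cluster Mode table above; the 7-mode tables use the same layout.
SAMPLE_ROWS = [
    "File Access Manager Message Broker | Permissions Collector / Data Classification Collector | RabbitMQ | 5671 |",
    "File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |",
    "NetApp Access | Each NetApp Cluster Nodes | Activity Monitor | MSRPC + The port defined in the FPolicy definition (12000, or the specific port defined) |",
    "NetApp Web API | Activity Monitor / Permissions Collector | NetApp Cluster Management IP | 443 (https) |",
    "NetApp NFS Access | Permissions Collector / Data Classification | NetApp | UDP/TCP 111, 2049 (NFSv3) |",
]

# Placeholder hostnames for the Destination column; replace with the real names.
HOSTS = {
    "RabbitMQ": "rabbitmq.example.invalid",
    "NetApp Cluster Management IP": "cluster-mgmt.example.invalid",
    "NetApp": "svm-data.example.invalid",
}

# A port or a port range; \b keeps the "3" of "NFSv3" from matching.
PORT_RE = re.compile(r"\b(\d{1,5})(?:-(\d{1,5}))?\b")


def parse_ports(cell):
    """Return (tcp_ports, notes) for a Port cell; ranges such as 8000-8008 are expanded."""
    ports = []
    for lo, hi in PORT_RE.findall(cell):
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        ports.extend(range(lo_i, hi_i + 1))
    notes = []
    if "Dynamic" in cell:
        notes.append("dynamic RPC ports depend on the endpoint mapper; not tested")
    if "UDP" in cell:
        notes.append("UDP ports are not verified by a TCP connect")
    if "FPolicy definition" in cell:
        notes.append("use the port from the FPolicy external-engine definition if it is not 12000")
    return ports, notes


def parse_row(row):
    """Split one 'Requirement | Source | Destination | Port |' row into a dict."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 4:
        raise ValueError(f"expected 4 columns: {row!r}")
    ports, notes = parse_ports(cells[3])
    return {"requirement": cells[0], "source": cells[1], "destination": cells[2],
            "ports": ports, "notes": notes}


def tcp_reachable(host, port, timeout=2.0):
    """True when a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(rows, hosts, my_role, probe=tcp_reachable):
    """Probe every row whose Source column names my_role.

    Returns (requirement, host, port, ok) tuples; a destination with no host
    mapping yields port None and ok None so it is not silently skipped.
    """
    results = []
    for row in (parse_row(r) for r in rows):
        if my_role not in row["source"]:
            continue
        host = hosts.get(row["destination"])
        if host is None:
            results.append((row["requirement"], row["destination"], None, None))
            continue
        for port in row["ports"]:
            results.append((row["requirement"], host, port, probe(host, port)))
    return results


if __name__ == "__main__":
    # Run on the Activity Monitor server; probes the placeholder hosts above.
    for requirement, host, port, ok in preflight(SAMPLE_ROWS, HOSTS, "Activity Monitor"):
        state = "unmapped destination" if ok is None else ("open" if ok else "BLOCKED")
        print(f"{requirement:35} {host}:{port} {state}")
    for row in map(parse_row, SAMPLE_ROWS):
        for note in row["notes"]:
            print(f"{row['requirement']:35} note: {note}")
```

Map every Destination label to a host before trusting the result, since an unmapped destination is reported rather than probed. A BLOCKED line points at a firewall or routing gap between the two roles named in the table, which the Important notes in this guide say must not exist between the monitor and the NetApp.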
NetApp OnTap 9.X Command Template
- Create a new role for File Access Manager for the CIFS vserver. For example, fam_netapp_role.
- Replace (v_server) with the CIFS vserver from the cluster.
- Replace (cluster) with the cluster name.
security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (v_server) -access readonly
- Create a new role for File Access Manager for the cluster (use the cluster name for the -vserver switch).
security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (cluster)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (cluster)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (cluster) -access all
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (cluster) -access readonly
- Assign the newly created role to the domain user created for FAM (upper and lower case are important):
security login create -vserver (cluster) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
security login create -vserver (v_server) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
- The domain user must be a member of the Backup Operators group on the Vserver. Execute the command below for the Vserver you intend to on-board:
vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Backup Operators" -member-names domain\domainAccountFam
- The domain user must be a member of the Power Users group on the Vserver. Execute the command below for the Vserver you intend to on-board:
vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Power Users" -member-names domain\domainAccountFam
- If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):
security login domain-tunnel create -vserver (v_server)
- CIFS Access:
  - The user account requires Share Read permission to all shares.
  - The user must be able to enumerate CIFS Share-Level Permissions.
  - The user must be able to enumerate local Users and Groups.
- The domain user must be an administrator (local administrator) on the server running the Activity Monitor service.
- Execute the following commands to configure an FPolicy for the CIFS server:
fpolicy policy event create -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent
Note
Use the IP address of the SailPoint Activity Monitor server in place of x.x.x.x.
fpolicy policy external-engine create -vserver (v_server) -engine-name fam_cifs_engine -primary-servers x.x.x.x -port 12000 -extern-engine-type asynchronous -ssl-option no-auth
fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events fam_cifs_events -engine fam_cifs_engine -is-mandatory false
fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *
fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1
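The CIFS FPolicy sequence appears twice in this guide, once with placeholders (Cluster Mode FPolicy Definitions) and once filled in for a single vserver (above). The script below is an added example, not SailPoint or NetApp code: it holds one plan per Vserver, checks the rules the guide states before anything is typed into the cluster (a unique port per Activity Monitor on the same server, a sequence number of at least 1, a usable monitor IP) and renders the five commands from the template with the placeholders filled in. Vserver and volume names are checked against a conservative letters/digits/underscore pattern, and volumes are joined with commas for -volumes-to-include; both are assumptions of this example, not statements from the guide. The plans are constructed placeholders.

```python
"""Plan, validate and render the Cluster Mode CIFS FPolicy commands per Vserver (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class VserverPlan:
    vserver: str                                   # [vserver_name]
    monitor_ip: str                                # [monitors server ip]
    port: int                                      # [port_number]
    volumes: list = field(default_factory=list)    # empty list means all volumes (*)
    sequence_number: int = 1                       # [running_number]


# The CIFS command sequence from Cluster Mode FPolicy Definitions, placeholders as format fields.
CIFS_TEMPLATE = [
    "fpolicy policy event create -event-name siq_cifs_events -protocol cifs "
    "-file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open "
    "-vserver {vserver} -filters first-read,first-write,open-with-delete-intent",
    "fpolicy policy external-engine create -vserver {vserver} -engine-name siq_cifs_engine "
    "-primary-servers {monitor_ip} -port {port} -extern-engine-type asynchronous -ssl-option no-auth",
    "fpolicy policy create -vserver {vserver} -policy-name wbx_cifs_policy "
    "-events siq_cifs_events -engine siq_cifs_engine -is-mandatory false",
    "fpolicy policy scope create -vserver {vserver} -policy-name wbx_cifs_policy -volumes-to-include {volumes}",
    "fpolicy enable -vserver {vserver} -policy-name wbx_cifs_policy -sequence-number {sequence_number}",
]

NAME_RE = re.compile(r"[A-Za-z0-9_]+")   # conservative name check (assumption of this example)
IPV4_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def validate(plans):
    """Return a list of problems; an empty list means the plans follow the guide's rules."""
    problems = []
    engines = {}   # (monitor_ip, port) -> vserver that already claimed it
    for p in plans:
        if not NAME_RE.fullmatch(p.vserver):
            problems.append(f"{p.vserver}: vserver name contains unexpected characters")
        m = IPV4_RE.match(p.monitor_ip)
        if not m or any(int(octet) > 255 for octet in m.groups()):
            problems.append(f"{p.vserver}: monitor IP {p.monitor_ip!r} is not an IPv4 address")
        if not 1 <= p.port <= 65535:
            problems.append(f"{p.vserver}: port {p.port} out of range")
        owner = engines.setdefault((p.monitor_ip, p.port), p.vserver)
        if owner != p.vserver:
            problems.append(f"{p.vserver}: port {p.port} on {p.monitor_ip} already used by {owner}; "
                            "each Activity Monitor on the same server needs its own port")
        if p.sequence_number < 1:
            problems.append(f"{p.vserver}: sequence number must be 1 or higher")
        for vol in p.volumes:
            if not NAME_RE.fullmatch(vol):
                problems.append(f"{p.vserver}: volume name {vol!r} contains unexpected characters")
    return problems


def render(plan):
    """Fill the template for one Vserver; '*' when no volume list is given."""
    volumes = "*" if not plan.volumes else ",".join(plan.volumes)
    return [line.format(vserver=plan.vserver, monitor_ip=plan.monitor_ip, port=plan.port,
                        volumes=volumes, sequence_number=plan.sequence_number)
            for line in CIFS_TEMPLATE]


if __name__ == "__main__":
    # Constructed placeholders: two Vservers monitored from one server, distinct ports.
    plans = [
        VserverPlan("svm_fin", "10.0.0.5", 12000),
        VserverPlan("svm_hr", "10.0.0.5", 12001, ["vol_hr"]),
    ]
    for problem in validate(plans):
        print("PROBLEM:", problem)
    for plan in plans:
        print("\n".join(render(plan)))
```

Fix every reported problem before running the rendered commands; the port collision check is the rule from the Note above that each Application on a shared monitor server gets its own port. The rendered external-engine line carries -ssl-option no-auth unchanged from the template, so the FPolicy channel between the cluster and the monitor is plain TCP, which is the reason the guide requires the monitor to sit in the same segment with no firewall in between.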