Architecture
This section provides an overview of File Access Manager architecture.
It can be deployed in one of the following deployment models:
- Simple
- Cloud-Based
The Cloud-Based deployment model provides a solution for these common use cases:
- Deploy the File Access Manager Services (the central services that provide the core functionality) in a cloud environment, with on-premises collectors that harvest information from target applications.
- Use this model in non-cloud implementations to scale the Permissions Collection and Data Classification processes beyond a single service per application. This reduces the time needed to crawl, collect permissions, and classify data in large applications.
Administrators can deploy File Access Manager using either deployment model. They can also begin with the Simple model and later progress to the Cloud-Based model by installing the File Access Manager Message Broker and adding Collectors. Consult a certified implementer before installation to determine the best configuration for your organization.
File Access Manager supports a disaster recovery solution, enabling the administrator to transfer the operation to a backup site if required. See details in the Server Implementation and the Disaster Recovery procedure guides.
Note
When installed in a high-availability environment, RabbitMQ is used to synchronize data between IIS servers, so that all users see up-to-date data in the web site. If your installation uses more than one IIS server, install RabbitMQ.
Simple Deployment Model
See Server Services for the description and capability of each service.
Cloud-Based Deployment Model
File Access Manager can be deployed in a cloud environment with on-premises collectors that harvest information from target applications. This adaptive connectivity model improves performance and scalability for large data sets.
The collectors complete the work assigned to them by the File Access Manager Central Permissions Collector and Central Data Classification services, and pass the processed information back to the File Access Manager Services through the File Access Manager Message Broker (RabbitMQ), which provides secure communication between the two. The information is then persisted to the database.
Each application can be processed by as many collectors running in parallel as necessary. Once large amounts of data no longer need to be processed, for example after the first full analysis of the environment, the data classification capacity can be reduced to handle the comparatively small number of subsequent modifications to sensitive data within the environment.
This adaptive connectivity model allows permissions collection and data classification to be analyzed progressively, without waiting for the complete data set to be processed. Each collector is tasked with processing a small subset of the environment, and as it completes each task it sends its results (through the File Access Manager Message Broker) back to the File Access Manager Services, which persist them to the File Access Manager database.
As a result, usable information about the file system or other resources becomes available as it is processed. This shortens time-to-value, since it is no longer necessary to analyze the entire data set before obtaining useful results.
Disaster Recovery
To support continued service following a natural or human induced disaster, you can install an additional environment in standby mode to be activated if and when required.
Collector Overview
A collector is a micro-service that receives work items (business resources) through the message broker, connects to the target application and retrieves metadata from it, and then sends the processed information back to the central service. Collectors communicate with the central services through a third-party message broker (RabbitMQ), which implements a persistent queue.
In a hybrid cloud / on-premises implementation, collectors send data to the cloud through the message broker, which eliminates the need for direct database access from on-premises to the cloud.
Collectors are not mandatory. When the cloud is not being used and horizontal scaling is not required, there is no need to install RabbitMQ. If RabbitMQ is not installed, Permissions Collection/Data Classification collectors cannot be installed, and the central services act as both the engine and the collector.
Key terms related to the Connector and Collector are defined below.
- Connector: the collection of features, components, and capabilities that comprise support for an endpoint.
- Collector: refers only to the "Agent" component or service in a Data Classification and/or Permissions Collection architecture.
- Engine: the core service counterpart of the collector in such an architecture.
- Identity Collector: the logical component used to fetch identities from an identity store. It holds the configuration and settings for that identity store and the relations between these identities, and has no "physical" manifestation; the collection work is performed by the Collector Synchronizer.
Data Classification and Permissions Collection are the only collector types.
A connector is not the same as a collector. Connectors are the services that connect to the target applications for:
- Permissions Collection (PC)
- Data Classification (DC)
Application > Central Service > Collector Relations
File Access Manager provides an adaptive connectivity model that supports multiple deployment configurations, from basic single-site implementations to geo-distributed ones.
The following describes the relationships among applications, Central Permissions Collection/Data Classification services, and Collectors:
- Multiple Central Permissions Collection/Data Classification services can be installed by the File Access Manager Server Installer.
- A single File Access Manager application can be associated with only one Central Permissions Collection/Data Classification service.
- Multiple File Access Manager applications can be associated with the same Central Permissions Collection/Data Classification service.
- A Permissions Collection/Data Classification Collector is always associated with a single Central Permissions Collection/Data Classification service.
- Multiple Permissions Collection/Data Classification Collectors can be installed and associated with the same Central Permissions Collection/Data Classification service.
Possible Deployment Options
In the simplest form, an application is associated with a Central Permissions Collection (PC)/Data Classification (DC) service without any installed Collectors, as shown below.
The same application can be extended to use a single Collector in a cloud-based implementation. Likewise, if the application is located at a remote site over a slower network, the Collector can be placed closer to the application.
Since each Central Permissions Collection/Data Classification service processes a single application at a time, multiple Central Permissions Collection/Data Classification services can be installed so that several applications are processed concurrently.
Multiple applications can be associated with the same Central Permissions Collection/Data Classification service, for example small-scale applications that a single Central Permissions Collection/Data Classification service can process sequentially.
Multiple collectors can be installed and associated with the same Central DC/PC service, which:
- Improves performance, and
- Reduces the time the Crawl, Permissions Collection, and Data Classification processes take to run.
Scaling Collectors Horizontally
Installing multiple collectors reduces the operational time of the Crawl, Permissions Collection, and Data Classification processes. The central DC/PC service distributes the business resources among the collectors by serving them through the Message Broker, and each collector processes a subset of the resources. As each task completes, the collector sends its results back through the File Access Manager message broker to the File Access Manager services, which persist them in the database.
Since each business resource is an atomic work item, adding collectors yields near-linear scaling.
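To make the work-distribution pattern described above concrete, the following is an added Python simulation; it is not File Access Manager or RabbitMQ code. A central-service function publishes one atomic work item per business resource to a queue with acknowledgements, a configurable number of collector threads lease items, process them, hand back results, and ack only afterwards, and one collector is made to abandon a task once so the redelivery a persistent queue provides is visible. The run is then timed with one collector and with four. The share names, the per-item cost, the ACL entries, and all function and class names are constructed assumptions.

```python
import queue
import threading
import time
from dataclasses import dataclass

# Constructed sample of business resources (share folders) that the Crawl would
# normally discover; the names and the per-item cost are assumptions.
SAMPLE_RESOURCES = [f"\\\\fileserver01\\finance\\dept{i:02d}" for i in range(16)]
PER_ITEM_COST = 0.02  # seconds of simulated permissions collection per resource


@dataclass
class WorkItem:
    resource: str
    attempts: int = 0


class PersistentQueue:
    """Stand-in for a broker queue with acknowledgements: a leased item is kept
    as 'unacked' until the collector acks it, so work abandoned by a failed
    collector is redelivered instead of lost."""

    def __init__(self):
        self._ready = queue.Queue()
        self._unacked = {}
        self._lock = threading.Lock()

    def publish(self, item):
        self._ready.put(item)

    def lease(self, timeout):
        try:
            item = self._ready.get(timeout=timeout)
        except queue.Empty:
            return None
        with self._lock:
            self._unacked[id(item)] = item
        return item

    def ack(self, item):
        with self._lock:
            self._unacked.pop(id(item), None)

    def requeue(self, item):
        # What a broker does when a consumer disconnects without acking.
        with self._lock:
            self._unacked.pop(id(item), None)
        self._ready.put(item)

    def outstanding(self):
        with self._lock:
            return self._ready.qsize() + len(self._unacked)


def collector(name, work, results, stop, crash_once_on=None):
    """Collector loop: lease one resource, 'collect its permissions', send the
    result back, and ack only after the result has been handed over."""
    while not stop.is_set():
        item = work.lease(timeout=0.01)
        if item is None:
            continue
        item.attempts += 1
        if crash_once_on == item.resource and item.attempts == 1:
            work.requeue(item)  # simulate the collector dying mid-task
            continue
        time.sleep(PER_ITEM_COST)
        results.put({"resource": item.resource, "collector": name,
                     "attempts": item.attempts,
                     "acl": [("DOMAIN\\Domain Users", "Read")]})  # constructed ACL
        work.ack(item)


def run_collection(resources, n_collectors, crash_once_on=None):
    """Central service side: publish one atomic work item per resource, persist
    results progressively as they arrive, and time the whole run."""
    work, results, stop = PersistentQueue(), queue.Queue(), threading.Event()
    database = {}
    for resource in resources:
        work.publish(WorkItem(resource))
    threads = [threading.Thread(target=collector, daemon=True,
                                args=(f"collector-{i}", work, results, stop, crash_once_on))
               for i in range(n_collectors)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    while len(database) < len(resources):  # usable data before the set is complete
        record = results.get(timeout=5)
        database[record["resource"]] = record
    elapsed = time.perf_counter() - start
    stop.set()
    for t in threads:
        t.join()
    return {"db": database, "elapsed": elapsed, "leaked": work.outstanding()}


def compare_scaling(resources=SAMPLE_RESOURCES):
    """Same data set with one collector, then with four (one drops a task once)."""
    single = run_collection(resources, n_collectors=1)
    scaled = run_collection(resources, n_collectors=4, crash_once_on=resources[3])
    return single, scaled


if __name__ == "__main__":
    single, scaled = compare_scaling()
    print(f"1 collector: {single['elapsed']:.2f}s, 4 collectors: {scaled['elapsed']:.2f}s, "
          f"speedup {single['elapsed'] / scaled['elapsed']:.1f}x")
    crashed = scaled["db"][SAMPLE_RESOURCES[3]]
    print(f"{crashed['resource']} redelivered: attempts={crashed['attempts']}, "
          f"finished by {crashed['collector']}")
```

Running the file prints the speedup and shows that the abandoned resource was processed exactly once after redelivery, with nothing left unacknowledged. The near-linear scaling holds only while the target application and the central service's persistence step can keep up with the collectors; in the simulation those costs are zero, so the collector count is the only limit.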