Integrate your Active Directory with Cloud Data Sense

Contributors netapp-tonacki

You can integrate a global Active Directory with Cloud Data Sense to enhance the results that Data Sense reports about file owners and which users and groups have access to your files.

When you set up certain data sources (listed below), you need to enter Active Directory credentials in order for Data Sense to scan CIFS volumes. This integration provides Data Sense with file owner and permissions details for the data that resides in those data sources. The Active Directory entered for those data sources may be different than the global Active Directory credentials you enter here. Data Sense will look in all integrated Active Directories for user and permission details.

This integration provides additional information in the following locations in Data Sense:

  • You can use the "File Owner" filter and see results in the file’s metadata in the Investigation pane. Instead of the file owner containing the SID (Security IDentifier), it is populated with the actual user name.

  • You can see full file permissions for each file when you click the "View all Permissions" button.

  • In the Governance dashboard, the Open Permissions panel will show a greater level of detail about your data.

Note Local user SIDs, and SIDs from unknown domains, are not translated to the actual user name.

Supported data sources

An Active Directory integration with Cloud Data Sense can identify data from within the following data sources:

  • On-premises ONTAP systems

  • Cloud Volumes ONTAP

  • Azure NetApp Files

  • FSx for ONTAP

  • Non-NetApp CIFS file shares (not for NFS file shares)

There is no support for identifying user and permission information from Database schemas, OneDrive accounts, SharePoint accounts, Google Drive accounts, Amazon S3 accounts, or Object Storage that uses the Simple Storage Service (S3) protocol.

Connecting to your Active Directory server

After you’ve deployed Data Sense and have activated scanning on your data sources, you can integrate Data Sense with your Active Directory. Active Directory can be accessed using a DNS Server IP address or an LDAP Server IP address.

The Active Directory credentials can be read-only, but providing admin credentials ensures that Data Sense can read any data that requires elevated permissions. The credentials are stored on the Cloud Data Sense instance.

Requirements
  • You must have an Active Directory already set up for the users in your company.

  • You must have the information for the Active Directory:

    • DNS Server IP address, or multiple IP addresses

      or

      LDAP Server IP address, or multiple IP addresses

    • User Name and Password to access the server

    • Domain Name (Active Directory Name)

    • Whether you are using secure LDAP (LDAPS) or not

    • LDAP Server Port (typically 389 for LDAP, and 636 for secure LDAP)

  • The following ports must be open for outbound communication by the Data Sense instance:

    Protocol Port Destination Purpose

    TCP & UDP

    389

    Active Directory

    LDAP

    TCP

    636

    Active Directory

    LDAP over SSL

    TCP

    3268

    Active Directory

    Global Catalog

    TCP

    3269

    Active Directory

    Global Catalog over SSL

Steps
  1. From the Cloud Data Sense Configuration page, click Add Active Directory.

    A screenshot that shows clicking the button to add an Active Directory server into Cloud Data Sense.

  2. In the Connect to Active Directory dialog, enter the Active Directory details and click Connect.

    You can add multiple IP addresses, if required, by clicking Add IP.

    A screenshot of the dialog where you define the Active Directory you want to integrate with Data Sense.

    Data Sense integrates to the Active Directory, and a new section is added to the Configuration page.

    A screenshot showing the new Active Directory integrated in Data Sense.

Managing your Active Directory integration

If you need to modify any values in your Active Directory integration, click the Edit button and make the changes.

You can also delete the integration if you no longer need it by clicking the More button button and then Remove Active Directory.