Enterprise Reporter 3.5.1 - Quick Start Guide

Table 10. Permissions required for Enterprise Reporter discoveries on NAS Devices
Discovery Type	Permissions Required for Discovery Credential
NetApp Cluster Mode	Multiple virtual machines belong to a single cluster. All of these virtual machines can be specified as discovery targets. These virtual machines must be part of a domain. The NAS configuration must point to the cluster (name or IP address) with credentials that have read access to the cluster. These would typically be administrator credentials.
NetApp 7 Mode	In NetApp 7 mode, data can be collected on the storage controller or vFilers that are derived from the storage controller. Credentials with read access to the controller and vFiler are required.
NetApp Storage Controller	In NetApp 7 mode, data can be collected on the storage controller or vFilers that are derived from the storage controller. Credentials with read access to the controller and vFiler are required.
NetApp Filer	The vFiler can be a discovery target. In this case, the NAS configuration must point to the storage controller from which the vFilers are derived and the credentials must have read access to the storage controller.
Dell Fluid FS	The discovery target can be any Fluid FS VM. The NAS configuration must be the machine name or IP where Dell Enterprise Manager is installed and credentials must have access to Dell Enterprise Manager.
EMC Isilon	The discovery target can be any Isilon virtual machine. The NAS configuration must be the machine or IP that hosts the OneFS administration site and the credentials must have read access to it. By default, the connection is established using https and, if the connection is not deemed to be secure, the discovery will fail.

Permissions for Enterprise Reporter tenant applications

Enterprise Reporter requires Azure applications for the collection of Azure and Microsoft 365 objects and attributes. These applications must be registered in the Azure portal and consent must be granted for delegated permissions. To manage tenant applications used by Enterprise Reporter, you use the Configuration | Application Tenant Management option.

Azure Active Directory application permissions

For the Azure Active Directory discovery, the Exchange Online discovery, and the collection of nested group members for the OneDrive, Exchange Online, and Azure Resource discovery, an application with a name that begins with “Quest Enterprise Reporter Azure Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Enterprise Reporter Azure discovery application, the following permissions are required:

Table 11. Required permissions
API Name	Permission	Permission Description	Type
Microsoft Graph	User.ReadBasic.All	Read all users' basic profiles	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed in user	Delegated
Microsoft Graph	Directory.Read.All	Read directory data	Delegated
Microsoft Graph	Group.Read.All	Read all groups
Microsoft Graph	IdentityRiskyUser.Read.All	Read identity risky user information	Delegated
Microsoft Graph	SecurityEvents.Read.All	Read your organization's security events	Delegated
Microsoft Graph	User.Read.All	Read all users' full profiles	Delegated
Microsoft Graph	Reports.Read.All	Read all usage reports	Delegated
Microsoft Graph	UserAuthenticationMethod.Read.All	Read all users' authentication methods	Delegated

Collecting user activity information

If you want to collect details about Microsoft 365 user activity, such as which licenses are assigned to a user and dates when a user last used a licensed service, the following delegated permission is required:

•

Microsoft Graph: Read all usage reports

Also, you must clear the Microsoft default setting that anonymizes the user-level data. To include user activity data in the Enterprise Reporter reports, do the following steps:

Open the Microsoft 365 admin center.

Navigate to Settings | Org Settings | Services.

Select Reports.

Clear the Display concealed user, group, and site names in all reports check box.

For more information, see https://learn.microsoft.com/en-US/microsoft-365/troubleshoot/miscellaneous/reports-show-anonymous-user-name

OneDrive application permissions

For the OneDrive discovery, an application with a name that begins with “Quest Enterprise Reporter OneDrive Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter OneDrive Discovery application, the following permissions are required:

Table 12. Required permissions
API Name	Permission	Permission Description	Type
Microsoft Graph	Directory.Read.All	Read directory data	Delegated
Microsoft Graph	Files.Read.All	Read all files that user can access	Delegated
Microsoft Graph	Sites.FullControl.All	Have full control of all site collections	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed in user	Delegated
Office 365 SharePoint Online	MyFiles.Read	Read user files	Delegated

Azure Resource application permissions

For the Azure Resource discovery, an application with a name that begins with “Quest Enterprise Reporter Azure Resource Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Enterprise Reporter Azure Resource discovery application, the following permissions are required:

Table 13. Required permissions
API Name	Permission	Permission Description	Type
Microsoft Graph	User.ReadBasic.All	Read all users' basic profiles	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed in user	Delegated
Windows Azure Service Management API	user_impersonation	Access Azure Service Management as organization users	Delegated

Microsoft Teams application permissions

For the Microsoft Teams discovery, an application with a name that begins with “Quest Enterprise Reporter Microsoft Teams Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter Microsoft Teams Discovery application, the following permissions are required:

Table 14. Required permissions
API Name	Permission	Permission Description	Type
Microsoft Graph	Directory.Read.All	Read directory data	Delegated
Microsoft Graph	User.ReadBasic.All	Read all users' basic profiles	Delegated
Microsoft Graph	Files.Read	Read user files	Delegated
Microsoft Graph	Sites.FullControl.All	Have full control of all site collections	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed in user	Delegated
Microsoft Graph	Group.Read.All	Read all groups	Delegated
Office 365 SharePoint Online	MyFiles.Read	Read user files	Delegated

SharePoint Online application permissions

For the SharePoint Online discovery, an application with a name that begins with “Quest Enterprise Reporter SharePoint Online Discovery” is created. To create this application in your tenant, you must specify an account with administrative access to create applications. The account must have the Global Administrator role to be able to create and consent to the application.

Once created, the application must also be delegated permissions and an administrator must consent to the application’s permissions using the Microsoft consent wizard. For the Quest Enterprise Reporter SharePoint Online Discovery application, the following permissions are required:

Table 15. Required permissions
API Name	Permission	Permission Description	Type
Microsoft Graph	Directory.Read.All	Read directory data	Delegated
Microsoft Graph	Sites.FullControl.All	Have full control of all site collections	Delegated

Minimum permissions for installing Enterprise Reporter

During your first installation, when you install the Enterprise Reporter server, there are two sets of credentials that you need to supply, as well as optional SQL credentials. This table outlines what the credentials are used for, and what permissions they require.

Table 16. Credential Use and Required Permissions
Credentials	Used For	Permissions Needed
Logged in user	Installing the components of Enterprise Reporter	Administrator access on the local computer.
	Creating the Enterprise Reporter database, roles and logins on the SQL Server® (unless SQL credentials are provided)	Must have the right to create databases, logins and groups.
	Creating the security groups	Depends on the type of groups that are chosen, but must have the right to create groups in the chosen environment.
	Securing the Configuration Manager and the Report Manager. The logged in user is added to the Reporter_Discovery_Admins, Reporter_Reporting_Admins, Reporter_Reporting_Operators, and Reporter_Discovery_Nodes security groups as an administrator for both consoles when installing the server.
Service Account Supplied during installation	Installing and running the Enterprise Reporter server	Login as service right is conferred on the service account by the logged in credentials during installation.
	Connecting to the Enterprise Reporter database (unless SQL permissions are provided)	Read and write permissions are automatically granted during database creation.
	Securing the Configuration Manager and Report Manager. The service account is automatically added to the Reporter_Discovery_Admins, Reporter_Reporting_Admins, Reporter_Reporting_Operators, and Reporter_Discovery_Nodes security groups when installing the server.
Optional SQL credentials Supplied during installation	Can be used to create the Enterprise Reporter database	Must have the right to create databases, logins and groups.
Optional SQL credentials Supplied during installation	If supplied, are used to connect the database by the Enterprise Reporter server.	Read and write permissions are automatically granted during database creation.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação

Selecione seu produto:

Para podermos atendê-lo melhor, informe o Propósito de seu chat:

Soluções recomendadas para seu problema

Enterprise Reporter 3.5.1 - Quick Start Guide

Permissions for Enterprise Reporter discoveries on NAS devices

Permissions for Enterprise Reporter tenant applications

Minimum permissions for installing Enterprise Reporter

Minimum permissions for installing Enterprise Reporter