Documentation for Access Rights Manager

ARM architecture and scalability

This section provides details about the following Access Rights Manager (ARM) architecture components:

About ARM

Access Rights Manager (ARM) helps IT and security administrators comply with regulatory requirements such as the General Data Protection Regulation (GDPR), the PCI Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).

Using ARM, you can:

  • Analyze user authorizations and access permissions to systems, data, and files

  • View what users can access in Microsoft Active Directory, Microsoft Exchange, Microsoft SharePoint, and file servers

  • Automatically document actions

  • Generate customizable, audit-ready reports

  • Provision, modify, or de-provision users and their access rights with template-based rules

General architecture

The following table lists the ARM components that are included in a full installation.

  • ARM Server: Runs the ARM service and processes new data and requests. This service also functions as the primary collector, which collects and sends data to the database. The ARM server is the central component in your ARM infrastructure.

  • ARM Collector: Collects event data from your deployment and sends it to the ARM Server for processing.

  • ARM Web Components: Provide risk analysis solutions and a self-service portal for all end users. The web components include the Web Client and the Web API.

  • ARM Configuration Client: Provides the back-end configuration settings for all ARM clients. This client is used by senior-level administrators to configure ARM behavior on all desktops and systems.

  • RabbitMQ message queue: A message queue system that monitors events and delivers real-time alerts.

  • Microsoft SQL database: The primary database for your ARM deployment.

  • (Optional) Additional Collectors: Installed in separate domains to collect and send event data to the ARM server for analysis.

In small environments, the ARM server, SQL database, web components, and RabbitMQ message queue system can run on a single Windows server. In larger environments, the components can run on dedicated Windows servers. For scaling recommendations, see Distributed installation.

The ARM components communicate through network interfaces. The following illustrations display which ports are used in the configuration. See the system requirements for a description of each port.

ARM is not a SolarWinds Platform product. To prevent messaging conflicts with RabbitMQ running on both applications, SolarWinds recommends installing ARM and the SolarWinds Platform on separate servers.

Applications

ARM includes the following applications:

  • ARM configuration wizard (Windows application)
  • ARM main application (Windows application)
  • ARM configuration application (Windows application)
  • ARM web application

In earlier versions, ARM used dynamic ports (or random high ports) to provide communications between the Windows applications and the ARM server. If required by your existing firewall, you can set a range for the use of dynamic ports in the ARM configuration files.

See Provide access to the ARM GUI applications for instructions on how to provide user access to the applications in your deployment.

Distributed installation

The following illustration shows an example of a distributed installation in a corporate environment.

Web components

The Web components are installed on a Windows server running Internet Information Services (IIS). These components include the Web Client and the Web API. SolarWinds recommends running the Web components on the ARM server. If you expect high user access to the web application, you can run the web components on a dedicated server.

See Install web components for instructions on installing the Web components on a dedicated Web server.

See the system requirements for details about the Web components and web interface requirements.

SQL database

ARM requires a connection to a Microsoft SQL database instance. For small environments or evaluation purposes, you can run the SQL Express Edition included in the ARM setup on the ARM server.

For large environments or if you want to use the monitoring functions productively, SolarWinds recommends using a dedicated database server running Microsoft SQL Server Standard Edition or higher.

For information on sizing the database server and supported versions, see the SQL Server section in the system requirements.

If you plan to install an ARM Evaluation that includes SQL Express, see SQL Express 2019 and ARM located in the ARM Administrator Guide for more information. SQL Express is not recommended for a production deployment. See ARM Evaluation version restrictions for additional information.

RabbitMQ

ARM uses the RabbitMQ queuing service for messages. SolarWinds recommends running the RabbitMQ version included with the ARM setup on the ARM server. Optionally, you can run an external RabbitMQ service.

See the system requirements for information about the supported RabbitMQ and Erlang versions.

Collectors

Collectors collect resource and system data from scans and Logga and transfer that data to the ARM server for processing. The ARM Server includes a built-in collector.

In large or distributed environments, you can install additional collectors to load balance, connect remote sites, and improve system performance. See Collectors in the ARM Administrator Guide for instructions on how to install, set up, and integrate additional collectors in your deployment.

Active Directory

ARM uses Active Directory (AD) to view and manage accounts and logs activities through AD Logga. The following illustration shows how Active Directory communicates with the ARM Server.

Scan Active Directory and manage accounts

ARM uses LDAP to scan Active Directory and manage your accounts.

Depending on your system configuration, the scan collects data over LDAP (port 389) or LDAPS (port 636); the protocol is determined by the environment and cannot be configured within ARM.

You can install an additional collector in your environment. The ARM server can be used as a collector. SolarWinds recommends using an additional collector when:

  • Domain controllers are installed at remote locations
  • The ARM server or all existing collectors receive a high amount of data each day

See Active Directory resources in the ARM Administrator Guide for instructions on setting up your Active Directory scans.

Retrieve log events using Active Directory Logga

ARM uses the Remote Procedure Call (RPC) protocol for retrieving the events.

If you enabled the Windows Firewall on domain controllers, see Configure the Windows Firewall for AD Logga in the ARM Administrator Guide for instructions on enabling the RPC protocol.

For load balancing, you can install an additional collector in your environment. Only one collector for AD Logga can be configured to process events from all domain controllers.
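The two Active Directory paths described above (LDAP/LDAPS for the scan, RPC for AD Logga) are the ones most often blocked by a firewall between a collector and the domain controllers. The following pre-flight check is an added example, not part of the SolarWinds documentation or product; run it on the host that will act as the AD collector. The domain controller names are placeholders, and the assumption that the AD Logga RPC session starts at the endpoint mapper on TCP 135 is ours, not the page's.

```powershell
# Added example (not SolarWinds code): TCP reachability pre-flight from a
# prospective AD collector to its domain controllers.
function Test-ArmAdCollectorPorts {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        # LDAP (389) or LDAPS (636) is decided by the environment, not inside ARM,
        # so pass the protocol your domain controllers actually require.
        [ValidateSet('LDAP', 'LDAPS')][string]$ScanProtocol = 'LDAPS'
    )

    $scanPort = if ($ScanProtocol -eq 'LDAPS') { 636 } else { 389 }
    $ports = @(
        @{ Port = $scanPort; Purpose = "AD scan ($ScanProtocol)" }
        # AD Logga retrieves events over RPC. Assumption: the session begins at the
        # RPC endpoint mapper (TCP 135); the dynamic RPC ports negotiated afterwards
        # are not covered by this check.
        @{ Port = 135; Purpose = 'AD Logga (RPC endpoint mapper)' }
    )

    foreach ($dc in $DomainController) {
        foreach ($p in $ports) {
            $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p.Port
                Purpose          = $p.Purpose
                Reachable        = [bool]$t.TcpTestSucceeded
            }
        }
    }
}

# Placeholder domain controllers; replace with your own.
$results = Test-ArmAdCollectorPorts -DomainController 'dc01.corp.example', 'dc02.corp.example' -ScanProtocol LDAPS
$results | Format-Table -AutoSize

# Surface blocked ports before the collector is put into service, so a firewall
# gap shows up here instead of as a failed scan or missing Logga events.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port check(s) failed from {1}" -f $blocked.Count, $env:COMPUTERNAME)
}
```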

Scalability and scanning performance

You can configure multiple collectors for an Active Directory scan. The scan is executed using only one collector. If you configured multiple collectors in your environment, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM use and not the location.

For optimal scanning performance, you can adjust the number of parallel scan requests. Increasing this number results in higher scan performance and a higher CPU and RAM load on the collector. In most cases, doubling the number of parallel requests does not double the scan performance. The optimal or justifiable number of parallel requests depends on your hardware configuration and existing load and cannot be predicted here.

Possible values include: 

  • Minimum: 1
  • Maximum: 128
  • Default: 4

To configure the scan settings, open the ARM configuration application. Under the Scans menu, enter the scan values. See Configure AD resources in the ARM Administrator Guide for more information.

Azure Active Directory

Using ARM for Azure Active Directory, you can:

  • View and manage accounts
  • Log activities (AAD Logga)

The following illustration shows how Azure Active Directory is implemented in an ARM deployment.

Scan Azure Active Directory and manage accounts

For all activities, ARM uses web interfaces (APIs) provided by Azure. Optionally, you can install an additional collector. The ARM server can be used as a collector. SolarWinds recommends using an additional collector when:

  • The ARM server or all existing collectors experience high network activity
  • The ARM server cannot access the Internet

See Azure AD resources in the ARM Administrator Guide for instructions on how to set up Azure Active Directory scans.

Retrieve log events using Azure Active Directory Logga

ARM uses web interfaces (APIs) provided by Azure to retrieve the events. An additional collector is optional. The ARM server can be used as a collector. See Configuring the Azure Active Directory (AAD) Logga in the ARM Administrator Guide for instructions to set up the Azure Active Directory (AAD) Logga.

Scalability and scanning performance

You can configure multiple collectors for an Azure Active Directory scan. The scan is executed using one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage and not the location.

For optimal scanning performance, you can adjust the number of parallel scan requests. Increasing this number results in higher scan performance and a higher CPU and RAM load on the collector. In most cases, doubling the number of parallel requests does not double the scan performance. The optimal or justifiable number of parallel requests depends on your hardware configuration and existing load and cannot be predicted here.

Possible values include:

  • Minimum: 1
  • Maximum: 128
  • Default: 4

Windows file server

Using ARM for Windows file servers, you can:

  • View and manage directory permissions
  • Log file server activities (FS Logga)

The required installation configuration depends on the desired feature set. The following illustration provides an example configuration.

Scan and manage

ARM uses the Common Internet File System (CIFS) protocol for all activities.

Additional collectors are optional. The ARM server can be used as a collector. SolarWinds recommends using additional collectors when:

  • File servers are installed in remote locations
  • The ARM server or all existing collectors experience high network activity

Retrieve file server events using FS Logga

To use the monitoring features on a Windows file server, install the following ARM components on each monitored file server:

  • ARM Filter driver
  • ARM Collector

The Windows file server operates as a collector.

See Prepare Windows file servers in the ARM Administrator Guide for setup instructions.

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is executed using only one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, and not the location.

For optimal scanning performance, you can adjust the number of parallel scan requests. Increasing this number results in higher scan performance and a higher CPU and RAM load on the collector. In most cases, doubling the number of parallel requests does not double the scan performance. The optimal or justifiable number of parallel requests depends on your hardware configuration and existing load and cannot be predicted here.

Possible values include:

  • Minimum: 1
  • Maximum: 128
  • Default: 4

For optimal scanning performance, set the appropriate file server type in the scan configuration. In "Auto" mode, performance may be degraded due to compatibility requirements.

For most ARM use cases, it is not necessary or useful to scan all shares on a file server. This includes administrative shares ($ shares) and system drives. For a fast scan, limit your scope to the productive shares.
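As an added example (not SolarWinds code), the following script lists the shares on a Windows file server that are candidates for a scan scope, dropping administrative ($) and special shares and anything rooted on the system drive, as the guidance above suggests. It assumes WinRM/CIM access to the file server; the hostname is a placeholder.

```powershell
# Added example (not SolarWinds code): enumerate productive shares on a Windows
# file server as a starting point for the ARM scan scope.
function Get-ArmScanCandidateShares {
    param([Parameter(Mandatory)][string]$FileServer)

    $session = New-CimSession -ComputerName $FileServer
    try {
        # System drive as seen by the file server itself (for example C:)
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        $systemDrive = $os.SystemDrive

        Get-SmbShare -CimSession $session |
            Where-Object {
                # Special covers IPC$, ADMIN$ and the drive$ shares; the name test
                # catches any other hidden/administrative share.
                (-not $_.Special) -and
                ($_.Name -notlike '*$') -and
                # Skip shares with no local path and anything on the system drive.
                ($_.Path) -and
                (-not $_.Path.StartsWith($systemDrive, [System.StringComparison]::OrdinalIgnoreCase))
            } |
            Select-Object Name, Path, Description
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Placeholder file server; replace with your own.
Get-ArmScanCandidateShares -FileServer 'fs01.corp.example' | Format-Table -AutoSize
```

Review the output before entering it as the scan scope; a share on a data drive can still be unproductive, and the list only removes the categories the text names.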

To configure the scan settings, open the ARM configuration application. Under the Scans menu, enter the scan values. See Configure FS resources in the ARM Administrator Guide for more information.

NetApp file server

Using ARM for a NetApp file server, you can:

  • View and manage directory permissions
  • Log file server activities (FS Logga)

The required installation effort depends on the desired feature set. The following illustration provides an example configuration.

Scan and manage

ARM uses the CIFS protocol for all activities. ARM does not support NFS shares.

Additional collectors are optional. The ARM server can be used as a collector. SolarWinds recommends using additional collectors when:

  • File servers are installed in remote locations
  • The ARM server or all existing collectors already have a high load

Retrieve file server events using FS Logga

ARM uses the NetApp FPolicy feature for monitoring functions. An additional collector that processes the NetApp file server events is mandatory. The ARM server cannot be used as a collector.

In NetApp 7-Mode, ARM uses RPC (TCP 135) and SMB (TCP 139) to retrieve the events. In NetApp clustered mode, the port is configurable, with a preset TCP 2002 value.

See Prepare NetApp clustered data ONTAP file servers in the ARM Administrator Guide for setup instructions.

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is executed using one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage and not the location.

For optimal scanning performance, you can adjust the number of parallel scan requests. Increasing this number results in higher scan performance and a higher CPU and RAM load on the collector. In most cases, doubling the number of parallel requests does not double the scan performance. The optimal or justifiable number of parallel requests depends on your hardware configuration and existing load and cannot be predicted here.

Possible values include:

  • Minimum: 1
  • Maximum: 128
  • Default: 4

For a fast scan, limit the scope to the productive shares and set the file server type to NetApp.

To configure the scan settings, open the ARM configuration application. Under the Scans menu, enter the scan values. See Configure FS resources in the ARM Administrator Guide for more information.

EMC File Server

Using ARM for an EMC file server, you can:

  • View and manage directory permissions
  • Log file server activities (FS Logga)

The required installation effort depends on the desired feature set. The following illustration provides an example configuration.

Scan and manage

ARM uses the CIFS protocol for all activities. ARM does not support NFS shares.

Additional collectors are optional. The ARM server can be used as a collector. SolarWinds recommends using additional collectors when:

  • File servers are installed in remote locations
  • The ARM server or all existing collectors already have a high load

Retrieve file server events (FS Logga)

The EMC Common Event Enabler (CEE) is required for the monitoring functions. An additional collector that processes the EMC file server events is required. The CEE and the collector service must run on the same Windows server. This server should be located in the same network segment as the EMC file server you plan to monitor. The ARM server cannot be used as a collector.

See Prepare EMC file servers in the ARM Administrator Guide for setup instructions.

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is executed using only one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel scan requests. Increasing this number results in higher scan performance and a higher CPU and RAM load on the collector. In most cases, doubling the number of parallel requests does not double the scan performance. The optimal or justifiable number of parallel requests depends on your hardware configuration and existing load and cannot be predicted here.

Possible values include:

  • Minimum: 1
  • Maximum: 128
  • Default: 4

For a fast scan, limit the scope to the productive shares and set the file server type to EMC.

To configure the scan settings, open the ARM configuration application. Under the Scans menu, enter the scan values. See Configure FS resources in the ARM Administrator Guide for more information.

Exchange

The main features of ARM for Exchange Online and Exchange on-premise are:

  • View and manage mailbox permissions
  • Log mailbox activities (Exchange-Logga)

The following illustration provides an example configuration.

ARM uses PowerShell to access Exchange.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

  • For Exchange Online if your ARM server has no internet access
  • The ARM server itself or all existing collectors already have a high load
  • Exchange (on-premise) servers on remote locations

Scalability and scanning performance

You can configure multiple collectors for an Exchange scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

You can configure the settings in the ARM configuration application in the Scans menu. For more information, see the following sections in the ARM Administrator Guide:

SharePoint On-Premise, SharePoint Online, and OneDrive

Using ARM for SharePoint On-premise, SharePoint Online, and OneDrive, you can view and manage permissions and log activities (including SharePoint Online Logga and OneDrive Logga).

The following illustration provides an example configuration.

ARM uses the SharePoint client-side object model (CSOM) to access SharePoint. ARM uses web interfaces (APIs) provided by Microsoft Azure to access OneDrive and to retrieve SharePoint Online events.

Additional collectors are optional. The ARM server can be used as a collector. SolarWinds recommends using additional collectors when:

  • The ARM server has no internet access (for SharePoint Online)
  • The ARM server or all existing collectors already have a high load
  • SharePoint (on-premise) servers are installed in remote locations

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is always executed using one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

You can configure the settings in the ARM configuration application in the Scans menu. For more information, see the following sections in the ARM Administrator Guide:

Teams

Using ARM for Teams, you can view and manage team permissions, memberships, and channels.

The following illustration provides an example configuration.

ARM uses web interfaces (APIs) provided by Microsoft Azure to access Teams.

An additional collector is optional. The ARM server can be used as a collector. SolarWinds recommends using an additional collector when:

  • The ARM server has no internet access
  • The ARM server or all existing collectors already have a high load

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is executed using only one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

See Teams in the ARM Administrator Guide for information about setting up Teams.

SAP

Using ARM for SAP, you can view the SAP permissions.

The following illustration provides an example configuration.

ARM uses the SAP .NET connector to read SAP permissions.

An additional collector is optional. The ARM server can be used as a collector. SolarWinds recommends using an additional collector when the ARM server or all existing collectors already have a high load.

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is executed using only one collector. If you configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For instructions on setting up SAP scans, see SAP resources in the ARM Administrator Guide.