For installation and operation of a One Identity Manager database, the following database server and database settings are required:
Table 4: Database server settings

| Setting | Value | Remarks |
| --- | --- | --- |
| Language | English | |
| Server Collation | Case insensitive; SQL_Latin1_General_CP1_CI_AS (recommended) | |
| Extreme transaction processing supported (Is XTP supported) | True | One Identity Manager uses In-Memory OLTP (Online Transactional Processing) for memory-optimized data access, so the database server must support extreme transaction processing (XTP). This function is activated by default in a default installation. The Configuration Wizard tests the setting before installing or updating the One Identity Manager database; if XTP is not activated, the installation or update does not start. |
| SQL Server Agent | Started | Start the SQL Server Agent in the SQL Server Service Management Portal. The SQL Server Agent can run as a domain user with Windows authentication or as a local system account. The Configuration Wizard tests the setting before installing or updating the One Identity Manager database; if the SQL Server Agent is not started, the installation or update does not start. |
Table 5: Database settings

| Setting | Value | Remarks |
| --- | --- | --- |
| Collation | SQL_Latin1_General_CP1_CI_AS | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Recovery model | Simple | The Configuration Wizard tests the setting before installing or updating the One Identity Manager database. If the recovery model is not set to Simple, a warning is issued before the installation or update starts; you can ignore this warning. For performance reasons, however, it is recommended that you set the database to the Simple recovery model for the duration of the schema installation or update. |
| Compatibility level | SQL Server 2017 (140) | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Create Statistics | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Update Statistics | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Update Statistics Asynchronously | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Arithmetic Abort enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Quoted Identifiers Enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Broker Enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Is Read Committed Snapshot On | True | The default setting for transactions is AutoCommit; if transactions are required, they are opened explicitly. These settings have proven to provide the best balance between data security and performance for One Identity Manager's massively parallel processing. Other transaction modes are not supported by One Identity Manager. The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Parameterization | Forced | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Database file and data filegroup for memory-optimized tables | Required | One Identity Manager uses In-Memory OLTP (Online Transactional Processing) for memory-optimized data access. For the creation of memory-optimized tables, a database file with the Filestream data file type and a memory-optimized data filegroup must exist. Before installing or updating the One Identity Manager database, the Configuration Wizard checks whether these requirements are fulfilled and offers repair methods to create the database file and the data filegroup. The repair method creates the database file in the directory of the data file (*.mdf). |
For more information about the named database server properties, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/view-or-change-server-properties-sql-server.
For more information about the database properties, see https://docs.microsoft.com/en-us/sql/relational-databases/databases/view-or-change-the-properties-of-a-database and https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-databases-transact-sql.
The following users are identified for using a One Identity Manager database on a SQL Server with the granular permissions concept. User permissions at server and database level are matched to their tasks.
- Installation user: needed for the initial installation of a One Identity Manager database using the Configuration Wizard. NOTE: If you want to change to the granular permissions concept when you upgrade from version 8.0.x to 8.2.1, you also require an installation user.
- Administrative user: used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.
- Configuration user: can run configuration tasks within One Identity Manager, for example, creating customer-specific schema extensions or working with the Designer. Configuration users need permissions at the server and database levels.
- End users: only assigned permissions at database level in order, for example, to complete tasks with the Manager or the Web Portal.
For more information about minimum access levels for One Identity Manager tools, see the One Identity Manager Authorization and Authentication Guide.
Permissions for installation users
A SQL Server login and a database user with the following permissions must be provided for the installation user.
SQL Server:
- Member of the dbcreator server role. The server role is only required if the database is created using the Configuration Wizard.
- Member of the sysadmin server role. This server role is only required if the database is created by the Configuration Wizard and the directories for the files must be selected in the file browser. If the files are stored in the default database server directories, this permission is not necessary.
- Member of the securityadmin server role. This server role is required to create SQL Server logins.
- The view server state permission and the alter any connection permission, each with the with grant option option. These permissions are required to check connections and close them if necessary.
- The alter any server role permission. This permission is required to create the server role for the administrative user.
msdb database:
- Select permissions with the with grant option option for the dbo.sysjobs, dbo.sysjobsteps, dbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules, and dbo.sysjobhistory tables. These permissions are required to run and monitor database schedules.
- The alter any user permission. This permission is required to create the necessary database users for the administrative user.
- The alter any role permission. This permission is required to create the necessary database role for the administrative user.
master database:
- The alter any user permission. This permission is required to create the necessary database users for the administrative user.
- The alter any role permission. This permission is required to create the necessary database role for the administrative user.
- Execute permissions with the with grant option option for the xp_readerrorlog procedure. These permissions are required to obtain information about the database server's system status.
- Member of the SQLAgentUserRole database role. This database role is required for managing database schedules during an update from version 8.0.x to version 8.2.1.
One Identity Manager database:
- Member of the db_owner database role. This database role is only required if you want to use an existing database or if a schema update is performed when installing the schema with the Configuration Wizard.
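The following T-SQL is an added example and not part of the One Identity Manager documentation. It provisions a SQL Server login for the installation user with exactly the server, msdb and master permissions listed above, and then reads the effective server permissions back as that login so that nothing beyond the list was granted. The login name [OneIM_Install], the password placeholder and the database name [OneIM] are assumptions. The conditional grants (sysadmin for the file browser case, db_owner for an existing database or schema update) are left commented out. SQLAgentUserRole is a fixed database role that exists in msdb, so the membership is added there.

```sql
-- Added example, not from the One Identity Manager documentation.
-- Creates a SQL Server login for the installation user and grants the
-- permissions listed above. [OneIM_Install], the password placeholder and
-- the database name [OneIM] are assumptions; replace them for your environment.
USE master;
GO
CREATE LOGIN [OneIM_Install]
    WITH PASSWORD = N'<replace with a strong password>', CHECK_POLICY = ON;
GO

-- Server roles
ALTER SERVER ROLE dbcreator     ADD MEMBER [OneIM_Install];  -- database is created by the Configuration Wizard
ALTER SERVER ROLE securityadmin ADD MEMBER [OneIM_Install];  -- creation of SQL Server logins
-- Only if the file locations are chosen in the Configuration Wizard's file browser;
-- keep the installation user out of sysadmin when the default directories are used.
-- ALTER SERVER ROLE sysadmin ADD MEMBER [OneIM_Install];

-- Server permissions: connection checks (with grant option) and the server role
-- that is later created for the administrative user
GRANT VIEW SERVER STATE     TO [OneIM_Install] WITH GRANT OPTION;
GRANT ALTER ANY CONNECTION  TO [OneIM_Install] WITH GRANT OPTION;
GRANT ALTER ANY SERVER ROLE TO [OneIM_Install];
GO

-- msdb: SQL Server Agent job tables, user/role management and SQLAgentUserRole
USE msdb;
GO
CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
GRANT SELECT ON OBJECT::dbo.sysjobs         TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON OBJECT::dbo.sysjobsteps     TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON OBJECT::dbo.sysjobschedules TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON OBJECT::dbo.sysjobactivity  TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON OBJECT::dbo.sysschedules    TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON OBJECT::dbo.sysjobhistory   TO [OneIM_Install] WITH GRANT OPTION;
GRANT ALTER ANY USER TO [OneIM_Install];
GRANT ALTER ANY ROLE TO [OneIM_Install];
-- SQLAgentUserRole is a fixed database role of msdb; it is needed for schedule
-- management during an update from 8.0.x to 8.2.1.
ALTER ROLE SQLAgentUserRole ADD MEMBER [OneIM_Install];
GO

-- master: user/role management and the error log reader
USE master;
GO
CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
GRANT ALTER ANY USER TO [OneIM_Install];
GRANT ALTER ANY ROLE TO [OneIM_Install];
GRANT EXECUTE ON OBJECT::dbo.xp_readerrorlog TO [OneIM_Install] WITH GRANT OPTION;
GO

-- Only for an existing database or a schema update run by the Configuration Wizard:
-- USE [OneIM];
-- CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
-- ALTER ROLE db_owner ADD MEMBER [OneIM_Install];

-- Read back the effective server permissions as the new login to confirm that
-- nothing beyond the list above was granted (requires IMPERSONATE on the login).
EXECUTE AS LOGIN = N'OneIM_Install';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'SERVER')
ORDER BY permission_name;
REVERT;
GO
```

Run the script as a sysadmin once, before starting the Configuration Wizard; the final SELECT should list CONNECT SQL, VIEW SERVER STATE, ALTER ANY CONNECTION and ALTER ANY SERVER ROLE plus the permissions implied by the two server roles, and nothing else.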
Permissions for administrative users
During the installation of the One Identity Manager database using the Configuration Wizard, the following principal elements and permissions are created for the administrative user:
SQL Server:
msdb database:
- OneIMRole_<DatabaseName> database role
  - Member of the SQLAgentUserRole database role. The database role is required to run database schedules.
  - Select permissions for the dbo.sysjobs, dbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules, and dbo.sysjobhistory tables. These permissions are required to run and monitor database schedules.
- OneIM_<DatabaseName> database user
master database:
One Identity Manager database:
- Admin database user
  - Member of the db_owner database role. The database role is required to update a database with the Configuration Wizard.
  - The database user is assigned to the <DatabaseName>_Admin SQL Server login.
Permissions for configuration users
During the installation of the One Identity Manager database using the Configuration Wizard, the following principal elements and permissions are created for configuration users:
SQL Server:
One Identity Manager database:
Permissions for end users
The following principals are created with the permissions for end users during the installation of the One Identity Manager database with the Configuration Wizard:
SQL Server:
One Identity Manager database:
Tips for using integrated Windows authentication
Integrated Windows authentication can be used without restriction for the One Identity Manager Service and the web applications. Integrated Windows authentication can also be used for FAT clients, and logging in with Windows groups is supported. To ensure functionality, however, it is strongly recommended that you use a SQL Server login.
To implement Windows authentication
- Set up a SQL Server login for the user account on the database server.
- Enter dbo as the default schema.
- Assign the required permissions to the SQL Server login.
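The three steps above, carried out for a Windows group, as an added T-SQL example that is not part of the One Identity Manager documentation. The group CONTOSO\OneIM-Users, the database name [OneIM] and the role name in step 3 are placeholders; the documentation names no specific role here, so substitute the role the Configuration Wizard created for the relevant user class. The final query reads the principal back so that the dbo default schema can be verified.

```sql
-- Added example, not from the One Identity Manager documentation.
-- Steps 1-3 above for a Windows group: create the login, create the database
-- user with dbo as its default schema, and assign permissions. CONTOSO\OneIM-Users,
-- the database name [OneIM] and the role name [<role for this user class>]
-- are placeholders.
USE master;
GO
-- Step 1: SQL Server login for the Windows account or group. No password is
-- stored in SQL Server; authentication is delegated to Windows.
CREATE LOGIN [CONTOSO\OneIM-Users] FROM WINDOWS WITH DEFAULT_DATABASE = [OneIM];
GO

USE [OneIM];
GO
-- Step 2: database user mapped to that login with dbo as default schema. Since
-- SQL Server 2012 a default schema can be set for a Windows group, so members
-- without an individual database user inherit it.
CREATE USER [CONTOSO\OneIM-Users]
    FOR LOGIN [CONTOSO\OneIM-Users]
    WITH DEFAULT_SCHEMA = dbo;
GO
-- Step 3: assign the required permissions, here by role membership
-- (placeholder role name).
ALTER ROLE [<role for this user class>] ADD MEMBER [CONTOSO\OneIM-Users];
GO

-- Verification: principal type, default schema and the mapped server login,
-- joined on the SID so that a stale or orphaned mapping shows up as a missing row.
SELECT dp.name, dp.type_desc, dp.default_schema_name, sp.name AS login_name
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.name = N'CONTOSO\OneIM-Users';
```

If the verification query returns no row, the database user exists without a matching login (or vice versa); the join on sid is what catches that, because the two names can agree while the SIDs do not.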
To manage the One Identity Manager database in a managed instance in Azure SQL Database, you require the Business Critical tier. For more detailed information, see the Microsoft site at https://azure.microsoft.com/en-us/services/sql-database/.
For installation and operation of a One Identity Manager database, the following database server and database settings are required:
Table 6: Database server settings

| Setting | Value | Remarks |
| --- | --- | --- |
| Language | English | |
| Server Collation | Case insensitive; SQL_Latin1_General_CP1_CI_AS (recommended) | |
| Extreme transaction processing supported (Is XTP supported) | True | Default setting. |
| SQL Server Agent | Started | Default setting. |

Table 7: Database settings

| Setting | Value | Remarks |
| --- | --- | --- |
| Collation | SQL_Latin1_General_CP1_CI_AS | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Recovery model | Full | Default setting. |
| Compatibility level | SQL Server 2017 (140) | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Create Statistics | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Update Statistics | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Auto Update Statistics Asynchronously | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Arithmetic Abort enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Quoted Identifiers Enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Broker Enabled | True | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Is Read Committed Snapshot On | True | The default setting for transactions is AutoCommit; if transactions are required, they are opened explicitly. These settings have proven to provide the best balance between data security and performance for One Identity Manager's massively parallel processing. Other transaction modes are not supported by One Identity Manager. The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Parameterization | Forced | The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary. |
| Database file and data filegroup for memory-optimized tables | Required | Default setting. |
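The following T-SQL is an added example, not part of the One Identity Manager documentation, that reads back the server and database settings from Tables 4 and 5 (on-premises) and Tables 6 and 7 (Azure) and compares each with its required value, so that deviations are visible before the Configuration Wizard's own check runs. It assumes a database named OneIM (placeholder) and an expected recovery model of SIMPLE for Table 5 or FULL for Table 7; the Language row compares against us_english, which is SQL Server's name for the English default language, and the SQL Server Agent row reads sys.dm_server_services, which requires VIEW SERVER STATE. The memory-optimized filegroup is checked last through the database's own catalog views.

```sql
-- Added example, not from the One Identity Manager documentation.
-- Compares the server and database settings from Tables 4-7 with the required values.
-- @DatabaseName and @ExpectedRecoveryModel are placeholders: use N'SIMPLE' for the
-- on-premises settings in Table 5 and N'FULL' for the settings in Table 7.
DECLARE @DatabaseName          sysname      = N'OneIM';
DECLARE @ExpectedRecoveryModel nvarchar(60) = N'SIMPLE';

-- Server settings (Tables 4 and 6)
SELECT v.Setting, v.Actual, v.Expected,
       CASE WHEN v.Actual = v.Expected THEN N'OK' ELSE N'CHECK' END AS Result
FROM (VALUES
    (N'Language',
        (SELECT l.name FROM sys.syslanguages AS l
           JOIN sys.configurations AS c ON CONVERT(int, c.value_in_use) = l.langid
          WHERE c.name = N'default language'),
        N'us_english'),                                   -- SQL Server's name for English
    (N'Server Collation',
        CONVERT(nvarchar(128), SERVERPROPERTY('Collation')),
        N'SQL_Latin1_General_CP1_CI_AS'),
    (N'Is XTP supported',
        CONVERT(nvarchar(10), SERVERPROPERTY('IsXTPSupported')),
        N'1'),
    (N'SQL Server Agent',                                 -- needs VIEW SERVER STATE
        (SELECT s.status_desc FROM sys.dm_server_services AS s
          WHERE s.servicename LIKE N'SQL Server Agent%'),
        N'Running')
) AS v(Setting, Actual, Expected);

-- Database settings (Tables 5 and 7). Bit columns are compared as text so that one
-- CASE expression serves every row.
SELECT v.Setting, v.Actual, v.Expected,
       CASE WHEN v.Actual = v.Expected THEN N'OK' ELSE N'CHECK' END AS Result
FROM sys.databases AS d
CROSS APPLY (VALUES
    (N'Collation',                             d.collation_name,                                      N'SQL_Latin1_General_CP1_CI_AS'),
    (N'Recovery model',                        d.recovery_model_desc,                                 @ExpectedRecoveryModel),
    (N'Compatibility level',                   CONVERT(nvarchar(10), d.compatibility_level),          N'140'),
    (N'Auto Create Statistics',                CONVERT(nvarchar(1),  d.is_auto_create_stats_on),      N'1'),
    (N'Auto Update Statistics',                CONVERT(nvarchar(1),  d.is_auto_update_stats_on),      N'1'),
    (N'Auto Update Statistics Asynchronously', CONVERT(nvarchar(1),  d.is_auto_update_stats_async_on), N'1'),
    (N'Arithmetic Abort enabled',              CONVERT(nvarchar(1),  d.is_arithabort_on),             N'1'),
    (N'Quoted Identifiers Enabled',            CONVERT(nvarchar(1),  d.is_quoted_identifier_on),      N'1'),
    (N'Broker Enabled',                        CONVERT(nvarchar(1),  d.is_broker_enabled),            N'1'),
    (N'Is Read Committed Snapshot On',         CONVERT(nvarchar(1),  d.is_read_committed_snapshot_on), N'1'),
    (N'Parameterization (1 = Forced)',         CONVERT(nvarchar(1),  d.is_parameterization_forced),   N'1')
) AS v(Setting, Actual, Expected)
WHERE d.name = @DatabaseName;

-- Memory-optimized data filegroup (type FX) and its FILESTREAM container
-- (Tables 5 and 7). The catalog views are read with three-part names, so no
-- USE statement is needed; an empty result means the Configuration Wizard's
-- repair method will have to create the file and filegroup.
DECLARE @sql nvarchar(max) = N'
SELECT fg.name AS FilegroupName, fg.type_desc AS FilegroupType,
       df.type_desc AS FileType, df.physical_name
FROM ' + QUOTENAME(@DatabaseName) + N'.sys.filegroups AS fg
LEFT JOIN ' + QUOTENAME(@DatabaseName) + N'.sys.database_files AS df
       ON df.data_space_id = fg.data_space_id
WHERE fg.type = N''FX'';';
EXEC sys.sp_executesql @sql;
```

Every row marked CHECK in the first two result sets corresponds to a setting the Configuration Wizard would either adjust (collation, statistics, broker, snapshot isolation, parameterization, compatibility level) or refuse to proceed on (XTP support, SQL Server Agent); the recovery model is the one deviation the wizard only warns about, which is why its expected value is a parameter here.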