Chat now with support
Chat mit Support

Identity Manager 9.2.1 - Installation Guide

About this guide One Identity Manager overview Installation prerequisites Installing One Identity Manager Installing and configuring the One Identity Manager Service Automatic updating of One Identity Manager Updating One Identity Manager Installing additional modules for a existing One Identity Manager installation Installing and updating an application server Installing the API Server Installing, configuring, and maintaining the Web Designer Web Portal Installing and updating the Manager web application Logging in to One Identity Manager tools Troubleshooting Advanced configuration of the Manager web application Machine roles and installation packages Configuration parameters for the email notification system How to configure the One Identity Manager database using SQL Server AlwaysOn availability groups

Minimum system requirements for implementing SQL Servers as database servers

A server must meet the following system requirements for installation of a One Identity Manager database. Depending on the number of One Identity Manager modules and the accounts managed in One Identity Manager, the requirements for working memory, hard disk storage, and processors may be significantly greater than the minimum requirements.

Table 3: Minimum system requirements - database server

Processor

8 physical cores with 2.5 GHz+ frequency (non-production)

16 physical cores with 2.5 GHz+ frequency (production)

NOTE: 16 physical cores are recommended on the grounds of performance.

Memory

16 GB+ RAM (non-production)

64 GB+ RAM (production)

Hard drive storage

100 GB

Operating system

Windows operating systems

  • Note the requirements of Microsoft for the version of SQL Server you are using.

UNIX and Linux operating systems

  • Note the operating system manufacturer's minimum requirements for SQL Server databases.

Software

Following versions are supported:

  • SQL Server 2019 Standard Edition (64-bit) with the current cumulative update

  • SQL Server 2022 Standard Edition (64-bit) with the current cumulative update

NOTE: For performance reasons, the use of SQL Server Enterprise Edition is recommended for live systems.

  • SQL Server Management Studio (recommended)

NOTE: The minimum requirements listed above are considered to be for general use. With each custom One Identity Manager deployment these values may need to be increased to provide ideal performance. To determine production hardware requirements, it is strongly recommended to consult a qualified One Identity Partner or the One Identity Professional Services team. Failure to do so may result in poor database performance.

For additional hardware recommendations, read the KB article https://support.oneidentity.com/identity-manager/kb/290330/how-to-configure-settings-as-per-the-system-information-overview, which describes the overview of the system information available in One Identity Manager.

NOTE: In virtual environments, you must ensure that the VM host provides performance and resources to the database server according to system requirements. Ideally, resource assignments for the database server are fixed. Furthermore, optimal I/O performance must be provided, in particular for the database server. For more information about virtual environments, see Product Support Policies.

Related topics

Settings for the database server and the One Identity Manager database on an SQL Server

For installation and operation of a One Identity Manager database, the following database server and database settings are required:

Table 4: Database server settings

Property

Value

Comment

Language

English

Select English as the default language for database users.

Server Collation

Case insensitive

SQL_Latin1_General_CP1_CI_AS (recommended)

 

Extreme transaction processing supported (Is XTP supported)

True

One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses. The database server must support extreme transaction processing (XTP). This function is activated by default in a default installation.

The setting is tested by the Configuration Wizard before installing or updating One Identity Manager database. If XTP is not activated, the installation or update does not start.

Table 5: Database settings

Property

Value

Comment

Collation

SQL_Latin1_General_CP1_CI_AS

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Recovery model

Simple

The setting is tested by the Configuration Wizard before installing or updating One Identity Manager database. If the recovery model is not set to the value Simple, a warning is issued before installing or updating starts. You can ignore this warning.

For performance reasons, however, it is recommended you set the database to the Simple recovery model for the duration of the schema installation or update.

Compatibility level

SQL Server 2019 (150)

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Create Statistics

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Update Statistics

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Auto Update Statistics Asynchronously

False

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Arithmetic Abort enabled

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Quoted Identifiers Enabled

True

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Is Read Committed Snapshot On

True

The default setting for transactions is AutoCommit. If transactions are required, they are opened explicitly.

These settings have proven to provide the best balance between data security and performance for One Identity Manager's massive parallel processing. Other transaction modes are not supported by One Identity Manager.

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Parameterization

Forced

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Database file and date file group for memory-optimized tables

Required

One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses.

For the creation of memory-optimized tables, the following prerequisites must be met:

  • A database file with the Filestream data file type must exist.
  • A memory-optimized data filegroup must exist.

Before installation or update of the One Identity Manager database, the Configuration Wizard checks whether these requirements are fulfilled.

In the Configuration Wizard, repair methods are offered in order to create the database file and the data file group. The database file is created by the repair method in the directory of the data file (*.mdf).

Table variable deferred compilation (DEFERRED_COMPILATION_TV)

ON

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Interleaved execution (INTERLEAVED_EXECUTION_TVF)

ON

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

For more information about the named database server properties, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/view-or-change-server-properties-sql-server.

For more information about the database properties, see https://docs.microsoft.com/en-us/sql/relational-databases/databases/view-or-change-the-properties-of-a-database and https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-databases-transact-sql.

Related topics

Users and permissions for the One Identity Manager database on an SQL Server

The following users are identified for using a One Identity Manager database on an SQL Server with the granular permissions concept. User permissions at server and database level are matched to their tasks.

NOTE: If you want to switch to granular permissions when you update from 8.1.x at a later date, contact support. To access the Support Portal, go to https://support.oneidentity.com/identity-manager/.

  • Installation user

    The installation user is required for the initial setup of a One Identity Manager database using the Configuration Wizard.

    NOTE: If you want to change to the granular permissions concept when you upgrade from version 8.0.x to 9.2.1, you will also require an installation user.

  • Administrative user

    The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

  • Configuration user

    The configuration user can run configuration tasks within the One Identity Manager, for example, creating customer-specific schema extensions or working with the Designer. Configuration users need permissions at the server and database levels.

  • End users

    End users are only assigned permissions at database level in order, for example, to complete tasks with the Manager or the Web Portal.

For more information about minimum access levels for One Identity Manager tools, see the One Identity Manager Authorization and Authentication Guide.

Permissions for installation users

A SQL login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of the sysadmin server role

    This server role is only required if the database is created by the Configuration Wizard and the directories for the file must be selected in the file browser. If the files are stored in the default database server directories, permissions are not necessary.

  • Member of securityadmin server role

    This server role is required to create SQL logins.

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

  • alter any server role permissions

    The permissions are required to create the server role for the administrative user.

msdb database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Run permissions with the with grant option option for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

One Identity Manager database:

  • Member of the db_owner database role

    This database role is required for installing the schema with the Configuration Wizard in an existing database or for updating the schema.

Permissions for administrative users

During the installation of the One Identity Manager database with the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permissions

      The permissions are required to create the server role for the configuration user.

    • view any definition permissions

      The permissions are required to link the SQL logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

      The permissions are required to check connections and close these if necessary.

master database:

  • OneIMRole_<DatabaseName> database role

    • Run permissions for the xp_readerrorlog procedure

      The permissions are required to find out information about the database server's system status.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL login.

One Identity Manager database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL login.

Permissions for configuration users

During the installation of the One Identity Manager database with the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • view server state and alter any connection permissions

      The permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Run, and Create function permissions for the database

  • Config database user

    • Member of the OneIMConfigRoleDB database role

    • The database user is connected with the <DatabaseName>_Config SQL login.

Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, and Delete permissions for selected tables in the database

    • View Definition permissions for the database

    • Run and References permissions for individual functions, procedures, and types

  • User database user

    • Member of the OneIMUserRoleDB database role

    • The database user is connected with the <DatabaseName>_User login.

Tips for using integrated Windows authentication

Integrated Windows authentication can be used without restriction for the One Identity Manager Service and the web applications. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality it is strongly recommended you use SQL login.

To implement Windows authentication

  • Set up an SQL login for the user account on the database server.

  • Enter dbo as the default schema.

  • Assign the required permissions SQL login.

Requirements for a managed instance in Azure SQL Database

For more information about Azure SQL Database, refer to the Microsoft website under https://azure.microsoft.com/en-us/products/azure-sql/database/.

To manage the One Identity Manager database in a managed instance in Azure SQL Database, you require the Business critical tier.

Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen