Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.3 - Configuration Guide

About this guide One Identity Manager software architecture Customizing the One Identity Manager default configuration Customizing the One Identity Manager base configuration One Identity Manager schema basics The full-text search in One Identity Manager Localization in One Identity Manager Process orchestration in One Identity Manager
Mapping processes in One Identity Manager Setting up Job servers
The One Identity Manager Service functionality Tracking changes with process monitoring Conditional compilation using preprocessor conditions Scripts in One Identity Manager
Visual Basic .NET scripts usage Notes on using date values Tips for using PowerShell scripts Using dollar ($) notation Using base objects Calling functions Pre-scripts for use in processes and process steps Using session services Using #LD-notation Displaying messages in the user interface Referencing packages and files in scripts Script library Support for processing scripts in the Script Editor Creating and editing scripts in the Script Editor Copying scripts in the Script Editor Testing scripts in the Script Editor Testing script compilation in the Script Editor Committing and compiling script changes Overriding scripts Permissions for running scripts Editing and testing script code with the System Debugger Extended debugging in the Object Browser
One Identity Manager query language Editing the user interface
Object definitions for the user interface User interface navigation Forms for the user interface Statistics in One Identity Manager Extending the Launchpad Task definitions for the user interface Applications for configuring the user interface Icons and images for configuring the user interface Using predefined database queries
Reports in One Identity Manager Adding custom tables or columns to the One Identity Manager schema Web service integration One Identity Manager as SCIM 2.0 service provider Processing DBQueue Processor tasks Structure of the Jobservice.cfg configuration file

Specifying deferred deletion for objects

You can use deferred deletion to specify how long the objects remain in the database after deletion is triggered before they are finally removed.

  • If deferred deletion > 0 days is configured, a deferred operation is created for deletion. The objects are initially disabled. During the retention period, you have the option to restore the objects. If a deleted object is restored, the object properties are reset to their state before deletion. The objects are finally deleted when the deferred deletion time period has expired.

  • Object with deferred deletion on 0 days are deleted immediately.

Example: Deferred deletion for target systems

Deferred deletion is applied especially to target systems. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or locked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You define a deletion delay for each table. Use the following table properties:

  • Deferred deletion [days] (default): Number of days to defer the delete operation. If the value is 0, it is deleted immediately. Use this if all objects of a table are to be handled with a defined deletion delay.

  • Script (deferred deletion): Script in VB.Net syntax to determine an object-specific deferred deletion. The script overwrites the value from the Deferred deletion [days] property. For example, use the script to define different time periods for individual objects in a table, depending on certain properties.

    Example: Script for object-specific deferred deletion

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the UNSAccountB table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

Related topics

Editing table definitions

You can edit properties of custom tables. Predefined One Identity Manager schema table definitions are maintained through schema installation and only a few properties can be modified.

To edit table properties

  1. In the Designer, select the One Identity Manager schema category.

  2. Select the table and start the Schema Editor with the Show table definition task.

  3. In the Table properties view, edit the table properties.

  4. Select the Database > Save to database and click Save.

Related topics

Table definition properties

The following properties are displayed for table definitions.

Table 23: Table definition properties

Property

Description

Table

Name of the table in the data model.

Usage type

The table's usage type provides the basis for reports and the selection of tasks for daily maintenance.

Permitted values are:

  • Work tables: The table is a work table and contains transaction data.

  • Historical transaction data: The table contains transaction data to create histories.

  • Configuration: The table contains data for the system configuration.

  • Materialized data: The table contains materialized data. This is recreated through DBQueue Processor calculations.

  • Read-only data: The table contains read-only data.

  • User data: The table contains user data.

Display name (singular)

Display name for a single record in the table. Translate the given text using the button.

Display name (plural)

Displays table name The display name is used, for example, to identify the table in a database search or for error output. Translate the given text using the button.

Display template

The display template is used to specify the form in which objects will be represented, for example in the administration tool result list or in reports. Translate the given text using the button.For more information, see Templates for displaying lists.

NOTE: You do not need to enter a display template for many-to-many tables. For these tables, the viDB.DLL forms the display template from the foreign keys.

Display template (long)

Additional display template for individual tables containing the object's full name.

Hierarchy path

Enter the foreign key columns here that should be used as a basis for displaying tables hierarchically, for example, on assignment forms. For more information, see Hierarchical display of data on assignment forms.

Example:

An Active Directory user account (ADSAccount table) is typically displayed on an assignment form below its Active Directory container (UID_ADSContainer column). The Active Directory container (ADSContainer table) is, on the other hand, displayed underneath its Active Directory domain (UID_ADSDomain column). The path for the hierarchy structure is entered as follows:

Table

Hierarchy path

ADSAccount

UID_ADSContainer,UID_ADSDomain

ADSContainer

UID_ADSDomain

An alternative list for objects that do not have values in all foreign key columns can be given after a pipe (|).

Example:

(UID_ADSContainer,UID_ADSDomain|UID_ADSDomain)

Remarks

Text field for additional explanation.

Preprocessor condition

You can add preprocessor conditions to tables. The table is therefore only available together with its columns when the preprocessor condition is fulfilled. For more information, see Conditional compilation using preprocessor conditions.

Disabled by preprocessor

If a table is disabled by a preprocessor condition, the option is set by the Database Compiler. For more information, see Conditional compilation using preprocessor conditions.

Icon

Icon representing the table in the administration tool interface.

Background color

Color used to display the control for this table in the schema overview.

Export for SPML schema

This option determines whether the table should be exported for the SPML schema.

Retain in memory

Specifies whether the table contents for the data connection can be buffered. The threshold is defined in the Common | ResidentTableLimit configuration parameter.

Many-to-many table

Label for assignment tables (many-to-many tables). Assignment tables are tables used to create relations between two other tables. For more information, see Table types and default columns in the One Identity Manager data model.

Many-to-all table

Marks assignment tables, which have a dynamic foreign key as partner. For more information, see Table types and default columns in the One Identity Manager data model.

Assign by event

Specifies how assignments and deletions are handled in tables. This option only applies to assignment tables (many-to-many tables) in the application data model.

  • If the option is not set, assignments, and deletions are dealt with directly by the DBQueue Processor.

  • If the option is set, tasks for the HandleObjectComponent process component are set up in the Job queue. These tasks then carry out the relevant operations. This makes it possible to link specific processes directly to the Assign and Remove events. You must implement this behavior with a customized solution.

No process tracking

Specifies whether the table is excluded from process tracking.

Module GUID permitted

Specifies whether a primary key with a Globally Unique Identifier module (GUID module) is permitted for objects. For more information, see Working with a globally unique identifier module.

Module GUID required

Specifies whether a primary key with a Globally Unique Identifier module (GUID module) is required for objects. For more information, see Working with a globally unique identifier module.

Identity object path for table lookup support

Path to the identity object (UID_Person) for finding the identity object within the table lookup search for user accounts and email addresses. The resulting data is mapped in QBMSplittedLookup.SplittedElement. If the value no is entered, no identity can be determined for groups or BaseTree derivatives, for example.

Example:

In the case of Exchange Online mailboxes (O3EMailbox table), the identity is determined through the Microsoft Entra ID user accounts.

Enter the path to the identities object as follows: FK(UID_AADUser).UID_Person

Scope hierarchy

Comma delimited list of all foreign key columns required for displaying objects in the scope hierarchy in the Synchronization Editor. List of all columns that lead to tables made available by the parent object.

Proxy view

Reference to database view, type Proxy, which uses the table content.

Example:

The database view UNSRoot is used to map the ADSDomain and LDAPDomain tables in the Unified Namespace.

For more information, see Database views of the proxy type.

Logical disk store

The table's logical disk store. Associated tables are grouped together in logical disk stores. In the default installation, logical disk stores are predefined for the table in each module of One Identity Manager and the system tables. You cannot change the assignments. You can create your own logical disk storage for grouping custom tables. Supporting file groups

Generic API

The API Server creates a generic API for this table with which it is enabled for reading, updating, deleting, or creating.

Cache information

Loading behavior for tables in the Designer. This data is only required for system tables. Cache information for a table is composed of the sort order and loading behavior.

Permitted values are:

  • Base table: The table is loaded before the user interface.

  • User table: The table is only filled for the current user.

  • Data table: The table is loaded in the background after the user interface is loaded.

  • Proxy: The table is displayed as a view of the original table in the Designer. The data is loaded but cannot be modified.

  • Load BLOBS: Columns with larger data sets (BLOB columns) are loaded.

  • No caching: The table is not loaded in the Designer.

No DB Transport

Tables labeled with this option cannot be excluded from a custom configuration package. These tables are excluded from data transport.

Condition for transport

Condition for selecting transportable objects. An empty condition means that all object are transferred.

Single-user mode for transport

Condition determines the transferable objects that require the database to be in single user mode when they are imported. If the condition is empty, single-user mode is not required.

Deferred deletion [days]

Number of days to defer the delete operation. If the value is 0, it is deleted immediately. For more information, see Specifying deferred deletion for objects.

Script (deferred deletion)

Script in VB.Net syntax to determine an object-specific deferred deletion. For more information, see Specifying deferred deletion for objects.

Extensions to proxy view

List of columns as SQL text. These are used in the database view's SELECT statement that is selected under Proxy view. For example, use the extensions to the proxy view if columns are doubly mapped or if additional proxy view need to be filled.

Example:

The view UNSRoot expects the target system type as input in the UID_DPRNameSpace column. This column is not in the ADSDomain and LDAPDomain tables.

The proxy view extension is defined as follows:

Table

Extension to proxy view

ADSDomain

'ADS-DPRNameSpace-ADS' as UID_DPRNameSpace

LDPDomain

'LDP-DPRNameSpace-LDAP' as UID_DPRNameSpace

For more information, see Database views of the proxy type.

Type

Table type. For more information, see Table types in One Identity Manager.

Base table

Only for database views: Reference to base tables that a view is based on.

Condition for view definition

Only for database views: Limiting condition for creating the database view as WHERE clause for database queries.

Insert values

Specify default settings for a column that is assigned when a new data set is added. The values are entered in VB.Net syntax.

Selection script

Only for database views: Selection script as VB.Net expression to determine at runtime, whether the object passed belongs to this database view.

Script (OnLoaded)

Script in VB.Net syntax that is run after the object is loaded. For more information, see Table scripts.

Script (OnSaving)

Script in VB.Net syntax that is run before the object is saved. For more information, see Table scripts.

Script (OnSaved)

Script in VB.Net syntax that is run after the object is saved. For more information, see Table scripts.

Script (OnDiscarding)

Script in VB.Net syntax that is run before the object is discarded. For more information, see Table scripts.

Script (OnDiscarded)

Script in VB.Net syntax that is run after the object is discarded. For more information, see Table scripts.

Synchronization mode

Permitted directions of synchronization and handling methods for this table if synchronization is set up automatically between two One Identity Manager databases.

Columns for alternative rules

Comma delimited list of columns to be used for creating alternative object matching rules in an automatically created synchronization project. If the One Identity Manager connector cannot identify a system object through the primary object matching rule, it applies the alternative rules to determine a matching system object. For more information about this, see the One Identity Manager User Guide for the One Identity Manager Connector.

CLR type for project generator

.NET class used to consider special cases when generating a synchronization project between two One Identity Manager databases.

Number of rows

Number of rows in the table The number of rows in the table is determined once a day by maintenance tasks. The data material can help to plan capacities and maintenance work on the database.

Basic record lengths

Maximum length of the data record with (clustered) main indexes. Only the reference is saved for LOBs. The LOB content itself is stored in the HEAP. The basic record length is determined once a day by maintenance tasks. The data material can help to plan capacities and maintenance work on the database.

Table size

The size of the table in MB. The size of the table in the database is determined once a day by maintenance tasks. The data material can help to plan capacities and maintenance work on the database.

Layout information

(Only for internal use) Information about the layout in the Designer.

Primary key 1

(Only for internal use) Name of the table's first primary key column. The sort order of primary key 1 and primary key 2 corresponds to the physical order in the schema.

Primary key 2

(Only for internal use) Name of the table's second primary key column. The sort order of primary key 1 and primary key 2 corresponds to the physical order in the schema.

Related topics

Displaying the table definition Customizer

Customizers run processing logic which would normally be implemented in the object code, such as mutual exclusion of properties. Customizers contain special methods and has side effects on the table columns. Several customizers can be defined for one table.

The One Identity Manager default installation contains various customizers which provide specific behaviors.

To display the customizers for a table definition

  1. In the Designer, select the One Identity Manager schema category.

  2. Select the table and start the Schema Editor with the Show table definition task.

  3. In the Table properties view, select the Customizer tab.

Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation