Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.0 LTS - Generic Database Connector User Guide for the CData ADO.NET Provider

Generic database connector for CData ADO.NET Provider databases

With this generic database connector, you can synchronize external databases with the One Identity Manager database. One Identity Manager supports connecting to CData ADO.NET Provider databases, amongst others.

The generic database connector cannot load any random external database system data configuration. For example, custom data types and columns containing value list are not currently supported.

The generic database connection does not provide a project template for setting up synchronization. You must create synchronization configuration components (such as mappings, workflows or start up configurations) manually after the synchronization project has been saved.

In the Synchronization Editor, external database tables and columns are referenced as schema types and schema properties.

To set up synchronization with a database

  1. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  2. Provide One Identity Manager users with the required permissions for setting up synchronization and post-processing synchronization objects.

  3. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing

In the synchronization with the database connectors, there are three use cases for mapping synchronization objects in the One Identity Manager data model.

  1. Mapping custom target systems

  2. Mapping default tables (for example Person or Department)

  3. Mapping custom tables

In the case of One Identity Manager tools non role-based login, it is sufficient to add a system user in the DPR_EditRights_Methods and QBM_LaunchPad permissions groups. For more information about system users and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

Table 1: Users and permissions groups for non role-based login
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

System users in the DPR_EditRights_Methods permissions group

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

System users in the QBM_LaunchPad permissions group

  • Working with the Launchpad.

There are different steps required for role-based login, in order to equip One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.

Table 2: User and permissions groups for role-based login: Mapped as custom target system
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | Custom target systems application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

Table 3: User and permissions groups for role-based login: Default table mapping
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Custom application role

Users with this application role:

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

Table 4: Users and permissions groups for role-based login: Custom table mapping
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Application roles for custom tasks

Administrators must be assigned to the Custom | Administrators application role.

Users with this application role:

  • Administrate custom application roles.

  • Set up other application roles for managers if required.

Manager for custom tasks

Managers must be assigned to the Custom | Managers application role or a child role.

Users with this application role:

  • Add custom task in One Identity Manager.

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

You can use these application roles, for example, to guarantee One Identity Manager user permissions on custom tables or columns. All application roles that you define here must obtain their permissions through custom permissions groups.

The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

To configure synchronization projects and target system synchronization (in the use cases 2 and 3)

  1. Set up a custom permissions group with all permissions for configuring synchronization and editing synchronization objects.

  2. Assign a custom application role to this permissions group.

Detailed information about this topic

Setting up custom application roles for synchronization

For role-based login, create a custom application role to guarantee One Identity Manager users the necessary permissions for configuring synchronization and handling outstanding objects. This application role obtains the required permissions by using a custom permissions group.

To set up an application role for synchronization (use case 2):

  1. In the Manager, select the default application role to use to edit the objects you want to synchronization.

    • Establish the application role's default permissions group.

    If you want to import employee data, for example, select the Identity Management | Employees | Administrators application role. The default permissions group of this application role is vi_4_PERSONADMIN.

  2. In the Designer, create a new permissions group .

    • Set the Only use for role based authentication option.

  3. Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.

  4. Make the new permissions group dependent on the default permissions group of the selected default application role.

    Then the default permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.

  5. Save the changes.
  6. In the Manager, create a new application role.

    1. Assign the selected application role to be the parent application role.

    2. Assign the newly created permissions group.

  7. Assign employees to this application role.

  8. Save the changes.

To set up an application role for synchronization (use case 3):

  1. In the Designer, create a new permissions group for custom tables that are populated by synchronization.

    • Set the Only use for role based authentication option.

  2. Guarantee this permissions group all the required permissions to the custom tables.

  3. Create another permissions group for synchronization.

    • Set the Only use for role based authentication option.

  4. Make the permissions group for synchronization dependent on the permissions group for custom tables.

    Then the permissions group for custom tables must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.

  5. Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.

  6. Save the changes.
  7. In the Manager, create a new application role.

    1. Assign the Custom | Managers application role as the parent application role.

    2. Assign the permissions group for the synchronization.

  8. Assign employees to this application role.

  9. Save the changes.

For more information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

Setting up the synchronization server

A server with the following software must be available for setting up synchronization:

  • CData ADO.NET Provider

  • One Identity Manager Service

    • Install One Identity Manager components with the installation wizard.

      1. Select Select installation modules with existing database.

      2. Select the Server | Job Server machine role.

    For more information about system requirements for installing the One Identity Manager Service, see the One Identity Manager Installation Guide.

The synchronization server must be declared as a Job server in One Identity Manager.

Use the One Identity Manager Service to install the Server Installer. The program runs the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server function for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed. For more information about installing a workstation, see the One Identity Manager Installation Guide.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For more information about setting up Job servers, see the One Identity Manager Configuration Guide.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  1. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  2. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue to handle the process steps. Each Job server within the network must have a unique queue identifier. The process steps are requested by the Job queue using this exact queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of servers>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  1. On the Machine roles page, select Job server.

  2. On the Server functions page, select Generic database connector.

  3. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection > sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  4. To configure remote installations, click Next.

  1. Confirm the security prompt with Yes.

  2. On the Select installation source page, select the directory with the install files. Change the directory if necessary.

  3. If the database is encrypted, on the Select private key file page, select the file with the private key.

  4. On the Service access page, enter the service's installation data.

    • Computer: Enter the name or IP address of the server that the service is installed and started on.

    • Service account: Enter the details of the user account that the One Identity Manager Service is running under. Enter the user account, the user account's password and password confirmation.

    The service is installed using the user account with which you are logged in to the administrative workstation. If you want to use another user account for installing the service, you can enter it in the advanced options. You can also change the One Identity Manager Service details, such as the installation directory, name, display name, and the One Identity Manager Service description, using the advanced options.

  5. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  6. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.

Strumenti self-service
Knowledge Base
Notifiche e avvisi
Supporto prodotti
Download di software
Documentazione tecnica
Forum utente
Esercitazioni video
Feed RSS
Contatti
Richiedi assistenza sulle licenze
Supporto tecnico
Visualizza tutto
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione