The following users are identified for using a One Identity Manager database in Azure SQL Database with granular permissions concept. User permissions at server and database level are matched to their tasks.

• Installation user

  The installation user is required for the initial setup of a One Identity Manager database using the Configuration Wizard.

• Administrative user

  The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

• Configuration user

  The configuration user can run configuration tasks within the One Identity Manager, for example, creating customer-specific schema extensions or working with the Designer. Configuration users need permissions at the server and database levels.

• End users

  End users are only assigned permissions at database level in order, for example, to complete tasks with the Manager or the Web Portal.

For more information about minimum access levels for One Identity Manager tools, see the One Identity Manager Authorization and Authentication Guide.

Permissions for installation users

The server administrator set up when Azure SQL was deployed has the administrative permissions to directly install and use a One Identity Manager database. Likewise, the granulated permissions concept can be enabled by this user.

If this user cannot be used, an SQL login and database user must be provided with the following permissions.

master database:

• Member of the loginmanager database role

  The permissions are required to create the necessary database users for the administrative user.

One Identity Manager database:

• Member of the db_owner database role

  This database role is required for installing the schema with the Configuration Wizard in an existing database or for updating the schema.

Permissions for administrative users

During the installation of the One Identity Manager database with the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

• OneIMAdminRole_<DatabaseName> server role

  • alter any server role permissions

    The permissions are required to create the server role for the configuration user.

  • view any definition permissions

    The permissions are required to link the SQL logins for the configuration user and the end user with the corresponding database users.

• <DatabaseName>_Admin SQL login

  • Member of the OneIMAdminRole_<DatabaseName> server role

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

master database:

• OneIMRole_<DatabaseName> database role

  • Run permissions for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

• OneIM_<DatabaseName> database user

  • Member of the OneIMRole_<DatabaseName> database role

  • The database user is assigned to the <DatabaseName>_Admin SQL login.

One Identity Manager database:

• Admin database user

  • Member in db_owner database role

    The database role is required to update a database with the Configuration Wizard.

  • The database user is assigned to the <DatabaseName>_Admin SQL login.

Permissions for configuration users

During the installation of the One Identity Manager database with the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

• OneIMConfigRole_<DatabaseName> server role

  • view server state and alter any connection permissions

    The permissions are required to check connections and close these if necessary.

• <DatabaseName>_Config SQL login

  • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager database:

• OneIMConfigRoleDB database role

  • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Run, and Create function permissions for the database

• Config database user

  • Member of the OneIMConfigRoleDB database role

  • The database user is connected with the <DatabaseName>_Config SQL login.

Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager database with the Configuration Wizard:

SQL Server:

• <DatabaseName>_User SQL login

One Identity Manager database:

• OneIMUserRoleDB database role

  • Insert, Update, Select, and Delete permissions for selected tables in the database

  • View Definition permissions for the database

  • Run and References permissions for individual functions, procedures, and types

• User database user

  • Member of the OneIMUserRoleDB database role

  • The database user is connected with the <DatabaseName>_User login.