Requirements for the central database
The prerequisites and guidance for connecting a One Identity Manager database apply, as described in the One Identity Manager User Guide for the One Identity Manager Connector.
Prerequisites
- The central database has at least version 8.2.
- The System Synchronization Service Module (ISM) is installed in the central database.
- Even if the work and central database have the same product version, it is recommended you connect the central database through an application server and enable the required plugins. This is the only way to use the function that automatically revokes entitlements if attestation is denied.
The Attestation Module can be present in the central database, but it does not have to be. Regardless of this, attestation configuration, such as attestation policies or approval workflows, and the attestation cases themselves are not synchronized with the central database. Only the attestation results are transferred, so that they can be evaluated and processed further in the central database.
Setting up work databases
Ensure that the minimum system requirements for installing the work database are met. For more information, see the One Identity Manager Installation Guide.
To set up the work database
- Install a work database with at least version 8.2.
- Install the same modules as in the central database, including the System Synchronization Service Module.
- In addition, install the Attestation Module (ATT).
- Set up a Job server to handle SQL processes for the work database.
- To be able to use the Web Portal for attestations:
  - Install an application server.
  - Install an API Server.
  For more information, see the One Identity Manager Installation Guide.
- In the work database, set the following configuration parameters and specify the credentials to connect to the central database's application server.
  Use the same settings that are used when setting up synchronization between the central and work databases.
  - ISM | PrimaryDB | AppServer | AuthenticationString:
    Authentication data for establishing a connection using the REST API of the central database's application server.
    Syntax: Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…
    All authentication modules provided by the application server being addressed are allowed. For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.
    Recommended values are:
    - Module=DialogUser;User=<user name>;Password=<password>
    - Module=DialogUserAccountBased
    - Module=Token
      For authentication using an OAuth 2.0 access token, additionally specify ClientId, ClientSecret, and TokenEndpoint in the ConnectionString configuration parameter. For more information about OAuth 2.0/OpenID Connect authentication, see the One Identity Manager Authorization and Authentication Guide.
  - ISM | PrimaryDB | AppServer | ConnectionString:
    Connection parameters for establishing a connection using the REST API of the central database's application server.
    Syntax: Url=<application server URL>
    If Module=Token is set in the AuthenticationString configuration parameter, the following parameters are required in addition:
    - ClientId: Client ID for authentication at the token endpoint.
    - ClientSecret: Secret value for authentication at the token endpoint.
    - TokenEndpoint: URL of the token endpoint.
    Syntax: url=<application server URL>[;ClientId=<client ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>]
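The two configuration parameters above are plain key=value strings, and the Token module adds a cross-parameter rule (ClientId, ClientSecret and TokenEndpoint must then be present in ConnectionString). The following added example, which is not part of the One Identity Manager documentation or product, parses both strings, checks that rule before the values are written to the work database, and masks the Password and ClientSecret values for logging. The HTTPS check and all function names are my own additions.

```python
from typing import Dict, List, Tuple

# Parameters the page requires in ConnectionString when Module=Token is used.
TOKEN_REQUIRED = ("ClientId", "ClientSecret", "TokenEndpoint")
# Values that must never reach log output in clear text.
SECRET_KEYS = {"Password", "ClientSecret"}


def parse_kv_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key2=Value2' into a dict; empty segments are ignored."""
    result: Dict[str, str] = {}
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"segment without '=': {segment!r}")
        key, _, val = segment.partition("=")
        result[key.strip()] = val.strip()
    return result


def validate_appserver_config(auth_string: str, conn_string: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for an AuthenticationString/ConnectionString pair.

    Checks: Module is present; Url is present (the page spells it both Url and
    url, so ConnectionString keys are compared case-insensitively); Url uses
    HTTPS (an added check, since the strings carry credentials); and
    Module=Token is accompanied by ClientId, ClientSecret and TokenEndpoint.
    """
    auth = parse_kv_string(auth_string)
    conn = {k.lower(): v for k, v in parse_kv_string(conn_string).items()}
    problems: List[str] = []
    if "Module" not in auth:
        problems.append("AuthenticationString: missing Module")
    if "url" not in conn:
        problems.append("ConnectionString: missing Url")
    elif not conn["url"].lower().startswith("https://"):
        problems.append("ConnectionString: Url should use HTTPS")
    if auth.get("Module") == "Token":
        missing = [k for k in TOKEN_REQUIRED if k.lower() not in conn]
        if missing:
            problems.append("ConnectionString: Module=Token requires " + ", ".join(missing))
    return (not problems, problems)


def redact(config_string: str) -> str:
    """Mask Password and ClientSecret values so the string can be logged safely."""
    parts = [f"{k}=***" if k in SECRET_KEYS else f"{k}={v}"
             for k, v in parse_kv_string(config_string).items()]
    return ";".join(parts)
```

The sample URLs in any call are constructed; substitute the central database's real application server URL.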
Setting up synchronization between central and work databases
Synchronization between the work and central databases is handled by the One Identity Manager connector. You can configure synchronization individually and completely manually. However, to ensure that all data required for attestation is transferred to the work database and that the attestation results are returned, set up system synchronization; One Identity Manager supports you in this with the scripts provided.
System synchronization allows you to map selected application data from the central database to the work database. The synchronization configuration is generated completely automatically based on selected criteria. The synchronization project is set up on the work database.
To set up the system synchronization, proceed as described in the One Identity Manager User Guide for the One Identity Manager Connector.
To set up the system synchronization
- Provide One Identity Manager users with the necessary permissions to set up synchronization.
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
- Determine which application data to attest.
- In Designer, mark the tables and columns required for this purpose. You can use the scripts provided for this purpose.
  NOTE: The scripts select all tables and columns that contain application data to attest. If only a limited section of this application data requires attesting, you can also mark the required tables and columns manually.
- Check the automatically selected tables and columns. You can modify this selection to suit your requirements.
- Generate a synchronization project with the Synchronization Editor.
  When selecting the database system, use the same settings that are specified in the configuration parameters under ISM | PrimaryDB | AppServer.
- Start the initial synchronization.
To automatically mark the tables and columns
Run the following scripts on the given database using a suitable program for SQL queries. The scripts are located on the installation media in the ATT\dvd\AddOn\SDK\SystemSyncPreConfig directory.
- On the work database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.
  The script makes some general settings.
- On the central database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.
- On the work database, run the AttestationInAnotherOneIMDB_Part2_TableConfig.sql script.
  The script selects all the necessary tables and sets the values required in the table properties.
- On the work database, run the AttestationInAnotherOneIMDB_Part3_ColumnConfig.sql script.
  The script selects all required columns and sets the mapping direction.
- Check the selected tables and columns as well as the set properties and adjust if necessary.
NOTE:
- If you change the tables or columns to be synchronized after the synchronization project has been generated, the synchronization project will be updated automatically.
- Only the connection credentials for the connected systems may be changed manually in a generated synchronization project.
Setting up and running attestations in the work database
After you have initially loaded all the data into the work database, set up the attestation and then start it. For more information, see Attestation and recertification.
The status of completed attestation cases is stored in the attestation overview (ISMObjectAttLast table) and immediately provisioned to the central database. Subsequent processing, such as withdrawing entitlements after a denied attestation or calculating risk indexes, is carried out in the central database.
NOTE: When attestations are carried out in a work database, the risk indexes of the attested objects in the central database are calculated based on the attestation overview (ISMObjectAttLast table). Separate calculation functions are provided for this purpose.
For more information about calculating risk indexes, see the One Identity Manager Risk Assessment Administration Guide.