Chat now with support
Chat with Support

Identity Manager 8.1.5 - Native Database Connector User Guide for the CData ADO.NET Provider

Native database connector for CData ADO.NET Provider databases

With this native database connector, you can synchronize external databases with the One Identity Manager database. One Identity Manager supports connecting to CData ADO.NET Provider databases, amongst others.

The native database connector cannot load any random external database system data configuration. For example, custom data types and columns containing value list are not currently supported.

The native database connection does not provide a project template for setting up synchronization. You must create synchronization configuration components (such as mappings, workflows or start up configurations) manually after the synchronization project has been saved.

In the Synchronization Editor, external database tables and columns are referenced as schema types and schema properties.

To set up synchronization with a database

  1. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.

  2. Provide One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.

  3. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing

In the synchronization with the database connectors, there are three use cases for mapping synchronization objects in the One Identity Manager data model.

  1. Mapping custom target systems

  2. Mapping default tables (for example Person or Department)

  3. Mapping custom tables

In the case of non role-based login to One Identity Manager tools, it is sufficient to add one system user in the DPR_EditRights_Methods permissions group. For detailed information about system users and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

Table 1: Users and permissions groups for non role-based login
User Tasks

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

System users in the DPR_EditRights_Methods permissions group

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

There are different steps required for role-based login, in order to equip One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.

Table 2: User and permissions groups for role-based login: Mapped as custom target system
User Tasks

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | Custom target systems application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have an other identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

Table 3: User and permissions groups for role-based login: Mapped as default tables
User Tasks

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Custom application role

Users with this application role:

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

This application role gets its write access through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

Table 4: Users and permissions groups for role-based login: Mapped in custom tables
User Tasks

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Application roles for custom tasks

Administrators must be assigned to the Custom | Administrators application role.

Users with this application role:

  • Administrate custom application roles.

  • Set up other application roles for managers if required.

Manager for custom tasks

Managers must be assigned to the Custom | Managers application role or a child role.

Users with this application role:

  • Add custom task in One Identity Manager.

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

You can use these application roles, for example, to guarantee One Identity Manager users write permissions on custom tables or columns. All application roles that you define here must obtain their write permissions through custom permissions groups.

This application role gets its write access through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

To configure synchronization projects and target system synchronization (in the use cases 2 and 3)

  1. Set up a custom permissions group with all permissions for configuring synchronization and editing synchronization objects.

  2. Assign a custom application role to this permissions group.

Detailed information about this topic

Setting up a custom application role for synchronization

For role-based login, create a custom application role to guarantee One Identity Manager users the necessary permissions for configuring synchronization and handling outstanding objects. This application role obtains the required permissions by using a custom permissions group.

To set up an application role for synchronization (use case 2):

  1. In the Manager, select the default application role to use to edit the objects you want to synchronization.

    • Establish the application role's default permissions group.

    If you want to import employee data, for example, select the Identity Management | Employees | Administrators application role. The default permissions group of this application role is vi_4_PERSONADMIN.

  2. In the Designer, create a new permissions group.

    • Set the Only use for role based authentication option.

  3. Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    The vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.

  4. Make the new permissions group dependent on the default permissions group of the selected default application role.

    The default permissions group must be assigned as a subgroup. This means that the new permissions group inherits the properties.

  5. Save the changes.

  6. In the Manager, create a new application role.

    1. Assign the selected application role to be the parent application role.

    2. Assign the new permissions group.

  7. Assign employees to this application role.

  8. Save the changes.

To set up an application role for synchronization (use case 3):

  1. In the Designer, create a new permissions group for custom tables, which are populated though synchronization.

    • Set the Only use for role based authentication option.

  2. Guarantee this permissions group all the required permissions to the custom tables.

  3. Create another permissions group for synchronization.

    • Set the Only use for role based authentication option.

  4. Make the permissions group for synchronization dependent on the permissions group for custom tables.

    The permissions group for custom tables must be assigned as parent permissions group. This means the permissions groups for synchronization inherits its properties.

  5. Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    The vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.

  6. Save the changes.

  7. In the Manager, create a new application role.

    1. Assign the Custom | Managers application role as the parent application role.
    2. Assign the permissions group for the synchronization.

  8. Assign employees to this application role.

  9. Save the changes.

For detailed information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

Setting up the synchronization server

A server with the following software must be available for setting up synchronization:

  • CData ADO.NET Provider

  • One Identity Manager Service

    • Install One Identity Manager components with the installation wizard.

      1. Select Select installation modules with existing database.

      2. Select the Server | Job server machine role.

    For more detailed information about system requirements for installing the One Identity Manager Service, see the One Identity Manager Installation Guide.

The synchronization server must be declared as a Job server in One Identity Manager.

Use the One Identity Manager Service to install the Server Installer. The program executes the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server function for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For detailed information about setting up Job servers, see the One Identity Manager Configuration Guide.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed. For detailed information about installing a workstation, see the One Identity Manager Installation Guide.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  2. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  3. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using this unique queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of servers>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  4. On the Machine roles page, select Job server.

  5. On the Server functions page, select Native database connector.

  6. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For detailed information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection | sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  7. To configure remote installations, click Next.

  8. Confirm the security prompt with Yes.

  9. On the Select installation source page, select the directory with the install files.

  10. On the Select private key file page, select the file with the private key.

    NOTE: This page is only displayed when the database is encrypted.

  11. On the Service access page, enter the service's installation data.

    • Computer: Name or IP address of the server that the service is installed and started on.

    • Service account: User account data for the One Identity Manager Service.

      • To start the service under the NT AUTHORITY\SYSTEM account, set the Local system account option.

      • To start the service under another account, disable the Local system account option and enter the user account, password and password confirmation.

    • Installation account: Data for the administrative user account to install the service.

      • To use the current user’s account, set the Current user option.

      • To use another user account, disable the Current user option and enter the user account, password and password confirmation.

    • To change the install directory, names, display names, or description of the One Identity Manager Service, use the other options.

  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating