
Identity Manager 9.2.1 - Data Archiving Administration Guide

Permissions for the One Identity Manager History Database

Only minimal permissions are required to access the One Identity Manager History Database. There is a sample script HDB_Create_Login_User_Role.sql on the One Identity Manager installation media in the HDB\dvd\AddOn\SDK directory.

The script allows you to set up a database user with minimal permissions for read access and a database user for write access. You can use these database users when setting up the connection to One Identity Manager History Database in the TimeTrace.

Run the script with a suitable program for carrying out SQL queries on the One Identity Manager History Database.

Updating a One Identity Manager History Database

IMPORTANT: As of One Identity Manager version 9.0, One Identity Manager History Database has been significantly simplified. On the one hand, this reduces the effort required to set up and operate the database and, on the other, enables the operation of Azure SQL Databases. The History Database only provides simplified data storage. The History Database neither includes One Identity Manager modules nor system configuration data. There are no active components anymore.

When updating a History Database with a version that is older than 9.0, note the following:

  • It is recommended to install the History Database first!

  • Existing databases are still supported for querying archived data in TimeTrace and reports. These databases do not need to be migrated.

  • If you still want to migrate an existing History Database, ensure that all features, procedures, tables, and views that are not in the following list are deleted by the History Database migration:

    HistoryChain, HistoryJob, ProcessChain, ProcessGroup, ProcessInfo, ProcessStep, ProcessSubstitute, RawJobHistory, RawProcess, RawProcessChain, RawProcessGroup, RawProcessStep, RawProcessSubstitute, RawWatchOperation, RawWatchProperty, SourceColumn, SourceDatabase, SourceTable, WatchOperation, WatchProperty

    Save any custom extensions before migrating.

NOTE: Read the release notes for possible differing or additional steps for updating a One Identity Manager History Database.

To update a One Identity Manager History Database to a newer version

  1. Update the administrative workstation, on which the One Identity Manager History Database database schema update will be started. For more information about updating an administrative database, see the One Identity Manager Installation Guide.

  2. Make a backup of the One Identity Manager History Database.

  3. Run the One Identity Manager History Database schema update.

    • Start the Configuration Wizard on the administrative workstation.

      Select a user who has at least administrative permissions for the One Identity Manager database to update the One Identity Manager schema with the Configuration Wizard.

      • Use the same user that you used to initially install the schema.

      • If you created an administrative user during schema installation, use that one.

      • If you selected a user with Windows authentication to install the schema, you must use the same one for updating.

  4. On the Configuration Wizard home page, select the Update database option and click Next.

  5. On the Select database page, select the database and installation directory.

    1. Select the database connection in the Select a database connection pane. Select a user who at least has administrative permissions for the One Identity Manager database.

    2. In the Installation source pane, select the directory with the installation files.

  6. Other users with existing connections to the database are displayed on the Active sessions page.

    • Disconnect the connections in order to start database processing.

  7. The installation steps are shown on the Processing database page. Installation and configuration of the database are automatically carried out by the Configuration Wizard.

    TIP: Set Advanced to obtain detailed information about processing steps and the migration log.

  8. On the last page of the Configuration Wizard, click Finish.

Declaring a One Identity Manager History Database in the TimeTrace

Declare the One Identity Manager History Database to be used for transferring data to the One Identity Manager in the TimeTrace. The One Identity Manager Service service ensures the data is transferred from the One Identity Manager database to the One Identity Manager History Database.

NOTE: Any number of One Identity Manager History Databases can be used for analyzing historical data in the TimeTrace and in reports. One Identity Manager History Databases in the current format are supported, and older formats are also supported in read-only mode.

NOTE: Only one One Identity Manager History Database can be used as a destination for data transfer at a time. All other databases are read-only.

There are different ways to establish a connection to a One Identity Manager History Database:

Connecting a One Identity Manager History Database through an application server

Declare the One Identity Manager History Database to be used for transferring data to the One Identity Manager in the TimeTrace. Use the Designer to set up access to the One Identity Manager History Database.

Prerequisites for connecting a One Identity Manager History Database through an application server
  • Declaring the One Identity Manager History Database in the TimeTrace requires an ID.

  • An ID for the One Identity Manager History Database connection is entered in the application server’s configuration file (web.config).

    • Enter a unique ID for each One Identity Manager History Database.

    • The ID must be entered in all application servers that can be used by users to log in to the Manager.

    • The ID must be entered for the application server that the One Identity Manager Service uses to connect.

  • The Manager and the Web Portal use the application server to log in. Otherwise the evaluation of the data changes in TimeTrace or in reports is not possible.

  • To generate and send report subscriptions and reports by email that show changes to data, there must be a Job server set up over an application server.

    For more information about setting up a Job server and about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.

To link a One Identity Manager History Database into a TimeTrace

  1. Use the Designer to log in to the One Identity Manager database.

  2. In the Designer, select the Base Data > General > TimeTrace databases category.

  3. Select the Object > New menu item.

  4. Ensure that the Use ID from application server option is set.

  5. In History database name, enter the name of the One Identity Manager History Database.

  6. In the Connection parameter (read) field, enter the ID for connecting to the One Identity Manager History Database.

    The ID must match the ID in the application server’s configuration file.

  7. On the One Identity Manager History Database, where the data from the One Identity Manager database will be archived:

    1. Enable the Current transport target option.

    2. In the Connection parameter (transport) field, enter the connection parameters for connecting to the One Identity Manager History Database.

  8. Select the Database > Commit to database menu item and click Save.

NOTE: Set the Disabled option to disable the connection at a later time. If a One Identity Manager History Database is disabled, it is not taken into account when determining change data in the TimeTrace.

To configure an ID in the application server for connecting to the One Identity Manager History Database

  • During installation of the application server, enter the ID for connecting to the One Identity Manager History Database.

  • To connect a One Identity Manager History Database at a later date, enter the ID for connection in the application server’s configuration file (web.config) in the <connectionStrings> section.

    Example:

    <connectionStrings>

    ...

    <add name="<History Database ID>" connectionString="Data Source=<database server>;Initial Catalog=<database name>;User ID=<database user>;Password=<password>"/>

    ...

    </connectionStrings>

NOTE: The connection credentials in the application server’s configuration file are encrypted with the default Microsoft ASP.NET encryption. If you want to change the connection credentials later, you must decrypt them first and then encrypt them again afterward. Use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) to decrypt and encrypt.

Example calls:

Decrypting: aspnet_regiis.exe -pdf connectionStrings <path to web application in IIS>

Encrypting: aspnet_regiis.exe -pef connectionStrings <path to web application in IIS>
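
After changing credentials, the section has to be encrypted again, and a web.config left in the decrypted state exposes the History Database password to anyone who can read the file. The following PowerShell check is an added example, not part of the product or its documentation; the function name Test-ConnectionStringsProtection, the sample IDs and both sample documents are constructed for illustration.

```powershell
# Added example. Function name and sample data are assumptions, not product code.
function Test-ConnectionStringsProtection {
    param([Parameter(Mandatory)][xml]$Config)   # parsed web.config content

    # local-name() keeps the XPath working if the file declares a default namespace
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    if ($null -eq $section) {
        return [pscustomobject]@{ Status = 'NoSection'; Provider = ''; PlaintextIds = @() }
    }

    # A protected section names its provider and holds an <EncryptedData> element
    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")

    # Clear-text entries: <add> elements whose connectionString carries a password
    $plaintext = @(
        $section.SelectNodes("*[local-name()='add']") |
            Where-Object { $_.GetAttribute('connectionString') -match '(?i)\b(password|pwd)\s*=' } |
            ForEach-Object { $_.GetAttribute('name') }
    )

    if ($provider -and $encrypted)  { $status = 'Encrypted' }
    elseif ($plaintext.Count -gt 0) { $status = 'PlaintextCredentials' }
    else                            { $status = 'NoCredentialsFound' }
    [pscustomobject]@{ Status = $status; Provider = $provider; PlaintextIds = $plaintext }
}

# Constructed samples: a clear-text section and a protected one (all values are placeholders)
$clear = @'
<configuration>
  <connectionStrings>
    <add name="HDB-SAMPLE-ID" connectionString="Data Source=dbhost.example;Initial Catalog=HDB;User ID=hdb_read;Password=PLACEHOLDER"/>
  </connectionStrings>
</configuration>
'@
$protected = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>
'@
Test-ConnectionStringsProtection -Config $clear
Test-ConnectionStringsProtection -Config $protected
# Real file: Test-ConnectionStringsProtection -Config (Get-Content -Raw '<path to web application in IIS>\web.config')
```

A Status of PlaintextCredentials together with the listed IDs means the section still needs the encrypting call shown above.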
