
Identity Manager 9.2.1 - Configuration Guide


Column definition properties

Table 27: Column properties
Property Description

Table

Name of the table to which the column belongs.

Column

Name of the column in the data model.

Display name

Language-dependent column name for displaying in the administration tools user interface. Translate the given text using the button.

Comment

Additional information about the column. The comment is displayed under the help function for a column in the individual administration tools. Translate the given text using the button.

Disabled by preprocessor

If a column is disabled by a preprocessor condition, the option is set by the Database Compiler. For more information, see Conditional compilation using preprocessor conditions.

Preprocessor condition

You can add preprocessor conditions to columns. The column is therefore only available when the preprocessor condition is fulfilled. For more information, see Conditional compilation using preprocessor conditions.

NOTE: In the Designer, you can find an overview of existing preprocessor dependencies in the One Identity Manager Schema > Preprocessor dependencies category.

Sort order

The sort order specifies the position for displaying the column on the generic form and the custom tabs of the default form. Columns with a value less than 1 are not displayed on the forms. For more information, see Displaying custom columns and tables on main data forms.

Group

Group is used to display the column on general main data forms. A new tab is created for each group on the generic form. For more information, see Displaying custom columns and tables on main data forms.

Base column

If a database view has the View table type, the reference to the column in the base table is entered here. For more information, see Database views of the View type.

Example:

The Department database view is based on the BaseTree base table. The columns of the BaseTree table are entered as base columns.

Column                       Base column
Department.DepartmentName    BaseTree.Ident_Org
Department.Description       BaseTree.Description

Adjustment of permitted values list is not allowed

Specifies whether permitted values can be customized for this column. For more information, see Permitted column values.

Defined list of values

Marks whether the value in this column must either correspond to one of the values in the List of permitted values or be empty. For more information, see Permitted column values.

List of permitted values

If a column is enabled for editing the permitted values (that is, the Adjustment of permitted values list is not allowed option is not set and the Defined list of values option is set), you can add to or extend the value list. For more information, see Permitted column values.

Customizing bitmask is not allowed

Specifies whether the bitmask can be customized for this column. For more information, see Defining bitmasks.

Defined bitmask

Meaning of each bit position if the column contains a bitmask. The first bit in the definition starts with the index 0. For more information, see Defining bitmasks.

Sort criteria of bitmask

Sort criteria for displaying the values. You have the following options:

  • Bit position: Sort by position.

  • Display: Sort by display value.

For more information, see Defining bitmasks.
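The following Python snippet is an added example, not code from the One Identity Manager product or its documentation. It models a defined bitmask as a mapping from bit index (starting at 0, as described above) to display text, decodes a stored value under either sort criterion, and reports bits that the definition does not describe; the bit definition and the sample values are constructed for the example.

```python
# Added example (not One Identity Manager code): decoding and validating a value
# stored in a column that has a defined bitmask, with the two sort criteria the
# column definition offers. The bit definition and sample values are constructed.
from typing import Dict, List, Tuple

# Constructed definition: bit index -> display text. As in the schema, the first
# bit has index 0 (the least significant bit).
SAMPLE_BITMASK: Dict[int, str] = {
    0: "Read",
    1: "Write",
    2: "Delete",
    3: "Administer",
}


def decode_bitmask(value: int, definition: Dict[int, str],
                   sort_by: str = "position") -> List[Tuple[int, str]]:
    """Return the (bit index, display text) pairs whose bit is set in value.

    sort_by selects the sort criterion: "position" orders by bit index,
    "display" orders by the display text (case-insensitively).
    """
    if value < 0:
        raise ValueError("bitmask values are non-negative integers")
    if sort_by not in ("position", "display"):
        raise ValueError(f"unknown sort criterion: {sort_by!r}")
    set_bits = [(bit, text) for bit, text in definition.items() if value & (1 << bit)]
    if sort_by == "position":
        set_bits.sort(key=lambda pair: pair[0])
    else:
        set_bits.sort(key=lambda pair: pair[1].casefold())
    return set_bits


def encode_bitmask(texts: List[str], definition: Dict[int, str]) -> int:
    """Inverse of decode_bitmask: build the integer value from display texts."""
    by_text = {text: bit for bit, text in definition.items()}
    value = 0
    for text in texts:
        if text not in by_text:
            raise KeyError(f"{text!r} is not part of the defined bitmask")
        value |= 1 << by_text[text]
    return value


def undefined_bits(value: int, definition: Dict[int, str]) -> List[int]:
    """Bit indexes set in value that the definition does not describe.

    A stored value with such bits cannot be displayed meaningfully, so a
    consistency check over the column should report them.
    """
    return [bit for bit in range(value.bit_length())
            if value & (1 << bit) and bit not in definition]


if __name__ == "__main__":
    stored = encode_bitmask(["Read", "Write", "Administer"], SAMPLE_BITMASK)  # 11
    print(decode_bitmask(stored, SAMPLE_BITMASK))
    print(decode_bitmask(stored, SAMPLE_BITMASK, sort_by="display"))
    print(undefined_bits(0b10101, SAMPLE_BITMASK))  # bit 4 is not defined
```

The undefined_bits check is the one worth running over real data after a bitmask definition has been customized: a value written before a bit was removed from the definition keeps that bit set, and the user interface can no longer show what it means.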

Multilingual

Specifies whether this column can be given in multiple languages.

Permitted values are:

  • Translation target: The column content is displayed in translation.

  • Translation source: The column supplies the translation.

  • #LD content: The column has contents in #LD notation. The contents are extracted for translation.

  • Without text memory fallback: The text store is not used as fallback for the column.

The combination of values determines the resulting translation.

For more information, see Flagging columns for translation.

Syntax

Syntax type of data in this column. The syntax type is used to give One Identity Manager tools the appropriate syntax highlighting or input assistance.

Permitted syntax types are:

  • HTML: Input in HTML format.

  • Picture: Images.

  • SQL.Query: Full database queries.

  • SQL.Special: Special syntax for database queries.

  • SQL.WhereClause: WHERE clause for database queries.

  • Text.Dollar: Input in $ notation.

  • UNC: UNC path.

  • URL: URL.

  • VB.Class: Full VB.Net class definitions.

  • VB.Instruction: VB.Net statements in the form Value =.

  • VB.Method: Single methods or functions in VB.Net.

  • XML: Input in XML format.

  • ConnectionString: Input as a connection string.

  • JSON: Input in JSON format.

  • Color: Input of color codes.

Number of decimal places

Number of decimal places used to display values. For more information, see Defining decimal places for displaying values.

Date add-on

Additional information about displaying date and time in One Identity Manager tools.

Index weighting

Column weighting in indexing. Used for indexing the full-text search. Increasing weighting results in a higher position in the search results.

If the value is less than or equal to 0, no indexing takes place. If the value is greater than 0, the data value is indexed. Columns to be indexed are assigned a weighting of 1 in the default installation.

For more information, see Configuring columns for full-text search.

Data type in database

Shows the .Net data type for the column. This is used internally and cannot be edited. The .Net data types are mapped internally to SQL data types. If no value is given, the data type is taken from the database schema.

The .Net data types and their mapped SQL data types are:

.Net data type    Mapped SQL data type
Binary            varbinary, timestamp
Bool              bit
Date              datetime
Double            float
Int               int
Long              bigint
String            nvarchar/varchar/nchar
Text              nvarchar/varchar

Maximum size in DB

Maximum column length in the database schema.

Minimum size in DB

Minimum column length in the database schema.

Primary key

The primary key is given when the database is created.

UID column

Specifies whether this is a UID column. This option is only permissible for columns with the String .Net data type and a length of 38 characters.

Default value

Specifies whether a default value is defined by a template for this column.

BLOB value

This option is used to label text columns whose data content is so large that it cannot be kept internally in one row in SQL Server and is therefore saved as a reference. This allows speedier access to the data.

Log changes

Specifies whether changes to this column are logged. For more information, see Logging data changes.

Log changes when deleting

Specifies whether the column is to be logged when an object is deleted. For more information, see Logging data changes.

Export for SPML schema

Specifies whether the column is to be exported for the SPML schema.

Not for export (XML export)

This column is not exported in data transports. The property is taken into account when data is transported between databases.

Not for import (XML import)

This column is not imported in data transports. The property is taken into account when data is transported between databases.

MVP column

This column is a multi-valued-property (MVP) containing individual value entries that are separated by char(7) or chr(7).

Multi-value specification

You can specify additional requirements on the values of an MVP column. You have the following options:

  • Unique: Set this option if the value must be unique.

  • Case sensitive: Set this option if the case sensitivity should be taken into account when the value is tested.

  • Accent insensitive: Set this option if accent characters should not be taken into account when the value is tested.

For more information, see Specifying requirements for MVP columns.
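As an added example (not One Identity Manager code), the Python below splits an MVP column value on the char(7) separator and checks the Unique requirement under the Case sensitive and Accent insensitive options described above; the MvpSpec class and the sample entries are constructed for the illustration.

```python
# Added example (not One Identity Manager code): splitting an MVP column value on
# the char(7) separator and checking the Unique / Case sensitive / Accent
# insensitive requirements described for multi-value specifications.
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Tuple

MVP_SEPARATOR = chr(7)  # the separator named for MVP columns


@dataclass(frozen=True)
class MvpSpec:
    """Constructed model of the multi-value specification options."""
    unique: bool = False
    case_sensitive: bool = False
    accent_insensitive: bool = False


def split_mvp(raw: str) -> List[str]:
    """Split the stored column value into its individual entries."""
    return raw.split(MVP_SEPARATOR) if raw else []


def join_mvp(values: List[str]) -> str:
    """Build the stored column value; entries must not contain the separator."""
    for value in values:
        if MVP_SEPARATOR in value:
            raise ValueError("an MVP entry cannot contain the separator character")
    return MVP_SEPARATOR.join(values)


def comparison_key(value: str, spec: MvpSpec) -> str:
    """Normalize one entry according to the spec so equal keys mean 'same value'."""
    key = value
    if spec.accent_insensitive:
        # Decompose into base character + combining marks, then drop the marks.
        key = "".join(ch for ch in unicodedata.normalize("NFD", key)
                      if not unicodedata.combining(ch))
    if not spec.case_sensitive:
        key = key.casefold()
    return key


def mvp_violations(raw: str, spec: MvpSpec) -> List[Tuple[int, str]]:
    """Return (index, entry) pairs that repeat an earlier entry under the spec.

    An empty list means the value satisfies the specification. Without the
    Unique option nothing is checked.
    """
    if not spec.unique:
        return []
    first_seen: Dict[str, int] = {}
    violations: List[Tuple[int, str]] = []
    for index, entry in enumerate(split_mvp(raw)):
        key = comparison_key(entry, spec)
        if key in first_seen:
            violations.append((index, entry))
        else:
            first_seen[key] = index
    return violations


if __name__ == "__main__":
    sample = join_mvp(["Müller", "Mueller", "muller", "MÜLLER"])  # constructed
    print(mvp_violations(sample, MvpSpec(unique=True)))
    print(mvp_violations(sample, MvpSpec(unique=True, accent_insensitive=True)))
    print(mvp_violations(sample, MvpSpec(unique=True, case_sensitive=True)))
```

The same four entries pass or fail depending only on which options are set, which is why the combination matters for columns that feed identity matching: a uniqueness rule that is case sensitive and accent sensitive accepts values that look identical to a person reviewing them.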

Multiline

Specifies whether the column contents can have multiple lines. Columns that are labeled with this option are displayed on a generic form with multiline input fields.

Permissions not issued automatically

For custom columns in a predefined table, permissions are not automatically assigned to predefined permissions groups, even though the Common | AutoExtendPermissions configuration parameter is set.

Column contains description

One column with a description can be labeled with this option per table. The description is only displayed on user interface assignment controls.

Contains name properties for password check

Specifies whether the column contains name properties. Depending on the password policy configuration, columns with name properties may be included in the password check. For more information about password policies, see the One Identity Manager Operational Guide.

Column contains hierarchy information

One column which maps hierarchy information in readable form can be labeled with this option per table. The column is used to map the hierarchy to the user interface assignment controls.

Part of primary key

This column is part of the primary key.

Part of alternative primary key

Alternative primary keys are already specified in the default version, but the definition can be customized. Alternative primary keys are used for data transport amongst other things.

Part of the key of a many-to-all table

Identifier of the foreign key of a many-to-all table. The foreign key and the dynamic foreign key of a many-to-all table are identified with this option.

Show in wizards

Specifies whether the column is offered in the Rule Editor for compliance rules to create queries and in the Web Portal to display tabular overviews.

Recursive key

Specifies whether this column references a parent object. This input is needed for displaying hierarchical tables.

Example:

In the ADSContainer table, the UID_ParentADSContainer column contains the reference to the parent Active Directory container. The UID_ParentADSContainer column is labeled with this option in order to display this hierarchical link on forms.

Encrypted

Specifies whether the value in this column is encrypted. When the database is encrypted, the value in this column is encrypted.

NOTE: If you set this option on database columns, you must encrypt the database again. For more information about database encryption, see the One Identity Manager Installation Guide.

Dynamic foreign key

Dynamic foreign keys refer to the object key in other tables. The object key comprises the table name and the values of the primary key of the actual object. Permitted tables can be limited. All tables are permitted, if there are no restrictions. For more information, see Dynamic foreign key.

No log

Specifies whether the column content is recorded in logs. For example, in the One Identity Manager Service log.

Proxy view column

If the column is used in a database view of the Proxy type, the corresponding column is entered in the view. For example, the column ADSDomain.DisplayName is mapped in the UNSRoot view to column RootObjectDisplay. For more information, see Database views of the proxy type.

Table Lookup Support

Each value in these columns is prepared for fast table lookup support. The search is also supported for single values in MVP columns. The internal mapping of prepared data is done in the QBMSplittedLookup table.

Permitted values are:

  • Central user account (CentralAccount)

  • Email address (EMail)

You can extend the list of permitted values and customize the results.

  • In the Designer, flag columns containing a user account name with the Central user account value in the Table lookup support property.

  • In the Designer, flag columns containing an email address with the Email address value in the Table lookup support property.

The functionality can be used, for example, for finding a unique central user account or a unique default email address for an identity. In the default installation, columns that are taken into account when the central user account or an email address is mapped are labeled with this property. The results are shown in the QERCentralAccount and QERMailAddress database views.

Remarks (custom)

Text field for additional explanation.

Custom template/formatting not permitted

Specifies whether the column's default configuration, such as templates, formatting, minimum length, maximum length, and column format, can be changed by the user.

Max. length

Maximum length of the column. If the value is equal to 0, the length from the database schema is used.

Minimum Length

Minimum length of the column. For columns that are displayed as required input fields in the administration tools user interface, set the minimum length to 1 or higher.

Column format

Specify the format permitted for value in this column. For more information, see Using predefined formatting types.

You can control the permitted format for the column with formatting types and formatting scripts.

Overwrites

Specifies whether the template can overwrite or not. If this option is set, the value template is always applied. If the option is not set, the value template is only applied when the column is empty. For more information, see Editing value templates.

Template

Template script. Write the script in VB.Net syntax. This allows all VB.Net script functions to be used. For more information, see Editing value templates.

Threshold (stop)

Limit for the number of objects changed directly by a template. Once this limit has been reached, processing is stopped with an error message. For more information, see Restricting performance of value templates.

NOTE: If a stop threshold value is specified, it must be larger than the threshold for asynchronous processing.

Threshold (asynchronous)

Limit for the number of objects changed directly by a template. Once this limit has been reached, processing takes place synchronously with the One Identity Manager Service. For more information, see Restricting performance of value templates.

No automatic truncation by template

Specifies whether the value is automatically truncated to the maximum column length if the maximum length is exceeded when applying a template. If this option is enabled, the value is not automatically truncated to the maximum column length. For more information, see Editing value templates.

Formatting script

Formatting script for the column. The formatting script for checking values is written in VB.Net syntax, which allows usage of all VB.Net script functions.

Visibility script

Script for conditionally displaying columns in One Identity Manager tools. For more information, see Scripts for conditionally displaying and editing columns.

Editability script

Script for conditionally editing columns in One Identity Manager tools. For more information, see Scripts for conditionally displaying and editing columns.

Foreign key

The column references an object in another table.

Average column length

This information is determined once a day by the maintenance tasks. The data can help with planning capacities and maintenance work on the database.

Template changed

(Only for internal use) This indicates that the template was changed.

No DB Transport

Columns labeled with this option cannot be excluded from a custom configuration package. These columns are excluded from data transport.

Mapping direction

Specifies the mapping direction that is applied to this column when synchronizing between two One Identity Manager databases. For more information, see the One Identity Manager User Guide for the One Identity Manager Connector.

Synchronization information

Additional information required for synchronization that is evaluated by the One Identity Manager connector.

  • Not relevant for synchronization: The column is not displayed in the Synchronization Editor.

  • Has unique value: The column contains a unique value.

  • Has conditional default value: The column contains a value that is formatted automatically under certain conditions, for example by a customizer.

  • Has a default value: The column contains a value that is formatted automatically, for example by a formation rule.

  • Conditional mandatory column: The column is a mandatory column under certain conditions, for example if the value is checked by triggers.

  • Mandatory column: The column is a mandatory column.

  • Multi-value sort order is significant: When identifying rogue modifications, the order of the values of multi-value schema properties is taken into account.

For more information, see the One Identity Manager Target System Synchronization Reference Guide.


Table relations

As you can see from the One Identity Manager data model, parent/child relations exist between objects. If an object is processed by the One Identity Manager object layer, all foreign key (FK) objects that are related to this object can be accessed. Use VB.Net notation to access objects by way of these relations.

Figure 11: Parent/child relation using the example of a person ADSAccount

NOTE: You can always edit table relations of custom tables. The table relations supplied with the default tables can only be edited if the referential integrity has been tested using the object layer.

To edit table relations

1. In the Designer, select the One Identity Manager Schema category.

2. Select the table and start the Schema Editor with the Show table definition task.

3. Under Table relations, select the table relation and edit the properties in the Relation properties view.

4. Select the Database > Commit to database menu item and click Save.

Table 28: Table relation properties
Property Description

Display name

Language-dependent relation name for displaying in the administration tools' user interface.

Only transport as group

Specifies whether the contents of the table should be transferred together with the contents of the referenced table during data transports. You can combine the values. Permitted values are:

  • No value: Dependencies are not taken into account.

  • CR direction: The table relations are labeled with the values CR direction and FK direction. Superset handling is carried out.

  • FK direction: All objects referenced by a foreign key are also exported. Superset handling is carried out.

  • Ignore in superset handling: Referenced objects that are in the target system but not included in the transport package are not deleted.

Example:

When a process is transported (JobChain table), the process steps (Job table), the events (JobEventGen and QBMEvent tables), and the process step parameters (JobRunParameter table) should also be transported. This should happen whether the process, a single process step, or a process step parameter is transferred to a transport package. The table relations are labeled with the values CR direction and FK direction.

The parameter templates (JobParameter table) that are used in the process step parameters (JobRunParameter table) must not be transferred during the transport. These table relations are not labeled with a value.

Update dependencies modification date

When many-to-many entries are added, changed, or deleted, the value in the XDateSubItem column of the associated parent entries is updated. This is required for provisioning memberships in the target system.

Export for SPML schema

Specifies whether the table is to be exported for the SPML schema.

Parent object in Job queue

Specifies whether the parent object is added to the list of objects affected by a process. This can prevent the parent object from being processed simultaneously more than once.

Parent column

Unique parent column identifier.

Configurable parent relation

Specifies whether referential integrity can be configured.

Parent relation test instance

Specifies who runs these referential integrity tests. Permitted values are:

  • DLL: Checks through the object layer.

  • Trigger: Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension.

  • Nothing: No test.

Parent relation constraint

Constraint on the relation. Permitted values are:

  • Delete: Dependencies are not taken into account on deletion.

  • Delete Cascade: All dependent objects are deleted when this object is deleted.

  • Delete Restrict: The object can only be deleted when no more references to other objects exist.

  • Delete Set NULL: When deleting the object, references to the object being deleted are removed from all dependent objects (SetNULL).

Generated restriction test for parent relation

Identifier for triggers and constraints that are automatically generated by the DBQueue Processor.

Connected column

Unique connected column identifier.

Configurable child relation

Specifies whether referential integrity can be configured.

Child relation test instance

Specifies who runs these referential integrity tests. Permitted values are:

  • DLL: Checks through the object layer.

  • Trigger: Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension.

  • Nothing: No test.

Child relation constraint

Constraint on the relation. Permitted values are:

  • Insert: Dependencies are not taken into account on insertion.

  • Insert Restrict: Checks for the referenced object when the object is added.

Generated restriction test for child relation

Identifier for triggers and constraints that are automatically generated by the DBQueue Processor.

Relation ID

Relation identifier. This is used for both directions.

M:N relation

Specifies whether the child relation can be reached by a many-to-many relation.

Table relation

Unique identifier for the table relation.

Relation (base)

Link to the underlying base relation if a view is part of the relation.

Relation (M:N)

Unique identifier for the M:N relation.


Dynamic foreign key

Dynamic foreign keys are used if a reference can point to different tables. For example, the manager of a user account (the <MMM>Account.ObjectKeyManager column) can be another user account (<MMM>Account table) or a group (<MMM>Group table).

Dynamic foreign keys reference the object key (XObjectKey) of the permitted tables. Permitted tables can be limited. All tables are permitted if there are no restrictions. Restrictions are stored in the DialogValidDynamicRef table.

If you are defining custom dynamic foreign keys, at least one of the participating partners (dynamic foreign key column or referenced table) must be a custom object. It is not possible to extend predefined dynamic foreign keys by adding references to predefined tables.
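The Python below is an added example, not One Identity Manager code, illustrating the points above together with the parent relation constraints listed in Table 28: it parses an object key into table name and primary key, checks the table against a constructed stand-in for the DialogValidDynamicRef restrictions, and replays the Delete, Delete Cascade, Delete Restrict and Delete Set NULL behaviours over an in-memory store. The <Key><T>…</T><P>…</P></Key> layout of the object key, the VALID_DYNAMIC_REF mapping, the Store class and all rows are assumptions made for the example.

```python
# Added example (not One Identity Manager code): validating a dynamic foreign key
# against a permitted-table list and applying the delete constraints listed for
# table relations to an in-memory stand-in for the database. The object key
# layout, the restriction table and all rows are constructed assumptions.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple


# Assumed object key layout: the object key comprises the table name and the primary
# key values; this example encodes them as <Key><T>table</T><P>pk</P></Key>.
def build_object_key(table: str, pk: str) -> str:
    return f"<Key><T>{table}</T><P>{pk}</P></Key>"


def parse_object_key(key: str) -> Tuple[str, str]:
    """Return (table, primary key) from an object key; reject anything malformed."""
    root = ET.fromstring(key)
    table, pk = root.findtext("T"), root.findtext("P")
    if root.tag != "Key" or not table or not pk:
        raise ValueError(f"not an object key: {key!r}")
    return table, pk


# Constructed stand-in for the DialogValidDynamicRef restrictions: dynamic foreign
# key column -> tables it may reference. A column with no entry is unrestricted.
VALID_DYNAMIC_REF: Dict[str, Set[str]] = {
    "ADSAccount.ObjectKeyManager": {"ADSAccount", "ADSGroup"},
}


def reference_permitted(column: str, key: str,
                        restrictions: Dict[str, Set[str]] = VALID_DYNAMIC_REF) -> bool:
    """True when the key's table is allowed for this dynamic foreign key column."""
    table, _ = parse_object_key(key)
    allowed = restrictions.get(column)
    return allowed is None or table in allowed


class ReferentialIntegrityError(Exception):
    pass


class Store:
    """Tiny in-memory model: rows[table][pk] = {column: object key or value}."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, Dict[str, Optional[str]]]] = {}

    def insert(self, table: str, pk: str, **columns: Optional[str]) -> None:
        self.rows.setdefault(table, {})[pk] = dict(columns)

    def referrers(self, key: str) -> List[Tuple[str, str, str]]:
        """(table, pk, column) of every row whose column holds the given key."""
        return [(t, p, c) for t, rows in self.rows.items()
                for p, row in rows.items() for c, v in row.items() if v == key]

    def delete(self, table: str, pk: str, constraint: str) -> None:
        """Delete a row under one of the parent relation constraints from Table 28."""
        key = build_object_key(table, pk)
        refs = [r for r in self.referrers(key) if (r[0], r[1]) != (table, pk)]
        if constraint == "Delete Restrict" and refs:
            raise ReferentialIntegrityError(f"{key} is still referenced by {refs}")
        if constraint == "Delete Cascade":
            for t, p, _ in refs:
                if p in self.rows.get(t, {}):  # may already be gone via recursion
                    self.delete(t, p, constraint)
        elif constraint == "Delete Set NULL":
            for t, p, c in refs:
                self.rows[t][p][c] = None
        elif constraint not in ("Delete", "Delete Restrict"):
            raise ValueError(f"unknown constraint: {constraint!r}")
        # Plain "Delete": dependents are left untouched and now hold a dangling key.
        del self.rows[table][pk]


def sample_store() -> Store:
    """Constructed data: acc2 is managed by acc1 through the dynamic foreign key."""
    store = Store()
    store.insert("ADSAccount", "acc1", ObjectKeyManager=None)
    store.insert("ADSAccount", "acc2",
                 ObjectKeyManager=build_object_key("ADSAccount", "acc1"))
    store.insert("ADSGroup", "grp1")
    return store
```

Running the four constraints over sample_store() shows the difference that matters when reviewing a custom relation: Delete Restrict refuses to remove a still-referenced manager, Delete Set NULL clears the reference in the dependent row, Delete Cascade removes the dependent row as well, and plain Delete leaves a reference pointing at an object that no longer exists.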

To display a dynamic foreign key

1. In the Designer, select the One Identity Manager Schema category.

2. Select the table and start the Schema Editor with the Show table definition task.

  Dynamic foreign keys are displayed under Dynamic table relations.

To define a dynamic foreign key

1. In the Designer, select the One Identity Manager Schema category.

2. Select the table and start the Schema Editor with the Show table definition task.

3. Select the column and then the Column properties view.

4. On the Miscellaneous tab, enter the following information:

  1. Enable the Dynamic foreign key option.

  2. If the dynamic key is part of a many-to-all table, enable the Part of key of many-to-all table option.

5. On the Valid reference tables tab, click next to the Dynamic referenced tables menu and enter the following information:

  Table 29: Properties of dynamic foreign keys
  Property Description

  Table

  Select the table in which the object key is to be found.

  Parent relation constraint

  Constraint on the relation. Permitted values are:

    • Delete: Dependencies are not taken into account on deletion.

    • Delete Cascade: All dependent objects are deleted when this object is deleted.

    • Delete Restrict: The object can only be deleted when no more references to other objects exist.

    • Delete Set NULL: When deleting the object, references to the object being deleted are removed from all dependent objects (SetNULL).

  Parent relation test instance

  Specifies who runs these referential integrity tests. Permitted values are:

    • DLL: Checks through the object layer.

    • Trigger: Triggers and constraints are implemented to monitor the database.

  Child relation constraint

  Constraint on the relation. Permitted values are:

    • Insert: Dependencies are not taken into account on insertion.

    • Insert Restrict: Checks for the referenced object when the object is added.

  Child relation test instance

  Specifies who runs these referential integrity tests. Permitted values are:

    • DLL: Checks through the object layer.

    • Trigger: Triggers and constraints are implemented to monitor the database.

  Only transport as group

  The column content is always transported together with the content of the referenced column.

  Parent object in Job queue

  Specifies whether the parent object is added to the list of objects affected by a process. This can prevent the parent object from being processed simultaneously more than once.

6. Select the Database > Commit to database menu item and click Save.


Supporting file groups

One Identity Manager supports file groups to group tables together to help with administration, data assignment, and data distribution. A distinction is made between logical disk stores and physical disk stores.

In the default installation, logical disk stores are predefined for the tables in each module of One Identity Manager and for the system tables. You cannot change these assignments. You can create your own logical disk stores for grouping custom tables.

To define logical storage for custom tables

1. In the Designer, select the One Identity Manager Schema > Logical disk stores category.

2. Select the Object > New menu item.

3. Enter a name and description for the logical storage.

4. Assign custom tables to the logical disk store.

5. Select the View > Select table relations menu item and enable the DialogTable table. This shows the Tables tab for assigning tables.

You can link logical storage with physical storage - the file groups - in the One Identity Manager schema.

If, for example, tables with identity data and tables with Active Directory content are created on different data storage media, performance can be improved by parallel access through separate I/O controllers. Performance can also be improved if, for example, tables for processing DBQueue Processor tasks or tables for handling processes are grouped together in file groups.

NOTE: You cannot move the following tables into other file groups. If you do so, proper functioning of the One Identity Manager database cannot be guaranteed.

  • DialogColumn

  • DialogTable

  • DialogValidDynamicRef

  • QBMDBQueueTask

  • QBMDBQueueTaskDepend

  • QBMModuleDef

  • QBMModuleDepend

  • QBMRelation

  • QBMViewAddOn

  • QBMDiskStoreLogical

  • QBMDiskStorePhysical

One Identity Manager supports the distribution of tables to file groups with a number of database procedures that you run in a suitable program for running SQL queries against the database.

WARNING: Only carry out the following steps for implementing file groups together with an experienced database administrator.

Ensure that the database cannot be accessed while file groups are being set up, for example, by the Job server, application server, web server, user interfaces, or the Web Portal. After restarting the DBQueue Processor, wait for all DBQueue tasks to be processed before reconnecting the database.

IMPORTANT: Run the SQL queries as the user that you use for migrating the database.

To distribute tables to file groups under SQL Server

1. Create your file groups. For more information, see the documentation for your currently installed version of SQL Server.

2. Synchronize the file groups to the One Identity Manager database. Run the query below using a suitable program for carrying out SQL queries in the database.

  exec QBM_PDiskStorePhysicalSync

3. In the Designer, assign physical storage to logical storage.

  1. In the Designer, select the One Identity Manager Schema > Logical disk stores category.

  2. Select the logical disk store and, in the Properties view, select the file group under Physical disk store.

  3. Select the Database > Commit to database menu item and click Save.

4. Disable processing of DBQueue Processor tasks and process handling. Run the queries below using a suitable program for carrying out SQL queries in the database.

  exec QBM_PWatchDogPrepare 1

  exec QBM_PDBQueuePrepare 1

5. Move the tables into the configured file groups. Run the query below using a suitable program for carrying out SQL queries in the database.

  exec QBM_PTableMove

6. Reactivate the DBQueue Processor. Run the queries below using a suitable program for carrying out SQL queries in the database.

  exec QBM_PDBQueuePrepare 0,1

  exec QBM_PWatchDogPrepare
