The basis for the One Identity Manager structure is classic 3-tier architecture. However, in One Identity Manager the object layer (business logic) is shared. This allows a high performance gain because processing can be separated in time and location.
The database represents the One Identity Manager kernel. It fulfills the main tasks, which are managing data and calculating inheritance. Object properties can be inherited along the hierarchical structures, such as, departments, cost centers, location or business roles. In the case of data management, the database maps the managed target systems, ERP structures as well as the compliance rules and access permissions.
The database is separated into two logical parts, payload and metadata. The payload contains all the information required for maintaining data, such as information about employees, user accounts, groups, memberships and operating data, approval workflows, attestation, recertification and compliance rules.
The metadata contains descriptions of the payload, such as scripts for formatting rules and value templates or specific interaction. One Identity Manager's entire system configuration, all the front-end control settings and the queues for asynchronous processing of data and processes are also part of the metadata.
Recalculation of inheritance is started by the database trigger logic. The triggers queue processing tasks in a task list called the "DBQueue". The DBQueue Processor processes these tasks and recalculates inheritance of the respective database objects. The table "Jobqueue" is used for storing processing tasks that are run from the object layer.
The database systems SQL Server or Oracle Database can be implemented.
The object layer enables object-oriented access to the database data. The VI.DB.DLL creates entities for objects and collections. Entities use external session services to load (EntitySource) and save (UnitOfWork) data objects. Save operations are grouped so that several data objects can be saved in bulk. There are default events (Insert, Update, Delete) available for each object which can be generated after saving.
Each entity is assigned one or more processing logic routines (EntityLogic). These group together operations that can be carried out on an entity. Unique Customizers have been developed for different entities. A Customizer is one EntityLogic, which provides defined behavior for one entity. Customizers execute processing logic that would otherwise have to be implemented in the object code, such as mutual exclusion of properties.
A value template can be assigned to each of the generated object’s properties. Templates are implemented for generating user data or for transforming values. You can use templates to fill object properties with default values or to form property values from other properties of the same or other objects.
One Identity Manager uses so-called 'processes' for mapping business processes. A process consists of process steps, which represent processing tasks and are joined by predecessor/successor relations. This functionality allows flexibility when linking up actions and sequences on object events. Processes are modeled using process templates. A process generator (Jobgenerator) is responsible for converting the script templates in processes and process steps into a concrete process in the 'Job queue'.
The server service "One Identity Manager Service" ensures distribution in the network of data managed in the One Identity Manager database. The One Identity Manager Service performs data synchronization between the database and any connected target systems and executes actions at the database and file level. The One Identity Manager Service retrieves process steps from the JobQueue. Process steps are executed by process components. One Identity Manager Service also creates an instance of the required process component and passes the parameters to the process step. Decision logic monitors the execution of the process steps and determines how processing should continue depending on the results of the executed process components. The One Identity Manager Service enables parallel processing of process steps because it can create several instances of process components.
The One Identity Manager Service is the only One Identity Manager component authorized to make changes in the target system.
Strictly speaking, the One Identity Manager Service is part of the object layer because it does not contain any business logic. The One Identity Manager Service provides help for realizing asynchronous processing.
Figure 1: One Identity Manager Object Layer
The presentation layer consists of front-ends that are used for data input and output. There are different front-ends for different tasks. For example, a different front-end is used for configuring One Identity Manager than for managing employee data. The contents to be displayed and the extent to which they can be altered are determined by the object layer in conjunction with the access rights of the respective user. Available front-end solutions are client and browser based.
Clients connect to an application server storing business logic. The application server provides a connection pool for accessing the database and ensures a secure connection to the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved.
Clients can alternatively work without external application servers, by keeping the object layer themselves and accessing the database layer directly. In this case, only the part of the object layer required for the acquisition process is mapped in the clients.
Browser-based user interfaces are implemented by an application running on a web server that is based on a web page render engine. Users use a web browser to access the website that has been dynamically set up and customized for them. Data exchange between database and web server can take place directly or through the application server.
Figure 2: Layer Distribution with Application Server
Figure 3: Layer Distribution without Application Server
The object-oriented access to tables and data sets takes place through the One Identity Manager object layer.
Figure 4: Access to Tables and Data Sets
The following applies to this:
Objects and collections are mapped through entities. Entities execute database operations using the following default methods:
When an object is loaded, all the columns are loaded. When a collection is loaded, not all the columns are loaded; on the grounds of performance, only the primary key, all columns in the display template and the information whether an object is marked for deletion are loaded. Defined display templates specify how each collection object is displayed in the front-end. Defaults for each table's display template are stored in the One Identity Manager schema and can be customized.
Furthermore, each object knows the following default events that can be generated as a result of saving:
Processes can be linked to these events that execute actions in different target systems, for example, to add user accounts, add a home directory on a server or write data to the One Identity Manager database.
| Front-end Action | Object State | Event on Saving | Database Action |
|---|---|---|---|
| Insert an object. | Object does not exist. | Insert | UID is created, object is added to the database. |
| Change properties. | Object exists in the database and is loaded. | Update | Object properties are changed. |
| Delete object. | Object exists in the database and is loaded. | Delete | Depends on the "Marked for deletion" property (see below). |

For objects with the property "Marked for deletion" (XMarkedForDeletion):
Objects without the property "Marked for deletion" are deleted immediately.
All actions in One Identity Manager are executed over the object layer and saved in the One Identity Manager database. Each change to an object (insert, change, delete) is executed within a transaction. Generating the processes is also a fixed part of such a transaction. The transaction can only be completed successfully if the changes are saved and the processes have been generated successfully. If errors occur within the transaction, the entire transaction is rolled back.
The following is an example of how an object is inserted in One Identity Manager.
Take the following steps in the front-end:
Properties that depend on this object are filled by templates. Side effects implemented in the Customizer are applied, such as exclusion of certain properties.
After saving the object in the front-end, the following steps are executed in the object layer:
The following figure shows the flow of data when an object is inserted.
Figure 5: Dataflow Inserting an Object
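The save semantics described above (the event raised on saving, properties filled by value templates, processes generated into the job queue, and rollback of both the data change and the generated processes when process generation fails) as an added Python model of the insert flow; this is an illustrative example, not VI.DB.DLL or One Identity Manager code, and the table name, template and process step names are constructed for it.

```python
import uuid
from dataclasses import dataclass

@dataclass
class Entity:
    table: str
    values: dict
    uid: str = ""                # set on Insert, like the UID column in the table
    loaded: bool = False         # True once the object exists in the database

class Database:
    def __init__(self):
        self.rows = {}           # (table, uid) -> column values
        self.job_queue = []      # generated process steps (stands in for the JobQueue)

def apply_templates(entity, templates):
    """Value templates fill empty properties from other properties of the object."""
    for column, template in templates.get(entity.table, {}).items():
        if not entity.values.get(column):
            entity.values[column] = template(entity.values)

def generate_processes(entity, event, process_templates):
    """The process generator turns the event's process template into concrete steps."""
    steps = []
    for step in process_templates.get((entity.table, event), []):
        needed = step.get("requires")
        if needed and not entity.values.get(needed):
            raise ValueError(f"process step {step['name']} needs property {needed}")
        steps.append({"step": step["name"], "table": entity.table, "uid": entity.uid})
    return steps

def save(db, entity, templates, process_templates, delete=False):
    """One transaction: the data change and the generated processes commit together."""
    rows_before, queue_before, uid_before = dict(db.rows), list(db.job_queue), entity.uid
    try:
        if delete:
            event = "Delete"
            del db.rows[(entity.table, entity.uid)]   # no XMarkedForDeletion handling here
        else:
            apply_templates(entity, templates)
            event = "Update" if entity.loaded else "Insert"
            if event == "Insert":
                entity.uid = uuid.uuid4().hex
            db.rows[(entity.table, entity.uid)] = dict(entity.values)
        db.job_queue.extend(generate_processes(entity, event, process_templates))
        entity.loaded = not delete
        return event
    except Exception:
        db.rows, db.job_queue, entity.uid = rows_before, queue_before, uid_before
        raise
```

The rollback branch is the point to watch: if the row were committed while the process step was lost, the database and the target system the One Identity Manager Service provisions would silently diverge.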
The Designer is the main configuration component in One Identity Manager. The program offers an overview of the entire One Identity Manager data model. It enables the configuration of global system settings, for example, languages or configuration parameters, as well as customizing the user interfaces of the various administration tools. It also allows the permissions structure for the various administrative tasks of users and user groups to be consolidated. Another important task is the definition of workflows that technically map the administration procedures in the company.
NOTE: The general functionality of One Identity Manager tools is described in the One Identity Manager User Guide for One Identity Manager Tools User Interface and Default Functions. Only additional Designer functions are described in the following.