
Identity Manager 8.0 - Configuration Guide


Mapping Dynamic Foreign Keys

You can use dynamic foreign keys if a reference is able to point to different tables. For example, a user account's manager (column ADSAccount.ObjectKeyManager) can be another user account (table ADSAccount) or a group (table ADSGroup).

Dynamic foreign keys reference the object key (XObjectKey) of the permitted tables. The permitted tables can be limited; if there are no restrictions, all tables are permitted. Restrictions are stored in the table DialogValidDynamicRef.

To edit dynamic foreign keys

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the column and set the option Dynamic foreign key on the More tab.
  4. If the dynamic key is part of a many-to-all table, set the option Part of the key of a many-to-all table.
  5. Click next to Dynamic referenced tables and enter the following information under Valid reference tables:

    Table 105: Properties for Dynamic Foreign Keys

    | Property | Description |
    |---|---|
    | Table | Tables to use for determining the object key. |
    | Only transport as group | The contents of the column are always transferred together with the contents of the referenced column. |
    | Parent relation constraint | Relation constraint, for example, IR - Insert Restrict, DC - Delete Cascade. |
    | Parent relation test instance | This referential integrity should be checked by D - DLL, T - Trigger or N - Nothing. Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. |
    | Child relation constraint | Relation constraint, for example, IR - Insert Restrict, DC - Delete Cascade. |
    | Parent relation test instance | This referential integrity should be checked by D - DLL, T - Trigger or N - Nothing. Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. |

Table 106: Permitted Restrictions for Testing Referential Integrity

| Restriction | Meaning |
|---|---|
| DeleteNotRestricted (D) | Dependencies are not taken into account on deletion. |
| DeleteRestrict (DR) | The object can only be deleted when no more references to other objects exist. |
| DeleteCascade (DC) | All dependent objects are deleted when this object is deleted. |
| DeleteSetNULL (DS) | All links to other objects are deleted when the object is deleted (SetNULL). |
| InsertNotRestricted (I) | Dependencies are not taken into account on insertion. |
| InsertRestrict (IR) | Checks for the referenced object when the object is added. |
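
The following sketch is an added example, not One Identity Manager code. It models how a dynamic foreign key value is checked against the permitted tables on insert (IR) and how the delete restrictions from Table 106 act on referencing rows. The object key layout `<Key><T>…</T><P>…</P></Key>`, the function names and all sample data are assumptions made for the illustration.

```python
import re

# Assumed key layout (not shown on the page): <Key><T>table</T><P>primary key</P></Key>
KEY_RE = re.compile(r"<Key><T>(\w+)</T><P>([^<>]+)</P></Key>")

# Constructed sample data: primary keys per table and one restriction entry,
# standing in for the rows of DialogValidDynamicRef.
OBJECTS = {"ADSAccount": {"acc-1", "acc-2"}, "ADSGroup": {"grp-1"}, "Person": {"per-1"}}
PERMITTED = {("ADSAccount", "ObjectKeyManager"): {"ADSAccount", "ADSGroup"}}


def object_key(table, pk):
    """Build an object key in the assumed layout."""
    return f"<Key><T>{table}</T><P>{pk}</P></Key>"


def check_insert(table, column, key):
    """InsertRestrict (IR): accept the key only if it points to an existing
    object in a permitted table. No restriction entry means all tables."""
    match = KEY_RE.fullmatch(key or "")
    if not match:
        return "rejected: malformed object key"
    ref_table, ref_pk = match.groups()
    permitted = PERMITTED.get((table, column))
    if permitted and ref_table not in permitted:
        return f"rejected: {ref_table} is not a permitted table"
    if ref_pk not in OBJECTS.get(ref_table, set()):
        return "rejected: referenced object does not exist"
    return "ok"


def delete_referenced(key, rows, column, constraint):
    """Apply a delete restriction to the rows whose column holds key.
    Returns (deletion allowed, rows afterwards)."""
    hits = [r for r in rows if r[column] == key]
    if constraint == "DR" and hits:
        return False, rows                 # DeleteRestrict: still referenced
    if constraint == "DC":                 # DeleteCascade: dependents go too
        rows = [r for r in rows if r[column] != key]
    elif constraint == "DS":               # DeleteSetNULL: links are cleared
        rows = [{**r, column: None} if r[column] == key else r for r in rows]
    return True, rows                      # "D": references are left as they are
```

With DeleteNotRestricted (D) the referencing rows keep a key that no longer resolves, which is why the test instance (DLL or trigger) matters for columns that carry access-relevant references such as a manager.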

Column Dependencies for Setting Values

There may be dependencies between individual values, for example, by using value templates or customizers that require values to be set in a specific order. In the case of administration tools the correct order is enforced through blocking or releasing input fields. In the case of data import and when using SPML and web service interfaces, the correct order for setting values also has to be safeguarded.

The following data sources are evaluated, in this sequence, to determine the order for setting values:

  1. Customizer

    The dependencies between columns and an object are stored in customizers.

  2. Custom dependencies

    To create a custom definition of dependencies between columns, select a table column in the Schema Editor and specify a predecessor for the column under Dependencies.

  3. Column dependencies due to value templates

    In this case, values used by a template (for example Person.Firstname, Person.Lastname) are set before values that are created by a template (for example Person.CentralAccount).

If circular dependencies occur while determining the order for setting the values, they are broken at the point of lowest priority.
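
The ordering described above can be sketched as follows. This is an added example, not One Identity Manager code: it assumes that a cycle is resolved by dropping the dependency that comes from the lowest-ranked source, with the ranking taken from the sequence of the list above. The column Person.CustomProperty01 and the circular dependency are constructed sample data.

```python
PRIORITY = {"customizer": 0, "custom": 1, "template": 2}   # lower = higher priority

def find_cycle(edges):
    """Return the edges of one dependency cycle, or [] if there is none."""
    succ, state = {}, {}          # state: 1 = on the DFS stack, 2 = finished
    for edge in edges:
        succ.setdefault(edge[0], []).append(edge)

    def visit(node, path):
        state[node] = 1
        for edge in succ.get(node, []):
            if state.get(edge[1]) == 1:          # back edge closes a cycle
                full = path + [edge]
                start = next(i for i, e in enumerate(full) if e[0] == edge[1])
                return full[start:]
            if edge[1] not in state and (found := visit(edge[1], path + [edge])):
                return found
        state[node] = 2
        return []

    for node in list(succ):
        if node not in state and (found := visit(node, [])):
            return found
    return []

def set_order(deps):
    """deps: (predecessor, successor, source) tuples -> (order, dropped deps)."""
    columns = list(dict.fromkeys(col for dep in deps for col in dep[:2]))
    edges, dropped = list(deps), []
    while cycle := find_cycle(edges):
        weakest = max(cycle, key=lambda e: PRIORITY[e[2]])   # lowest priority
        edges.remove(weakest)
        dropped.append(weakest)
    waiting = {col: sum(1 for e in edges if e[1] == col) for col in columns}
    order, ready = [], [col for col in columns if waiting[col] == 0]
    while ready:                                  # Kahn's topological sort
        col = ready.pop(0)
        order.append(col)
        for pre, post, _ in edges:
            if pre == col:
                waiting[post] -= 1
                if waiting[post] == 0:
                    ready.append(post)
    return order, dropped

# Constructed sample: the template dependencies from the text plus a
# hypothetical custom column that creates a circular dependency.
DEPS = [("Person.Firstname", "Person.CentralAccount", "template"),
        ("Person.Lastname", "Person.CentralAccount", "template"),
        ("Person.CentralAccount", "Person.CustomProperty01", "custom"),
        ("Person.CustomProperty01", "Person.CentralAccount", "template")]
```

An import or web service client that sets values in the returned order writes Person.Firstname and Person.Lastname before Person.CentralAccount; the dropped list shows which dependency was given up to resolve the cycle.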


Configuring Columns for Full-Text Search

Full-text searching uses an external search index, which returns an object key as result. The object key is used to run a search query in the database. This database search query takes the permissions of the logged in user into account during the search. A maximum of 1000 objects can be returned through the search index.

The One Identity Manager full text search can be used in the Web Portal and in the Manager.

  • The prerequisite for using full text search is an application server installed with the search service.
  • If you run the Web Portal directly over an application server installed with the search service, you can use the full text search immediately.
  • If you are working with the Web Portal and an application server without a search service installed or with a direct database connection, you will need to enter an application server with a search service in the Web Portal configuration file. Full text search is available in the Web Portal once this has been done.
  • To use full text search in the Manager, you must run the Manager over an application server with an installed search service.

For more detailed information about installing on an application server and configuring the Web Portal for full text search, see the One Identity Manager Installation Guide.

The following applies to configuring columns for full text search:

  • Columns for full text searching must be weighted. The higher the weighting, the higher the position in the search results. Columns for full text search are predefined with "1" in the default installation.

    Example:

    The column Person.CentralAccount has a weighting value of "1". The column "ADSAccount.SAMAccountName" is weighted with "0.5". This results in the employee being listed before the user account in the full text search.

  • Only columns with the data types "string" or "text" can be added to the full text search.
  • Table columns with the usage type "work tables" or "historic transaction data" cannot be added in the full text search.

The search service indexes the following:

  • Column content
  • Foreign key column display value
  • Display values for lists of permitted values
  • Translation for every active language
  • Object display value, if the table's primary key column is configured for full text search

    The object's display value comes from the display pattern defined for the table. The display value's weighting comes from the table's primary key column weighting.

    Example:

    The column Person.UID_Person is configured for full text search. The display pattern of the table Person is defined as %InternalName% (%CentralAccount%). This indexes the display value "Clara Harris (CLARAH)" for employee "Clara Harris".

The search index is updated when changes are made to a table with indexed columns, to referenced tables or to translations.

Certain important columns are already indexed for full text search in the default installation. You can configure more columns for full text search if required.

To configure a column for full text search

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the column and edit the property Index weighting.
    • If the value is less than or equal to "0", no indexing takes place.
    • If the value is greater than "0", the data value is indexed.

For more detailed information about using the full text search, see the One Identity Manager Web Portal User Guide and the One Identity Manager User Guide for One Identity Manager Tools User Interface and Default Functions.


Mapping Table Relations

As you can see from the One Identity Manager data model, parent/child relations exist between objects. When an object is processed by a One Identity Manager DLL, all ForeignKey (FK) objects that are related to this object can be accessed. Use VB.Net notation to access objects using relations.

Figure 21: Parent/Child Relation using the Example of an Employee ADSAccount

The tables and columns are stored in the table QBMRelation. Predefined relations of the One Identity Manager data model are maintained through schema installation and cannot be edited apart from a few exceptions.

A connector’s tooltip shows the table relations in the schema overview (menu item Options | Data model). This tooltip contains the name of the tables that are related to it and the table relation properties. A single mouse click on the connector opens the table relation properties in the edit view.

Figure 22: Graphical Representation of Table Relations in the

NOTE: Custom table relations are always editable. Table relations supplied with the default tables can only be edited if the referential integrity has been tested using the DLL.

IMPORTANT: Use the program, "Schema Extension" to extend the One Identity Manager data model. Schema extensions are added to the database using "Schema Extension" and the necessary extensions are made in the One Identity Manager data model.

To edit table relations

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the table relation and edit the properties.

Table 107: Table Relation Properties

| Property | Meaning |
|---|---|
| Display name | Language dependent relation for displaying in the administration tool's user interface. |
| Only transport as group | In the case of data transport, the contents of tables are always transferred together with the contents of the tables that are referenced. For example, the tables JobChain, Job and JobRunParameter. |
| Update dependencies modification date | When many-to-many entries are added, changed or deleted, the value in the XDateSubItem column in one of the parent entries is updated. Required for provisioning memberships in the target system. |
| Export for SPML schema | This option determines whether the table relation should be exported for the SPML schema. |
| Parent column | Unique parent column identifier. |
| Configurable parent relation | Specifies whether referential integrity can be configured. |
| Parent relation test instance | Specifies how referential integrity is tested: through DLL, Trigger or Nothing. Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension. |
| Parent relation constraint | Constraint on the relation, for example, IR - Insert Restrict. |
| Generated restriction test for parent relation | Abbreviation for triggers and constraints generated automatically by the DBQueue Processor. |
| Connected column | Unique connected column identifier. |
| Configurable child relation | Specifies whether referential integrity can be configured. |
| Child relation test instance | Specifies how referential integrity is tested: through DLL, Trigger or Nothing. Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension. |
| Child relation constraint | Relation restriction, for example, IR - Insert Restrict. |
| Generated restriction test for child relation | Abbreviation for triggers and constraints generated automatically by the DBQueue Processor. |
| Relation ID | Relation identifier. This is used for both directions. |
| M:N relation | Can the relation be reached using a many-to-many relation? |
| Table relation | Unique identifier for table relation. |
| Relation (base) | Link to underlying base relation, assuming a view is part of the relation. |
| Relation (M:N) | Unique identifier for the M:N relation. |

Table 108: Permitted Restrictions for Testing Referential Integrity

| Restriction | Meaning |
|---|---|
| DeleteNotRestricted (D) | Dependencies are not taken into account on deletion. |
| DeleteRestrict (DR) | The object can only be deleted when no more references to other objects exist. |
| DeleteCascade (DC) | All dependent objects are deleted when this object is deleted. |
| DeleteSetNULL (DS) | All links to other objects are deleted when the object is deleted (SetNULL). |
| InsertNotRestricted (I) | Dependencies are not taken into account on insertion. |
| InsertRestrict (IR) | Checks for the referenced object when the object is added. |