Supporting File Groups
One Identity Manager supports file groups to group tables together to help with administration, data assigning and data distribution. One Identity Manager differentiates between logical storage and physical storage.
In the default installation, logical disk stores are predefined for the table in each module of the One Identity Manager and the system tables. You cannot change the assignments. You can create your own logical disk storage for grouping custom tables.
To define logical storage for custom tables
- Select the category One Identity Manager Schema | Logical disk stores in the Designer.
- Select Object | New in the menu.
- Enter a name and description for the logical storage.
- Assign custom tables to the logical disk store.
-
Select the menu item View | Select table relations... and enable the table DialogTable. This shows the tab Tables for assigning tables.
You can link logical storage with physical storage - the file groups - in the One Identity Manager schema. If file groups are created on different data medium, you can use parallel accessing to enhance the performance of tables with high change rates. An example of this is tables for processing DBQueue Processor tasks or table for process handling.
|
|
NOTE: You cannot move the following groups into other file groups, otherwise proper functioning of the One Identity Manager database cannot be guaranteed.
|
One Identity Manager supports distribution of table to file groups using a set of database procedures, which you an run in the database using a suitable query tool.
|
|
WARNING: Only carry out the following steps for implementing file groups, together with an experienced database administrator. Ensure that the database cannot be access while file groups are being set up, for example, by the Job server, application server, web server, user interfaces, Web Portal. After reactivating the DBQueue Processor, wait until all DBQueue tasks have been processed before you allow new database connections. |
To distribute tables to file groups under SQL Server
- Create your file groups. For detailed information about this, see the documents for your currently installed version of SQL Server.
- Synchronize the file groups in the One Identity Manager database. Run the following query in the database using a suitable query tool.
exec QBM_PDiskStorePhysicalSync
- Assign physical storage to logical storage in the Designer.
- Select the category One Identity Manager Schema | Logical disk stores in the Designer.
- Select the logical disk store and select the file groups under Physical disk store.
-
Save the changes to the database using Database | Commit to database....
- Disable processing of DBQueue Processor tasks and process handling. Run the following query in the database using a suitable query tool.
exec QBM_PWatchDogPrepare 1
exec QBM_PDBQueuePrepare 1
- Move the tables into the configured file groups. Run the following query in the database using a suitable query tool.
exec QBM_PTableMove
- Reactivate the DBQueue Processor. Run the following query in the database using a suitable query tool.
exec QBM_PDBQueuePrepare 0,1
exec QBM_PWatchDogPrepare
To distribute tables to tablespaces under Oracle Database
- Create your tablespaces and make them available for use by One Identity Manager database users. For detailed information about this, see the documents for your currently installed version of Oracle Database.
- Synchronize the tablespaces in the One Identity Manager database. Run the following query in the database using a suitable query tool.
begin QBM_GCommon2.PDiskStorePhysicalSync(); end;
- Assign physical storage to logical storage in the Designer.
- Select the category One Identity Manager Schema | Logical disk stores in the Designer.
- Select the logical disk store and select the tablespace under Physical disk store.
-
Save the changes to the database using Database | Commit to database....
- Disable processing of DBQueue Processor tasks and process handling. Run the following query in the database using a suitable query tool.
begin QBM_GWatchDog.PPrepare(1); end;
begin QBM_GDBQueue.PDBQueuePrepare(1); end;
- Move the tables (including LOBs ad indexes) to the configured tablespaces. Run the following query in the database using a suitable query tool.
begin QBM_GCommon2.PTableMove(); end;
- Reactivate the DBQueue Processor. Run the following query in the database using a suitable query tool.
begin QBM_GDBQueue.PDBQueuePrepare(0); end;
begin QBM_GWatchDog.PPrepare(0); end;
Granting One Identity Manager Schema Permissions
Granting One Identity Manager Schema Permissions
Permissions for accessing tables and columns of the One Identity Manager schema are themselves mapped in the schema through permissions groups. Permissions groups can be assigned to system users and application roles.
The user's effective permissions depend on the authentication module used for logging into One Identity Manager tools.
- The permissions assigned to the system user are found from the permissions groups for logging into One Identity Manager tools with an authentication module that expects a defined system user.
- Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the employee memberships in the One Identity Manager application roles are determined during login. Assignments of permissions group to One Identity Manager application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups that will be used for the employee’s login.
The system user's effective permissions that are found are not saved in the One Identity Manager schema, but are determined when logging into One Identity Manager tools and then they are loaded.
Permissions groups are also used to control access to parts of the user interface, such as, menu items, forms, tasks and program functions. When a user logs into the One Identity Manager tools, menus, forms and methods are loaded depending on the system user's permissions groups, displaying a user interface customized for this system user.
The One Identity Manager provides permissions groups and system users with a predefined user interface and edit permissions to the One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Use predefined permissions groups and system users as templates for your own permissions groups and system users.
Detailed information about this topic
- Predefined Permissions Groups and System Users
- Editing Permissions Groups and System Users
- Editing Permissions for One Identity Manager Schema Tables and Columns
- Rules for Finding Valid Permissions for Tables and Columns
- Availability of Certain Functionality
- Displaying Permissions for an Object
- Displaying the Current User's Permissions
Related Topics
- Working with the User Interface
- One Identity Manager Authentication Module
-
For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.
Predefined Permissions Groups and System Users
One Identity Manager supplies system users and permissions groups with predefined user interfaces (menu items, forms, tasks, program functions) and special access permissions for One Identity Manager schema tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Use predefined permissions groups and system users as templates for your own permissions groups and system users.
|
|
NOTE: It is recommend that you set up your own system users and permissions groups whose user interface and access permissions are specially designed to meet the requirements of the administrative tasks. |
| Permissions Group | Description | ||
|---|---|---|---|
|
Permissions group "QBM_BaseRights" |
The permissions group "QBM_BaseRights" defines the basic permissions that are sufficient for logging a system user in to the administration tools. This permissions group is always assigned implicitly. | ||
|
Permissions group "VI_View" |
The permissions group "VI_View" owns viewing permissions to all table and columns of the One Identity Manager application data model.
| ||
| Permissions group "VI_Everyone" |
The permissions group "VI_everyone" is assigned user interface form elements, which uses links to the corresponding menu items. These permissions groups also provide functions for Web Portal users.
| ||
|
Permissions groups for the One Identity Manager application data model |
Permissions groups have edit permissions for One Identity Manager application data model tables and columns. These permissions groups are equipped with menu items, forms, tasks and program functions which allows the application data to be edited with the Manager. | ||
|
Permissions groups for the One Identity Manager system data model |
These permissions groups have permissions for the One Identity Manager system data model tables and columns. These permissions groups are equipped with menu items, forms, tasks and program functionality which allows the application data to be edited, for example, with Designer editors. The permissions group "vid" has all the edit permissions for configuring the system with the Designer. | ||
| Role-based permissions group "VI_4_ALLUSER" |
The role-based permissions group "VI_4_ALLUSER" provides basic permissions such as menu items, forms, methods and program functions in order to edit application data with the Manager and the Web Portal. This permissions group is always assigned implicitly. | ||
| Role-based permissions group "vi_4_ADMIN_LOOKUP" |
The permissions group "VI_4_ADMIN_LOOKUP" has viewing permissions for all tables and columns of the One Identity Manager application data model.
| ||
|
Role-based permissions groups |
Role-based permissions groups have edit permissions for One Identity Manager application data model tables and columns. These permissions groups are equipped with menu items, forms, tasks and program functionality which allow the application data to be edited with the Manager and Web Portal. These permissions groups are linked to the One Identity Manager application roles and simplify administration of access permissions in the One Identity Manager role model. |
| System user | Description | ||
|---|---|---|---|
| Dynamic system user | Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the employee memberships in the One Identity Manager application roles are determined during login. Assignments of permissions group to One Identity Manager application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups that will be used for the employee’s login. | ||
| System User "sa" | The system user "sa" is exclusively user by One Identity Manager Service. This system user is not allocated a permissions groups but has all access permissions, tasks and program functionality. | ||
|
System User "viadmin" |
The system user "viadmin" is the default system user for the One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.
The system user "viadmin" has all the permissions predefined by and the entire user interface. The system user "viadmin" also implicitly has all the permissions and user interface components from custom permissions groups. The system user "viadmin" has permissions to set up an employee as One Identity Manager administrator for role-based login. The system user is not a member of the application role themselves. | ||
| System user "Synchronization" | The system user "Synchronization" has predefined permissions for setting up and running target system synchronization through an | ||
| System user "viHelpdesk" | The system user "viHelpdesk" has predefined permissions and the user interface required to access the One Manager help desk resources with the One Identity Manager. | ||
| System Account User "viITShop" | The system user "viITShop" has predefined permissions and the user interface required to access the Manager with the IT Shop. |
Related Topics
Editing Permissions Groups and System Users
In the One Identity Manager default installation certain permissions groups and system users already exist with predefined access permissions. Predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Set up your own permissions groups and system users such that the access permissions relate to the different administrative tasks required. You can enable permissions to be passed on from one permissions group to other permissions groups by structuring permissions groups hierarchically.
Permissions groups are managed in the Designer in the category Permissions | Permissions groups. Here you will find an overview of edit permissions and user interface components that are assigned to individual permissions groups. In addition, the system users are displayed, which the permissions groups are assigned.
System users are displayed in the category Permissions | System users in the Designer. You will see an overview of the permissions groups that are assigned to each individual system user.