Identity Manager 8.0 - Configuration Guide


Supporting File Groups

One Identity Manager supports file groups for grouping tables together, which helps with administration, data assignment and data distribution. One Identity Manager differentiates between logical storage and physical storage.

In the default installation, logical disk stores are predefined for the tables in each One Identity Manager module and for the system tables. You cannot change these assignments. You can create your own logical disk stores for grouping custom tables.

To define logical storage for custom tables

  1. Select the category One Identity Manager Schema | Logical disk stores in the Designer.
  2. Select Object | New in the menu.
  3. Enter a name and description for the logical storage.
  4. Assign custom tables to the logical disk store.
  5. Select the menu item View | Select table relations... and enable the table DialogTable. This shows the tab Tables for assigning tables.

You can link logical storage with physical storage, that is, with the file groups in the One Identity Manager schema. If file groups are created on different data media, you can use parallel access to improve the performance of tables with high change rates. Examples are the tables for processing DBQueue Processor tasks and the tables for process handling.

NOTE: You cannot move the following tables into other file groups; otherwise proper functioning of the One Identity Manager database cannot be guaranteed.

  • DialogColumn
  • DialogTable
  • DialogValidDynamicRef
  • QBMDBQueueTask
  • QBMDBQueueTaskDepend
  • QBMModuleDef
  • QBMModuleDepend
  • QBMRelation
  • QBMViewAddOn
  • QBMDiskStoreLogical
  • QBMDiskStorePhysical

One Identity Manager supports distribution of tables to file groups using a set of database procedures, which you can run in the database using a suitable query tool.

WARNING: Only carry out the following steps for implementing file groups together with an experienced database administrator.

Ensure that the database cannot be accessed while file groups are being set up, for example, by the Job server, application server, web server, user interfaces or Web Portal. After reactivating the DBQueue Processor, wait until all DBQueue tasks have been processed before you allow new database connections.

To distribute tables to file groups under SQL Server

  1. Create your file groups. For detailed information about this, see the documents for your currently installed version of SQL Server.
  2. Synchronize the file groups in the One Identity Manager database. Run the following query in the database using a suitable query tool.

    exec QBM_PDiskStorePhysicalSync

  3. Assign physical storage to logical storage in the Designer.
    1. Select the category One Identity Manager Schema | Logical disk stores in the Designer.
    2. Select the logical disk store and select the file groups under Physical disk store.
    3. Save the changes to the database using Database | Commit to database....

  4. Disable processing of DBQueue Processor tasks and process handling. Run the following query in the database using a suitable query tool.

    exec QBM_PWatchDogPrepare 1

    exec QBM_PDBQueuePrepare 1

  5. Move the tables into the configured file groups. Run the following query in the database using a suitable query tool.

    exec QBM_PTableMove

  6. Reactivate the DBQueue Processor. Run the following query in the database using a suitable query tool.

    exec QBM_PDBQueuePrepare 0,1

    exec QBM_PWatchDogPrepare
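The following T-SQL batch is an added example, not part of the original guide or of the One Identity Manager product: it runs steps 4 to 6 of the SQL Server procedure above as one batch, but first enforces the requirement that no other session (Job server, application server, web server, user interface) is connected to the database. The database name OneIM is a placeholder assumption; the procedure names are the ones documented above, and sys.dm_exec_sessions is a standard SQL Server management view.

```sql
-- Added example (not from the guide): guarded file-group move for SQL Server.
-- Assumes the One Identity Manager database is named OneIM (placeholder).
USE OneIM;
GO

DECLARE @others INT;

-- Count user sessions other than this one that are connected to the database.
-- Every One Identity Manager component must be stopped before tables are moved.
SELECT @others = COUNT(*)
FROM sys.dm_exec_sessions
WHERE database_id = DB_ID('OneIM')
  AND session_id <> @@SPID
  AND is_user_process = 1;

IF @others > 0
BEGIN
    RAISERROR('%d other session(s) still connected; stop the Job server, application server and web servers before moving tables.', 16, 1, @others);
    RETURN;   -- abort the batch without touching processing or file groups
END;

-- Step 4: disable process handling and DBQueue Processor task processing.
EXEC QBM_PWatchDogPrepare 1;
EXEC QBM_PDBQueuePrepare 1;

-- Step 5: move the tables into the file groups assigned to the logical
-- disk stores in the Designer.
EXEC QBM_PTableMove;

-- Step 6: reactivate the DBQueue Processor and process handling.
EXEC QBM_PDBQueuePrepare 0, 1;
EXEC QBM_PWatchDogPrepare;
```

After the batch completes, wait until all DBQueue tasks have been processed before allowing new database connections, as the guide requires.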

To distribute tables to tablespaces under Oracle Database

  1. Create your tablespaces and make them available for use by One Identity Manager database users. For detailed information about this, see the documents for your currently installed version of Oracle Database.
  2. Synchronize the tablespaces in the One Identity Manager database. Run the following query in the database using a suitable query tool.

    begin QBM_GCommon2.PDiskStorePhysicalSync(); end;

  3. Assign physical storage to logical storage in the Designer.
    1. Select the category One Identity Manager Schema | Logical disk stores in the Designer.
    2. Select the logical disk store and select the tablespace under Physical disk store.
    3. Save the changes to the database using Database | Commit to database....

  4. Disable processing of DBQueue Processor tasks and process handling. Run the following query in the database using a suitable query tool.

    begin QBM_GWatchDog.PPrepare(1); end;

    begin QBM_GDBQueue.PDBQueuePrepare(1); end;

  5. Move the tables (including LOBs and indexes) to the configured tablespaces. Run the following query in the database using a suitable query tool.

    begin QBM_GCommon2.PTableMove(); end;

  6. Reactivate the DBQueue Processor. Run the following query in the database using a suitable query tool.

    begin QBM_GDBQueue.PDBQueuePrepare(0); end;

    begin QBM_GWatchDog.PPrepare(0); end;

Granting One Identity Manager Schema Permissions

Permissions for accessing tables and columns of the One Identity Manager schema are themselves mapped in the schema through permissions groups. Permissions groups can be assigned to system users and application roles.

The user's effective permissions depend on the authentication module used for logging in to One Identity Manager tools.

  • When an authentication module that expects a defined system user is used for logging in to One Identity Manager tools, the permissions assigned to that system user are determined from its permissions groups.
  • Dynamic system users are used for logging in to One Identity Manager tools with role-based authentication modules. First, the employee's memberships in One Identity Manager application roles are determined during login. The assignments of permissions groups to One Identity Manager application roles are then used to determine which permissions groups apply to the employee. A dynamic system user, which is used for the employee's login, is determined from these permissions groups.

The effective permissions determined for the system user are not saved in the One Identity Manager schema; they are determined when the user logs in to One Identity Manager tools and are loaded at that point.

Permissions groups are also used to control access to parts of the user interface, such as menu items, forms, tasks and program functions. When a user logs in to the One Identity Manager tools, menus, forms and methods are loaded depending on the system user's permissions groups, so that the user interface displayed is customized for this system user.

The One Identity Manager provides permissions groups and system users with a predefined user interface and edit permissions to the One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Use predefined permissions groups and system users as templates for your own permissions groups and system users.


Predefined Permissions Groups and System Users

One Identity Manager supplies system users and permissions groups with predefined user interfaces (menu items, forms, tasks, program functions) and special access permissions for One Identity Manager schema tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Use predefined permissions groups and system users as templates for your own permissions groups and system users.

NOTE: It is recommended that you set up your own system users and permissions groups whose user interface and access permissions are specifically designed to meet the requirements of your administrative tasks.

Table 109: Predefined Permissions Groups

Permissions group "QBM_BaseRights"

The permissions group "QBM_BaseRights" defines the basic permissions that are sufficient for logging a system user in to the administration tools. This permissions group is always assigned implicitly.

Permissions group "VI_View"

The permissions group "VI_View" has viewing permissions for all tables and columns of the One Identity Manager application data model.

NOTE: Assign viewing permissions for custom schema extensions to this permissions group. Assign viewing permissions for the module's own tables and columns to this permissions group.

Permissions group "VI_Everyone"

The permissions group "VI_Everyone" is assigned user interface form elements that use links to the corresponding menu items. This permissions group also provides functions for Web Portal users.

NOTE: Assign this permissions group to your custom system users so that the overview form is fully displayed to the users.

Permissions groups for the One Identity Manager application data model

These permissions groups have edit permissions for One Identity Manager application data model tables and columns. They are equipped with the menu items, forms, tasks and program functions that allow the application data to be edited with the Manager.

Permissions groups for the One Identity Manager system data model

These permissions groups have permissions for One Identity Manager system data model tables and columns. They are equipped with the menu items, forms, tasks and program functions that allow the system data to be edited, for example, with the Designer editors.

The permissions group "vid" has all the edit permissions for configuring the system with the Designer.

Role-based permissions group "VI_4_ALLUSER"

The role-based permissions group "VI_4_ALLUSER" provides basic permissions, such as menu items, forms, methods and program functions, for editing application data with the Manager and the Web Portal. This permissions group is always assigned implicitly.

Role-based permissions group "VI_4_ADMIN_LOOKUP"

The permissions group "VI_4_ADMIN_LOOKUP" has viewing permissions for all tables and columns of the One Identity Manager application data model.

NOTE: Assign viewing permissions for custom schema extensions to this permissions group. Assign viewing permissions for the module's own tables and columns to this permissions group.

Role-based permissions groups

Role-based permissions groups have edit permissions for One Identity Manager application data model tables and columns. They are equipped with the menu items, forms, tasks and program functions that allow the application data to be edited with the Manager and the Web Portal. These permissions groups are linked to One Identity Manager application roles and simplify administration of access permissions in the One Identity Manager role model.

Table 110: Predefined System Users

Dynamic system user

Dynamic system users are used for logging in to One Identity Manager tools with role-based authentication modules. First, the employee's memberships in One Identity Manager application roles are determined during login. The assignments of permissions groups to One Identity Manager application roles are then used to determine which permissions groups apply to the employee. A dynamic system user, which is used for the employee's login, is determined from these permissions groups.

System user "sa"

The system user "sa" is used exclusively by the One Identity Manager Service. This system user is not allocated any permissions groups but has all access permissions, tasks and program functionality.

System user "viadmin"

The system user "viadmin" is the default system user for One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.

IMPORTANT: The system user "viadmin" is not for use in a live environment! Set up your own system users with the appropriate permissions.

The system user "viadmin" has all the permissions predefined by and the entire user interface. The system user "viadmin" also implicitly has all the permissions and user interface components from custom permissions groups.

The system user "viadmin" has permissions to set up an employee as One Identity Manager administrator for role-based login. The system user itself is not a member of the application role.

System user "Synchronization"

The system user "Synchronization" has predefined permissions for setting up and running target system synchronization through an

System user "viHelpdesk"

The system user "viHelpdesk" has predefined permissions and the user interface required to access the One Manager help desk resources with the One Identity Manager.

System user "viITShop"

The system user "viITShop" has predefined permissions and the user interface required to access the Manager with the IT Shop.

Editing Permissions Groups and System Users

In the One Identity Manager default installation, certain permissions groups and system users already exist with predefined access permissions. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties. Set up your own permissions groups and system users so that the access permissions correspond to the different administrative tasks required. You can pass permissions on from one permissions group to other permissions groups by structuring permissions groups hierarchically.

Permissions groups are managed in the Designer in the category Permissions | Permissions groups. Here you will find an overview of the edit permissions and user interface components assigned to each permissions group. In addition, the system users to which the permissions groups are assigned are displayed.

System users are displayed in the category Permissions | System users in the Designer. There you will see an overview of the permissions groups assigned to each individual system user.