Chat now with support
Chat with Support

Identity Manager 8.0 - Configuration Guide

One Identity Manager Software Architecture Working with the Designer Customizing the One Identity Manager Default Configuration Checking Data Consistency Compiling a One Identity Manager Database Working with Change Labels Basic System Configuration Data
One Identity Manager Authentication Module Database Connection Data Configuration Parameters for System Configuration Setting up the Mail Notification System Enabling More Languages for Displaying and Maintaining Data Displaying Country Information Setting Up and Configuring Schedules Password Policies in One Identity Manager Reloading Changes Dynamically TimeTrace Databases Machine Roles and Server Functions Files for Software Update Operating Systems in Use System Configuration Reports Using Predefined Database Queries Managing Custom Database Objects within a Database
The One Identity Manager Data Model Granting One Identity Manager Schema Permissions Working with the User Interface
Object definitions for the User Interface User Interface Navigation Forms for the User Interface Statistics in the One Identity Manager Extending the Launchpad Task Definitions for the User Interface Applications for Configuring the User Interface Icons and Images for Configuring the User Interface Language Dependent Data Representation
Process Orchestration in One Identity Manager
Declaring the Job Server One Identity Manager Service Configuration Handling Processes in the One Identity Manager
Tracking Changes with Process Monitoring Conditional Compilation using Preprocessor Conditions One Identity Manager Scripts Maintaining Mail Templates Reports in the One Identity Manager Custom schema extensions Transporting One Identity Manager Schema Customizations Importing Data Web Service Integration SOAP Web Service One Identity Manager as SPML Provisioning Service Provider Searching for Errors in the One Identity Manager Processing DBQueue Tasks One Identity Manager Configuration Files

Creating and Editing Events

Events are defined to assign processes to objects. Processes cannot be generated until a link has been created between object, event and process. The following predefined events are available. These are described in the following table.

Table 222: Predefined Events
Event Comment
Insert Event created when an object is created. Available for all objects.
Update Event created when an object is changed. Available for all objects.
Delete Event created when an object is deleted. Available for all objects.
Execute Event created by DBQueue Processor when the execution time is reached of a delayed operation.

Other events are provided by the Customizer. These events are described in the Customizer documentation. You can define other custom events to trigger processes.

In One Identity Manager, how events for stored processes are triggered is linked with the permissions concept. Users can only trigger events on objects like this if they own edit permissions for them. This can lead to table users, who only have viewing permissions, not being able to trigger additional events for processes.

In this case, it is possible, to define so called object events and connect them to a program function. An event, which is defined for a process, is linked with an object event. If the object event is assigned a program function, users that owns the program function, can trigger the associated object event and therefore the process, depending on their permissions.

To crate

  1. Open the process in the Process Editor.
  2. Click on the element for the process in the process document.
  3. Select the Events view and click .
  4. The table's object events are displayed in the Object event menu. Select an valid object event or create a new object event using the button.

To allow triggering a process through a program function

  1. Select the category Permissions | Program functions in the Designer.
  2. Select the menu item View | Select table relations... and enable the tables QBMEventHasFeature and DialogGroupHasFeature.

    The tabs Object events and Permissions groups are displayed in the edit view.

  3. Select the program function and assign an object event and permissions groups to it.

Related Topics

Creating and Editing Process Steps

A process consists of process steps, which represent processing tasks and are joined by predecessor/successor relations.

To add process steps within a process with the you can:

  • Create a new process step
  • Copy an existing process step and edit the copy
  • Import an existing process step into the process

To create a new process step

  1. Open the process in the Process Editor.
  2. Select Process step | New from the menu.

    This makes a new element for the process step and displays it in the Process Editor.

  3. Edit the process' master data.
  4. Link the process step with the process.

To edit an existing process step

  1. Open the process in the Process Editor.
  2. Click on the element for the process step in the process document.

    NOTE: To edit several process steps, hold down the CTRL key and click on the process steps.

    Input fields with different values are marked with in the process step edit view. The value in the input field is copied to selected process steps after the changes have been saved.

To copy a process step

  1. Select the process step to copy and use Copy in the context menu or CTRL + C to copy the process step to the clipboard,

    NOTE: To edit several process steps, hold down the CTRL key and click on the process steps.

  2. Insert the process step using Paste in the context menu or CTRL + V.

    The process step is given a new UID and all the process steps are copied.

  3. Edit the process step's master data

  4. Link the process step with the process.

To import a process step

  1. Open the process in the Process Editor.

  2. Select Process step| Import from the menu.
    Table 223: Meaning of the Icons in the Toolbar
    Icon Meaning
    Searches for a process step.
    Imports the process step.
    Specifies the search options.
  3. Enter a search string and use the search options to specify which objects should be searched for.

    The given objects are searched for internally by a WHERE clause. If several objects are found they are appended, internally, with a ’Join’ condition.

    Table 224: Searchable Objects and Properties
    Search in Objects Properties to be Searched
    Process Name
    Process step Name, description, generating condition, server selection script
    Parameter Name, value
    Process component Component class, component assembly
    Process task Name
    Parameter template Name, value template
  4. Start the search

    The process steps that are found are displayed in the result list.

  5. Select the process steps you want from the list and import them into the process document with in the toolbar or by double clicking in the process document.
  6. Edit the process step's master data
  7. Link the process step with the process.
Detailed information about this topic

Process Step Properties

Table 225: General Process Step Properties
Property Meaning
Name Name of the process step.
Process task

Process task to execute for the process component. When you select a process task you define which action is executed by the process step. The process task parameter templates are copied to the process step as parameters. This means that every process step that uses this process task can pass other parameter values. The original is not altered.

Description Additional description of a process step.
Priority The priority sets the precedence in the Job queue for adding and processing the process step. The value ranges from 1 to 15. The higher the value, the sooner the process step will be processed.
Process information

Specifies whether this step is logged. Logging depends on the setting of the configuration parameter "Common\ProcessState\ProgressView".

Table 226: Permitted Values

Value

Description

None

The process information is not logged.

Full process tracking

The process information is logged and displayed in the Manager.

Web Portal tracking

The process information is logged and displayed in the Manager and in the Web Portal.

Process information term

VB.Net expression for displaying the display name in the process view.

Depth of detail

Severity level for mapping process information.

Notification (success) Specifies whether notification is sent on success.
Notification (error) Specifies whether notification is sent on error.
Pre-script for generating

The pre-script is executed before other scripts are run. You can find global variables with a pre-script or define process specific variables that can then be used within the process, for example, in generating conditions, sever selection scripts or parameters.

Generating condition Define a condition in VB.Net syntax for the process step, which is used to decide whether the process step is generated. If a generating condition is given, the process step is only generated if the condition is fulfilled.
Preprocessor condition

You can specify a preprocessor condition for a process step for conditional compiling. A process step is, therefore, only available if the preprocessor condition is fulfilled.

Disabled by preprocessor If a process step is disabled by a preprocessor condition, the option is set by the Database Compiler.
Server function Specifies the server types for this process step. Specifies the permitted server types for this process step. The selection must lead to a unique result, for example SQL processing Server.
Script for server selection If it is not possible for the Job Generator to decide which server to use based on the server function, you can use a selection script in VB.net syntax for more a detailed evaluation.
Wait mode on error If a specific condition is not fulfilled at a particular point in the process step, One Identity Manager Service can repeat the process step. Setting this option results in the process step being re-run depending on latency and retries.
Latency (mins) Latency period in minutes. Number of minutes a process step, if it has failed, is deferred until the next retry.
Retries Number of retries.
Split processing Process steps that are only required for branching the process are labeled with this option. An example could be a process step that checks for the existence of a directory. The next process step to be processed is either the step on success or the step on error (without generating an error message) depending on the return value.
Ignore errors Specifies whether error are ignore during execution. In this case the following process step is still carried out despite the previous step not being correctly processed.
Stop on error

If an error occurs when a process step is executed, it remains in the Job queue and is given the status "Frozen". In this case, no more process steps are collected for processing and they remain in the Job queue. You can re-enable the process steps with "Frozen" status in the program "Job Queue Info".

If the configuration parameter "Common\MailNotification\NotifyAboutWaitingJobs" is set, an additional email is sent when processes are labeled with the status "Frozen" and a corresponding entry is made in the update server's event log. Prerequisites for using the notification system is an SMTP host set up for sending mail and activation of the configuration parameter for mail notification.

Log errors to journal

If this option is set, the error message from process handling is logged to the database journal. Error messages from process handling can be recorded in the process history.

Log mode

You can enable an extended logging mode for process step messages in Job Queue Info.

Use this logging mode to provide individual processing steps with continuous extended logging. Use the value "always" to log process step messages on success and failure. Use the value "error" to log process step messages only on failure.

Process History

Specifies whether process step notification is written to the process history.

Related Topics

Specifying the Execution Server

You specify which server should handle each process step. You can select the executing server using the server function or a selection script. Server selection should always end with a unique result. The selection script is evaluated first to determine the server. If a server cannot be determined in this way, the server function is analyzed. The first server that is found is used for executing the process step.

Selecting the Server with a Server Function

The most common server functions are predefined, for example, domain controller or SQL processing server. Enter a server function directly if you can determine the server uniquely.

NOTE: More server functions may be available depending on which modules are installed.
Table 227: Permitted Server Functions

Server Function

Remark

Update Server

This server executes automatic software updating of all other servers. The server requires a direct connection to the database server that the One Identity Manager database is installed on. The server can execute SQL tasks.

The server with the installed One Identity Manager database, is labeled with this functionality during initial installation of the schema.

SQL processing server

This server can process SQL tasks. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

One Identity Manager Service installed

Server on which a One Identity Manager Service is installed.

SMTP host

Server from which the One Identity Manager Service sends email notifications. Prerequisite for sending mails using the One Identity Manager Service is SMTP host configuration.

Default report server

Server on which reports are generated.

Selecting the Server with a Selection Script

If it is not possible to decide which server should be used based on the server function (for example, because several SMTP servers exist), you can use a server script for more a detailed evaluation.

To find the server with a selection script, use a VB.Net expression, which:

  • Returns a string with the Job server UID
  • Returns a string with data for a WHERE clause for database queries The selection must return a string, which begins with WHERE and contains a logical condition. The WHERE clause is applied to the table QBMServer.

Alternatively, you can enter the queue to be handled by the process step directly into the selection script. Each One Identity Manager Service within the network has a unique queue name. Only process steps that have this exact queue name are requested from the Job queue.

Syntax for direct Queue input:

DIRECT:<queue>

Example:

Value = "DIRECT:\Server01"

Related Topics
Related Documents