
Identity Manager 8.0 - Configuration Guide


Properties of Process Components, Process Tasks and Parameter Templates

Table 245: Process Component Properties

Display name
    Name of the component as it is displayed in the user interface.

Component class
    Class of the component.

Assembly name
    Name of the assembly that contains the component.

Description
    Description of the component's functionality.

Remarks
    Additional remarks about the process component.

Max. instances
    Maximum number of instances of this process component that may run in a queue of a Job server.

    Permitted values:

      • -1: All instances of this process component are processed sequentially.

        It must be ensured that these components run exclusively on one Job server, which means that no other queue may exist that processes these components.

      • 0: All instances of this process component can be processed at the same time.
      • 1 or greater: Exact number of instances of this process component that can be processed at the same time.

    NOTE: This value is only used if the maximum number of instances of the process task is set to 0. Otherwise the value set for the process task applies.

Configuration
    Definition of possible additional options for the component, in XML syntax.
Table 246: Process Task Properties

Name
    Name of the process task.

Operating system class
    Specifies the operating system on which the process task can run. Permitted values are "Win32", "Linux" and "ALL", where "ALL" means that the process task can run on any operating system.

Execution type
    Specifies whether the process component for the process task is executed by the One Identity Manager Service itself (internal) or in a separate process (external).

Description
    Description of the process task.

Max. instances
    Maximum number of instances of this process task that the One Identity Manager Service may run in parallel.

    Permitted values:

      • -1: All instances of this process task are processed sequentially.
      • 0: The maximum number of instances specified for the process component applies.
      • 1 or greater: Exact number of instances of this process task that can be processed at the same time.

Last step in the partial process tree
    Specifies whether the process task always marks the end of a partial process tree.

Component
    Process component to which the process task belongs.

Direct database connection required
    Specifies whether the process task requires a direct database connection.

Exclusive per object
    Specifies whether the process task is executed exclusively per object. If this option is set, process steps with this process task are never processed in parallel for the same object; at most one such step runs for a given object at any time.

Table 247: Parameter Template Properties

Name
    Name of the parameter.

Value template
    Default template for determining the parameter value. When the parameter is added to a process step, the value template is copied from the parameter template. Value templates are written in VB.Net syntax.

Value template (example)
    Example of a value template.

Description
    Description of the parameter.

Type
    Permitted values are IN, OUT and INOUT.

    Parameters of type OUT and INOUT are parameters through which a process component can output a value. This value is then available to subsequent process steps in the process and can be used as the value of IN parameters.

Optional
    Labels the parameter as mandatory or optional.

Hidden
    Specifies whether the parameter value is shown in the One Identity Manager Service log file and in the Job Queue Info program. Values of hidden parameters are shown as <HIDDEN>. Only "viadmin" system users are permitted to see these parameter values in Job Queue Info. Hidden only affects the display; whether the value is protected when it is passed is controlled by the option Encrypted.

Encrypted
    Specifies whether the parameter value is encrypted when it is passed.

Contains encrypted components
    Specifies whether the value contains encrypted sequences.

Process task
    Process task to which the parameter belongs.

Tracking Changes with Process Monitoring

With One Identity Manager it is possible to create a change history for objects and their properties. This can be used to fulfil reporting duties for internal committees and legal obligations for providing documentary evidence. Different methods can be used to track changes within One Identity Manager. In combination, these methods allow all changes made in the One Identity Manager system to be traced.

  • Recording changes to data

    Data changes can be recorded for add or delete operations on objects and up to and including changes to individual object properties.

  • Recording process information

    Recording process information allows all processes and process steps to be tracked while being processed by One Identity Manager Service.

  • Recording messages in the process history

    In the process history, the One Identity Manager Service records the success and error messages from handling each process step in the Job queues.

All entries logged in One Identity Manager are initially saved in the One Identity Manager database. The proportion of historical data to total volume of a One Identity Manager database should not exceed 25%. Otherwise performance problems may arise. You must ensure that log entries are regularly removed from the One Identity Manager database and archived. For more information about archiving data, see the One Identity Manager Data Archiving Administration Guide.
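The 25% guideline above is easiest to keep when it is measured rather than guessed. The following T-SQL query is an added example and not part of the guide or of the One Identity Manager product: it estimates how much of the database is taken up by the change-tracking tables this page names (DialogProcess, DialogWatchOperation, DialogWatchProperty) and compares that share with the guideline. It assumes a SQL Server-hosted One Identity Manager database with the tables in the dbo schema, and a login that holds VIEW DATABASE STATE; the list of history tables is deliberately limited to the tables named on this page and should be extended with the other history tables that are archived in your installation.

```sql
-- Added example (not from the One Identity Manager documentation).
-- Assumptions: SQL Server (T-SQL), tables in dbo, VIEW DATABASE STATE permission.
-- The history table list only contains the tables this page names; extend it as needed.
DECLARE @HistoryTables TABLE (TableName sysname NOT NULL);
INSERT INTO @HistoryTables (TableName)
VALUES (N'DialogProcess'), (N'DialogWatchOperation'), (N'DialogWatchProperty');

IF OBJECT_ID('tempdb..#TableSizes') IS NOT NULL DROP TABLE #TableSizes;

-- Reserved pages (data plus indexes) of every user table, converted to MB.
-- Rows are counted on the heap (index_id 0) or clustered index (index_id 1) only,
-- so that nonclustered indexes do not inflate the row count.
SELECT  t.name AS TableName,
        SUM(ps.reserved_page_count) * 8.0 / 1024 AS ReservedMB,
        SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END) AS RowCnt
INTO    #TableSizes
FROM    sys.dm_db_partition_stats AS ps
JOIN    sys.tables AS t ON t.object_id = ps.object_id
GROUP BY t.name;

-- Overall verdict against the 25 % guideline from the guide.
SELECT  CAST(x.DatabaseMB AS decimal(12, 2))                                  AS DatabaseMB,
        CAST(x.HistoryMB  AS decimal(12, 2))                                  AS HistoryMB,
        CAST(100.0 * x.HistoryMB / NULLIF(x.DatabaseMB, 0) AS decimal(5, 2))  AS HistoryPercent,
        CASE WHEN x.HistoryMB > 0.25 * x.DatabaseMB
             THEN 'Above 25 %: archive and remove log entries'
             ELSE 'Within guideline' END                                      AS Assessment
FROM (
    SELECT  SUM(ts.ReservedMB) AS DatabaseMB,
            SUM(CASE WHEN h.TableName IS NOT NULL THEN ts.ReservedMB ELSE 0 END) AS HistoryMB
    FROM    #TableSizes AS ts
    LEFT JOIN @HistoryTables AS h ON h.TableName = ts.TableName
) AS x;

-- Per-table breakdown of the history tables, largest first, to see where archiving pays off.
SELECT  ts.TableName,
        ts.RowCnt,
        CAST(ts.ReservedMB AS decimal(12, 2)) AS ReservedMB
FROM    #TableSizes AS ts
JOIN    @HistoryTables AS h ON h.TableName = ts.TableName
ORDER BY ts.ReservedMB DESC;
```

Run the query on the One Identity Manager database itself (not on the archive database). Reserved space is used rather than row counts because the guideline refers to data volume, and the history tables carry wide text columns whose size is not reflected in a row count.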


Basics for Process Monitoring

Table 248: Configuration Parameters for Process Monitoring

Common\ProcessState
    If this configuration parameter is set, process monitoring can be configured. The data is displayed in the Manager's process view.

To use process monitoring in One Identity Manager:

  • Set the configuration parameter "Common\ProcessState".
  • Control the extent of the logging with the configuration parameters of each method.

The methods implemented by One Identity Manager allow all modifications to the system that are triggered by a user action to be monitored. Each action in One Identity Manager is labeled with a unique ID number, the GenProcID. All changes that can be traced back to the same cause are given the same GenProcID and are grouped in this way. If a preceding action does not pass a GenProcID to the current action, a new ID is created automatically.

If an action is triggered from the One Identity Manager object layer, the GenProcID is written to the context data of the database connection. The logged-in user is also noted in the context data and is made available in this way.

If an action takes place directly in the database, or through an application that works without the One Identity Manager object layer, the trigger generates a new GenProcID. This GenProcID is valid for the duration of the database connection, which means that all changes made over that connection belong to the same action and are linked to the same GenProcID. In this case the user data consists of the database user's name, the MAC address, the workstation name and the application name; such changes are therefore attributed to the database login and workstation, not to a One Identity Manager user.

All actions (process triggers) that cause changes to the system, together with their current status information, are logged internally in the status table DialogProcess. This logging takes place regardless of which change history method is chosen. It therefore provides the starting point for monitoring and allows the changes resulting from one action to be grouped together.

The following information is recorded for one action:

  • ID number (GenProcID)
  • Display name for the action
  • Base object that the action is triggered for
  • User that triggered the action
  • Time of action
  • Object key for selecting the process trigger
  • Comment on the action
  • Current process status

NOTE: The information is displayed in the Manager’s process view. For more information, see the One Identity Manager User Guide for One Identity Manager Tools User Interface and Default Functions.


Logging Data Changes

Table 249: Configuration Parameters for Logging Data Changes

Common\ProcessState
    If this configuration parameter is set, process monitoring can be configured. The data is displayed in the Manager's process view.

Common\ProcessState\PropertyLog
    If this configuration parameter is set, changes to individual values are logged and shown in the process view.

Common\ProcessState\PropertyLog\AllDefaultPropertiesForModel
    If this configuration parameter is set, the most important columns of the One Identity Manager schema are labeled for logging.

Common\ProcessState\PropertyLog\AutoTrackAlternatePK
    If this configuration parameter is set, properties are still logged even if parts of an alternative key change. This applies only to tables that are transportable and in which at least one property is labeled for logging. This configuration parameter only affects system components.

Common\ProcessState\PropertyLog\AutoTrackAlternatePK\PayLoad
    If this configuration parameter is set, properties are still logged even if parts of an alternative key change. This applies only to tables that are transportable and in which at least one property is labeled for logging. This configuration parameter only affects user components.

Add, change and delete operations can be recorded for objects. The trigger GenProcID is passed as well, so that the changes to one object can be grouped together.

NOTE: An object's change history is displayed in the Manager's process view. For more information, see the One Identity Manager User Guide for One Identity Manager Tools User Interface and Default Functions.

The following prerequisites are required to log data changes:

  • Set the configuration parameter "Common\ProcessState" in the Designer.
  • Set the configuration parameter "Common\ProcessState\PropertyLog" in the Designer.
  • Label columns for which changes will be logged.
  • Label columns to be logged when an object is deleted.

TIP: If the configuration parameter "Common\ProcessState\PropertyLog\AllDefaultPropertiesForModel" is set, the default columns of the One Identity Manager schema are labeled for logging changes and deletions. The columns affected are defined in the table QBMVDefaultHistoryColumns.

To log a column

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the column and select the tab More.
    • To log changes to data in the column, set the option Log changes.
    • To log the column's value when the object is deleted, set the option Log changes when deleting.

The data changes are stored in the tables DialogWatchOperation and DialogWatchProperty. An entry is also created in the status table DialogProcess for the triggering action.

The following information is collected for these operations:

  • Adding an object

    When a new object is added, the object key, object display name, date of insertion and user are logged.

  • Changing an object

    When a column is changed, the old value, the change date and the user are logged. Whether changes to properties that belong to an alternative key are recorded depends on the configuration parameters "Common\ProcessState\PropertyLog\AutoTrackAlternatePK" and "Common\ProcessState\PropertyLog\AutoTrackAlternatePK\PayLoad".

  • Deleting an object

    When an object is deleted, the columns labeled for logging and all primary key columns are logged, together with their values, the deletion date and the user.
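To see how the action log in DialogProcess (described under "Basics for Process Monitoring") and the data change log in DialogWatchOperation and DialogWatchProperty fit together, here is an added T-SQL example that is not part of the guide or of the One Identity Manager product. It reconstructs the change history of one object and then lists everything else that was changed by the same actions, using the GenProcID as the grouping key. The column names used for the three tables are assumptions derived from what this page says is recorded (check them against the table definitions in the Designer before use), the dbo schema and SQL Server are assumed, and the object key is a constructed placeholder in the <Key><T>table</T><P>primary key</P></Key> form.

```sql
-- Added example (not from the One Identity Manager documentation).
-- Assumed column names (verify in the Designer's table definitions):
--   DialogProcess:        GenProcID, DisplayName, ObjectKey, UserName, XDateInserted
--   DialogWatchOperation: UID_DialogWatchOperation, GenProcID, ObjectKey, DisplayName,
--                         OperationType, OperationDate, UserName
--   DialogWatchProperty:  UID_DialogWatchOperation, PropertyName, OldValue
-- Constructed placeholder object key; replace with the key of the object to investigate.
DECLARE @ObjectKey nvarchar(max) =
    N'<Key><T>Person</T><P>00000000-0000-0000-0000-000000000000</P></Key>';

-- 1) Every logged operation on the object, with the logged columns and their old values,
--    joined to the triggering action so that the cause of each change is visible.
SELECT  wo.GenProcID,
        dp.DisplayName   AS ActionDisplay,   -- action recorded in DialogProcess
        dp.UserName      AS ActionUser,      -- user who triggered the action
        dp.XDateInserted AS ActionTime,
        wo.OperationType,                    -- add, change or delete of the object
        wo.OperationDate,
        wo.UserName      AS OperationUser,
        wp.PropertyName,                     -- logged column (NULL for an add operation)
        wp.OldValue                          -- value before the change
FROM    dbo.DialogWatchOperation AS wo
LEFT JOIN dbo.DialogWatchProperty AS wp
       ON wp.UID_DialogWatchOperation = wo.UID_DialogWatchOperation
LEFT JOIN dbo.DialogProcess AS dp
       ON dp.GenProcID = wo.GenProcID
WHERE   wo.ObjectKey = @ObjectKey
ORDER BY wo.OperationDate, wo.GenProcID, wp.PropertyName;

-- 2) One row per action that touched the object: all objects and columns changed under
--    the same GenProcID, i.e. everything that traces back to the same cause.
SELECT  wo.GenProcID,
        MIN(dp.DisplayName)          AS ActionDisplay,
        MIN(wo.OperationDate)        AS FirstChange,
        MAX(wo.OperationDate)        AS LastChange,
        COUNT(DISTINCT wo.ObjectKey) AS ObjectsTouched,
        COUNT(wp.PropertyName)       AS ColumnsChanged
FROM    dbo.DialogWatchOperation AS wo
LEFT JOIN dbo.DialogWatchProperty AS wp
       ON wp.UID_DialogWatchOperation = wo.UID_DialogWatchOperation
LEFT JOIN dbo.DialogProcess AS dp
       ON dp.GenProcID = wo.GenProcID
WHERE   wo.GenProcID IN (SELECT o.GenProcID
                         FROM   dbo.DialogWatchOperation AS o
                         WHERE  o.ObjectKey = @ObjectKey)
GROUP BY wo.GenProcID
ORDER BY FirstChange;
```

The second result set is the one to look at during an investigation: a single GenProcID that touched far more objects than the one you started from points to a bulk operation, a script or a direct database change, and the user recorded for it tells you whether it came through the object layer (a One Identity Manager user) or directly through the database (a database login and workstation). Because only columns labeled for logging appear in DialogWatchProperty, an empty ColumnsChanged count does not prove that nothing changed; it may mean the changed columns were not labeled.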
