Example for Replacing the GenProcID
A hierarchical role structure exists which consists of 4 roles O1, O2, O3 and O4. Employee X is assigned to roles O1, O4 and O3. The assignment of applications to roles is depicted in the following:
Figure 47: Role Structure as in the Example Above
Three processes run between two DBQueue Processor runs, each with its own GenProcID:
- P1: Application A1 is assigned to the role O1
- P2: Application A2 is assigned to the role O1
- P3: Application A3 is assigned to the role O2
The following operations are in the DBQueue (table DialogDBQueue) and in the process information:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O1 | P1 |
| OrgHasApp | O1 | P2 |
| OrgHasApp | O2 | P3 |
The operation OrgHasApp cannot be subdivided with respect to O1 because the union of the applications is not yet computed. At this point, there is no more information available as to which GenProcID has been entered for which application by the assignment.
In order to achieve uniqueness for the combination of operation and object, a new GenProcID P4 is introduced and the two O1 operations are compacted into this GenProcID. P1 and P2 are noted in the table DialogProcessSubstitute as possible predecessors of P4 (but not clearly in the individual actions).
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O1 | P4 |
| OrgHasApp | O2 | P3 |
The following constellations can occur depending on whether the operation OrgHasApp is processed as single step or in bulk:
Case 1) O1 is calculated and then O2.
Case 2) O2 is calculated and then O1.
Case 3) O1 and O2 are calculated together in a bulk operation.
After these operations have been executed and assuming that they all cause changes to the total sets affected the following situation arises:
Case 1) O1 is calculated and then O2.
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O2 | P3 |
| OrgHasApp | O4 | P4 |
| OrgHasApp | O2 | P4 |
| OrgHasApp | O3 | P4 |
| PersonHasApp | X | P4 |
Before the next DBQueue Processor run the GenProcID’s must be compressed again, because the OrgHasApp operation did not produce a unique result for the object O2. P5 is introduced with possible predecessors P4 and P3.
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O2 | P5 |
| OrgHasApp | O4 | P4 |
| OrgHasApp | O3 | P4 |
| PersonHasApp | X | P4 |
Now the calculation is done for O2:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O3 | P5 |
| PersonHasApp | X | P5 |
| OrgHasApp | O4 | P4 |
| OrgHasApp | O3 | P4 |
| PersonHasApp | X | P4 |
Because O3 is not unique, P6 is introduced with possible predecessors P4 and P5.
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O3 | P6 |
| PersonHasApp | X | P5 |
| OrgHasApp | O4 | P4 |
| PersonHasApp | X | P4 |
After O3 and O4 have been calculated we have the following situation:
| Operation | Object | GenProcID |
|---|---|---|
| PersonHasApp | X | P6 |
| PersonHasApp | X | P5 |
| PersonHasApp | X | P4 |
There is no uniqueness for object X such that P7 is introduced with possible predecessors P4, P5 and P6.
Case 2) O2 is calculated and then O1.
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O1 | P4 |
| OrgHasApp | O2 | P3 |
After execution the following entries are in the DBQueue:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O1 | P4 |
| OrgHasApp | O3 | P3 |
The following situation is the result after the next step:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O3 | P3 |
| OrgHasApp | O4 | P4 |
| OrgHasApp | O2 | P4 |
| OrgHasApp | O3 | P4 |
| PersonHasApp | X | P4 |
To achieve uniqueness for O3 a process P5 with possible predecessors P3 and P4 is created:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O3 | P5 |
| OrgHasApp | O4 | P4 |
| OrgHasApp | O2 | P4 |
| PersonHasApp | X | P4 |
After calculating we have the following situation:
| Operation | Object | GenProcID |
|---|---|---|
| PersonHasApp | X | P5 |
| PersonHasApp | X | P4 |
There is no uniqueness for object X such that P6 is introduced with possible predecessors P4 and P5.
Case 3) O1 and O2 are calculated together in a bulk operation.
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O1 | P4 |
| OrgHasApp | O2 | P3 |
After the first step in the calculation the following entries are in the DBQueue:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O4 | P4 |
| OrgHasApp | O2 | P4 |
| OrgHasApp | O3 | P4 |
| OrgHasApp | O3 | P3 |
| PersonHasApp | X | P4 |
Uniqueness is achieved for O3 by introducing P5 with possible predecessors P3 and P4:
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O4 | P4 |
| OrgHasApp | O2 | P4 |
| OrgHasApp | O3 | P5 |
| PersonHasApp | X | P4 |
After the next step in the calculation, the following content is found
| Operation | Object | GenProcID |
|---|---|---|
| OrgHasApp | O3 | P4 |
| PersonHasApp | X | P4 |
| PersonHasApp | X | P5 |
After O3 has been reached in the next run and has not created a new PersonHasApp entry, only X exists with P4 and P5 because X already exists with P4.
| Operation | Object | GenProcID |
|---|---|---|
| PersonHasApp | X | P4 |
| PersonHasApp | X | P5 |
There is no uniqueness for object X such that P6 is introduced with possible predecessors P4 and P5.
Archiving and Deleting Recordings
All entries logged in One Identity Manager are initially saved in the One Identity Manager database. The proportion of historical data to total volume of a One Identity Manager database should not exceed 25%. Otherwise performance problems may arise. You must ensure that log entries are regularly removed from the One Identity Manager database and archived.
The following methods are provided for regularly removing data recorded from the One Identity Manager database:
- The data can be transferred directly form the One Identity Manager database into a One Identity Manager History Database. This is the default procedure for data archiving. Select this method if the servers on which the One Identity Manager database and the One Identity Manager History Database are located have network connectivity.
- The data can be exported in XML files. These can be loaded into the One Identity Manager History Database on a scheduled basis. Use this method if the One Identity Manager database and the One Identity Manager History Database are not in the same network segment. Alternatively you can load the XML files into another archiving system provided by the company.
- The data is deleted from the One Identity Manager database after a certain amount of time without being archived.
Figure 48: Transferring Records to the One Identity Manager History Database
All records in the One Identity Manager database that are triggered by an action are grouped together into a process group based on an ID number, the GenProcID for direct transfer to a History Database or for exporting to XML files. The exported process groups along with the associated records are delete from the One Identity Manager database once the export has been successfully completed.
The following conditions have to be met to facilitate direct transfer to a One Identity Manager History Database or to export XML files:
- The subsection of records is configured for export.
- The retention period for all records that belong to a process group has ended, not taking into account whether the section of record is labeled for export or not.
- There are no processes enabled with the process group GenProcID in the DBQueue, Job queue or as planned operations.
- There is at least one record in the subsection of records for the triggered action that should exported.
Both databases for archiving records in a One Identity Manager History Database - the One Identity Manager database and the One Identity Manager History Database - have to be configured.
Selecting a Method
Select the basic procedure by setting the configuration parameter "Common\ProcessState\ExportPolicy". If the configuration parameter is disabled, the data remains in the One Identity Manager database. If the configuration parameter is enabled, the selected procedure is applied.
| Value | Meaning |
|---|---|
| FILE | The data is exported to XML files after a specified time period has expired. |
| HDB | The files are transferred directly to the One Identity Manager History Database after a specified time period has expired. |
| NONE | The data is deleted in the One Identity Manager database after the specified time period has expired. |
After selecting the basic procedure, you can specify whether data is exported or deleted for each subsection of records individually. You use configuration parameters to make the choice for each subsection.
| Configuration parameter | Meaning |
|---|---|
| Common\ProcessState\PropertyLog\IsToExport | Exports the data changes. If this configuration parameter is not set the information is deleted once the retention period has expired. |
| Common\ProcessState\PropertyLog\LifeTime | This configuration parameter specifies the maximum retention period in the database for log entries from change tracking. |
| Configuration parameter | Meaning |
|---|---|
| Common\ProcessState\ProgressView\IsToExport | Exports the data in the process information. If this configuration parameter is not set the information is deleted once the retention period has expired. |
| Common\ProcessState\ProgressView\LifeTime | This configuration parameter specifies the maximum length of time that log data from process information can be kept in the database. |
| Configuration parameter | Meaning |
|---|---|
| Common\ProcessState\JobHistory\IsToExport | Exports the information in the process history. If this configuration parameter is not set the information is deleted once the retention period has expired. |
| Common\ProcessState\JobHistory\LifeTime | This configuration parameter specifies the maximum retention period in the database for log entries from process history. |
Specifying Data Retention Periods
Once the retention period has ended, the recorded data is either exported or deleted from the One Identity Manager database depending on which archiving method has been chosen. A longer retention period should be selected for subsections whose records will be exported than for those that will be deleted.
|
|
NOTE: If you do not specify a retention period, the records for this subsection will be deleted daily from the One Identity Manager database within the DBQueue Processor daily maintenance tasks. |
The recordings are not exported until the retention period for all subsections has expired and no other active processes for the process group (GenProcID) exist in the DBQueue, process history or as planned operation.
Example 1
Records are transferred directly to the One Identity Manager History Database. The following configurations are selected for each subsection:
| Configuration | Process Information | Process History | Data Changes |
|---|---|---|---|
| Export data | No | No | Yes |
| Retention period | 3 days | 4 days | 5 days |
This results in the following sequence:
| Time | Process Information | Process History | Data Changes |
|---|---|---|---|
| Day 3 | Data is deleted from the One Identity Manager database | No action | No action |
| Day 4 | - | Data is deleted from the One Identity Manager database | No action |
| Day 5 | - | - | Data is transferred to the One Identity Manager History Database and then deleted from the One Identity Manager database |
Example 2
Records are transferred directly to the One Identity Manager History Database. The following configurations are selected for each subsection:
| Configuration | Process Information | Process History | Data Changes |
|---|---|---|---|
| Export data | Yes | No | Yes |
| Retention period | 3 days | 4 days | 5 days |
This results in the following sequence:
| Time | Process Information | Process History | Data Changes |
|---|---|---|---|
| Day 3 | No action because the retention period has not ended for all subsections | No action | No action |
| Day 4 | No action because the retention period has not ended for all subsections | Data is deleted from the One Identity Manager database | No action |
| Day 5 | Data is exported and then deleted | - | Data is transferred to the One Identity Manager History Database and then deleted from the One Identity Manager database |