
Identity Manager 8.0 - Data Archiving Administration Guide

Tips for Using More than One SQL Server

NOTE: If the One Identity Manager History Database and the One Identity Manager database are on different servers, only matching versions and patch levels of the operating system and database system are supported.

If the One Identity Manager database and the One Identity Manager History Database are on different database servers, the following prerequisites for data acquisition must be met on both servers:

  • Start the services "Microsoft Distributed Transaction Coordinator" (DTC), "RPC Client", and "Security Account Manager".
  • For network communication between the servers, check the firewall settings and, if required, adjust them according to the recommendations for the operating system in use. For more information, refer to the operating system documentation.

Enable the following options in the DTC security settings:

  • Network DTC Access
  • Allow Remote Clients
  • Allow Inbound
  • Allow Outbound
  • No Authentication Required

Configure the security settings in the Microsoft Management Console with the Component Services snap-in.

Figure 1: Configuring DTC Security Settings

If large amounts of data are transferred from the One Identity Manager database to the One Identity Manager History Database, increase the timeout for remote queries on the database server that hosts the One Identity Manager database. The default setting is 600 seconds (10 minutes). If the timeout expires, the data transfer is aborted. Base the timeout for remote queries on the runtime interval of the data transfer schedule.

You can query the timeout with the following statement:

select * from sys.configurations where name like '%remote query timeout%'

To change the timeout for remote queries, use the following statement:

exec sp_configure 'remote query timeout (s)', <new value>

RECONFIGURE WITH OVERRIDE

where:

<new value> = new timeout value in seconds

Database Users under SQL Server

NOTE: Select "English" as default language.

Database user permissions can be divided into two user types:

  • End user

    End users who, for example, only work with the Web Portal need only be members of the database role "basegroup".

  • Administrative user

    Administrative users require the permissions listed below. A distinction is made between permissions required for installation and permissions required for normal operation.

To use the full functionality of the One Identity Manager History Database, the following permissions are required.

Table 1: Permissions for Database Users under SQL Server

| Permission | For Database | Required for Installation | Required to Operate | Required For |
|---|---|---|---|---|
| Server role "dbcreator"* | | x | - | Creating the database. |
| Server role "processadmin" | | - | x | Testing and closing connections. |
| Database role "db_owner" | One Identity Manager History Database | x | x | Creating the database; database operations. |
| Database role "basegroup"** | One Identity Manager History Database | - | x | Internal permission roles for database objects. |
| Permissions "Execute" | master | x | x | Starting the SQL Server Agent. |
| Database role "SQLAgentUserRole" | msdb | - | x | Running database schedules. |
| Database role "db_datareader" | msdb | - | x | Reading and changing database schedules. |
| Database role "SQLAgentOperatorRole" | msdb | x | x | Defining database schedules. |
| Permissions "Connect" | tempdb | x | x | Checking the single-user mode requirement during start-up. |

*) The permissions are only required if the database is created using the Configuration Wizard.

**) The database role "basegroup" is added during initial schema installation of the One Identity Manager History Database by default.

NOTE: If the user account of the database user is changed after migration, the new database user must then be entered as the owner of the database schedules. Otherwise, errors occur when the database schedules run.
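As an added example (not code from the One Identity Manager documentation), the following T-SQL grants one administrative login exactly the permissions from Table 1. The login name OneIMHistoryAdmin, the database name OneIMHistory and the password placeholder are assumptions; replace them with your own values.

```sql
-- Added example, not part of the One Identity Manager documentation.
-- Assumed names: login [OneIMHistoryAdmin], History Database [OneIMHistory].
USE [master];
GO
-- "English" as default language, as the NOTE above requires.
CREATE LOGIN [OneIMHistoryAdmin]
    WITH PASSWORD = N'<strong password>', DEFAULT_LANGUAGE = [us_english];
-- Installation only: needed when the Configuration Wizard creates the database.
ALTER SERVER ROLE [dbcreator] ADD MEMBER [OneIMHistoryAdmin];
-- Operation: testing and closing connections.
ALTER SERVER ROLE [processadmin] ADD MEMBER [OneIMHistoryAdmin];
-- master: "Execute" permission, used to start the SQL Server Agent.
CREATE USER [OneIMHistoryAdmin] FOR LOGIN [OneIMHistoryAdmin];
GRANT EXECUTE TO [OneIMHistoryAdmin];
GO
USE [msdb];
GO
CREATE USER [OneIMHistoryAdmin] FOR LOGIN [OneIMHistoryAdmin];
ALTER ROLE [SQLAgentUserRole]     ADD MEMBER [OneIMHistoryAdmin]; -- running schedules
ALTER ROLE [db_datareader]        ADD MEMBER [OneIMHistoryAdmin]; -- reading/changing schedules
ALTER ROLE [SQLAgentOperatorRole] ADD MEMBER [OneIMHistoryAdmin]; -- defining schedules
GO
USE [tempdb];
GO
-- tempdb: CONNECT. tempdb is rebuilt at every restart, so this is normally
-- covered by the enabled guest user; create the user only if guest is disabled.
CREATE USER [OneIMHistoryAdmin] FOR LOGIN [OneIMHistoryAdmin];
GRANT CONNECT TO [OneIMHistoryAdmin];
GO
USE [OneIMHistory];
GO
CREATE USER [OneIMHistoryAdmin] FOR LOGIN [OneIMHistoryAdmin] WITH DEFAULT_SCHEMA = [dbo];
ALTER ROLE [db_owner] ADD MEMBER [OneIMHistoryAdmin];
-- "basegroup" only exists after the initial schema installation (see footnote **),
-- so run this statement afterwards.
ALTER ROLE [basegroup] ADD MEMBER [OneIMHistoryAdmin];
GO
```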

Additional Permissions for Data Transfer

If the One Identity Manager History Database and the One Identity Manager database are on the same database server, the data transfer is carried out with the database user under which the One Identity Manager History Database runs. This database user requires the following additional access to the One Identity Manager database:

  • Database role "db_owner" for the One Identity Manager database

If the One Identity Manager History Database and the One Identity Manager database are on different database servers, a connection to the One Identity Manager database is made with the database user under which the One Identity Manager History Database runs. The following permissions are also required:

  • Server permissions "ALTER ANY LINKED SERVER"

    Creating and deleting a linked server. The linked server allows distributed queries to be executed.

  • Server permissions "ALTER ANY LOGIN"

    Creating and deleting login mappings on the local server and a login on the remote server.

  • Server roles "setupadmin" and "sysadmin"

    Establishing and deleting a connection between database servers.

The subsequent data transfer takes place with a database user that has access to the One Identity Manager database. The following permissions are required:

  • Database role "db_owner" for the One Identity Manager database
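As an added example (not code from the One Identity Manager documentation), the following T-SQL reports which of the permissions required for cross-server data transfer the History Database user actually holds, so the grants can be verified before the first transfer. The login name OneIMHistoryAdmin and the One Identity Manager database name OneIM are assumptions.

```sql
-- Added example, not part of the One Identity Manager documentation.
-- Assumed names: login OneIMHistoryAdmin, One Identity Manager database [OneIM].
DECLARE @login sysname = N'OneIMHistoryAdmin';

-- 1. Server permissions granted explicitly to the login.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = @login
  AND p.permission_name IN (N'ALTER ANY LINKED SERVER', N'ALTER ANY LOGIN');

-- 2. Fixed server role memberships. sysadmin implies every other server
--    permission, so keep this membership limited to the transfer account.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @login
  AND r.name IN (N'setupadmin', N'sysadmin');

-- 3. db_owner membership in the One Identity Manager database.
--    Matching on the SID works even if the database user name differs.
SELECT r.name AS database_role
FROM [OneIM].sys.database_role_members AS m
JOIN [OneIM].sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN [OneIM].sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@login)
  AND r.name = N'db_owner';

-- 4. Linked servers currently defined, to confirm the connection to the
--    remote One Identity Manager database server exists.
SELECT name, data_source, provider
FROM sys.servers
WHERE is_linked = 1;
```

Each result set should return at least one row; an empty result for 1, 2 or 3 identifies the missing grant.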

Tips for Using Integrated Windows Authentication

Integrated Windows authentication can be used without restriction for the One Identity Manager Service and for web applications. Integrated Windows authentication can also be used for FAT clients. Logging in with Windows groups is supported. To ensure full functionality, it is strongly recommended that you use an SQL Server login.

To implement Windows authentication:

  • Set up an SQL Server login for the user account on the database server.
  • Enter "dbo" as the default schema.
  • Assign the required permissions to the SQL Server login. For more information, see Table 1.

If you use integrated Windows authentication, the data transfer takes place with the One Identity Manager History Service user account.

  • Set up an SQL Server login for the user account on the database server. If the One Identity Manager History Database and the One Identity Manager database are on different servers, set up the SQL Server login on both database servers.
  • Assign the permissions required for data transfer to the SQL Server login. For more information, see Database Users under SQL Server.

If the One Identity Manager History Database, the One Identity Manager History Service, and the One Identity Manager database are on different servers, the following prerequisites must be fulfilled:

  • The One Identity Manager History Service user account requires a Service Principal Name (SPN) for authentication. It can be created with the following command line:

    SetSPN -A HTTP/<Full domain name> <Domain>\<user account>

  • The One Identity Manager History Service user account must be enabled for delegation and must use Kerberos for authentication.

    Set the option "Trust this user for delegation to any service (Kerberos only)" on the Delegation tab of the user account in Active Directory Users and Computers in the Microsoft Management Console.

  • The SQL Server service requires a Service Principal Name for authentication. You can check this with the following command line call:

    SetSPN -L <name of database>
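The SPN and delegation settings above only matter if the History Service's connections really negotiate Kerberos; a session that falls back to NTLM cannot be delegated on to the second server. As an added example (not from the One Identity Manager documentation), the following T-SQL, run on the History Database server by a login with VIEW SERVER STATE, shows the authentication scheme of that account's sessions. The account name DOMAIN\svc-oneim-history is an assumption.

```sql
-- Added example, not part of the One Identity Manager documentation.
-- Assumed service account: DOMAIN\svc-oneim-history. Requires VIEW SERVER STATE.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,    -- KERBEROS expected; NTLM means the SPN or delegation setup failed
       c.net_transport,  -- TCP for remote clients; Shared memory only on the server itself
       c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'DOMAIN\svc-oneim-history';

-- The same check for the session you are running this from,
-- useful when testing the History Service account interactively.
SELECT auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

If auth_scheme shows NTLM although SetSPN -L lists the SPN, the usual cause is a duplicate or mismatched SPN, or a client connecting by IP address rather than by host name.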

Tips for Using More than One Oracle Server

If the One Identity Manager database and the One Identity Manager History Database are on different servers, only matching versions and patch levels of the operating system and database system are supported.
