Chat now with support
Chat with Support

Identity Manager 8.1.2 - Data Archiving Administration Guide

Change management

Initially, all changes made to data in the One Identity Manager are saved in the One Identity Manager database. One Identity Manager historical data is transferred at regular intervals into a One Identity Manager History Database. Therefore, the One Identity Manager History Database provides an archive of change information. Statistical analyzes are carried out in the One Identity Manager History Database that simplify how trends and flows are presented. Historical data is evaluated using the TimeTrace function or using reports.

Implementing a One Identity Manager History Database

When you implement the History Database, you should consider the effects it will have on performance. It might be necessary to create more One Identity Managers at certain intervals (for example, yearly, quarterly or monthly) depending on the amount of data in the One Identity Manager History Database database, the data to be logged and how often changes are made.

The following steps are required for setting up a working environment for the One Identity Manager History Database:

  • Setting up an Administrative Workstation
  • Creating and migrating the One Identity Manager History Database
  • Installing and configuring the One Identity Manager Service for the One Identity Manager History Database
  • Declaring the Source Database
  • Archiving procedure setup
Detailed information about this topic

Permissions for the One Identity Manager History Database on a SQL Server

The following users are identified for using a One Identity Manager History Database on a SQL Server with the granular permissions concept. User permissions at server and database level are matched to their tasks.

NOTE: If you want to switch to granular permissions when you update from 8.1.x at a later date, contact support. To access the Support Portal, go to https://support.oneidentity.com/identity-manager/.

  • Installation user

    The installation user is needed for the initial installation of a One Identity Manager History Database using the Configuration Wizard.

    NOTE: If you want to change to the granular permissions concept when you upgrade from version 7.0.x, 7.1.x, or 8.0.x to 8.1.2, you will also require an installation user.

  • Administrative user

    The administrative user is used by One Identity Manager components that require permissions at server and database level, including for example the Configuration Wizard, DBQueue Processor, or the One Identity Manager Service.

  • Configuration user

    The configuration user can execute configuration tasks within One Identity Manager, for example, working with the Designer. Configuration users need permissions at the server and database levels.

  • End user

    End users are only assigned permissions at database level in order, for example, to complete tasks with the HistoryDB Manager.

Permissions for installation users

A SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of the sysadmin server role

    This server role is only required if the database is created by the Configuration Wizard and the directories for the file must be selected in the file browser. If the files are stored in the default database server directories, permissions are not necessary.

  • Member of securityadmin server role

    This server role is required to create SQL Server logins.

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

  • alter any server role permissions

    The permissions are required to create the server role for the administrative user.

msdb database:

  • Select permissions with the with grant option option for the dbo.sysjobs, dbo.sysjobschedules, dbo.sysjobactivity, and dbo.sysschedules tables

    The permissions are required to execute and monitor database schedules.

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Member of the SQLAgentUserRole database role

    This database role is required for managing database schedules during an update from version 7.0.x, 7.1.x, or 8.0.x to version 8.1.2.

master database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Execute permissions with the with grant option option for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

One Identity Manager History Database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database or a schema update is performed when installing the schema with the Configuration Wizard.

Permissions for administrative users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permissions

      The permissions are required to create the server role for the configuration user.

    • view any definition permissions

      The permissions are required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

      The permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role
    • Member of the SQLAgentUserRole database role

      The database role is required to execute database schedules.

    • Select permissions for the dbo.sysjobs, dbo.sysjobschedules, dbo.sysjobactivity, and dbo.sysschedules tables

      The permissions are required to execute and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Execute permissions for the xp_readerrorlog procedure

      The permissions are required to find out information about the database server's system status.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager History Database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Permissions for configuration users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • view server state and alter any connection permissions

      The permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager History Database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Execute, and Create function permissions for the database
  • Config database user

    • Member of the OneIMConfigRoleDB database role
    • The database user is connected with the <DatabaseName>_ConfigSQL Server login.
Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager History Database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, and Delete permissions for selected tables in the database
    • View Definition permissions for the database
    • Execute and References permissions for individual functions, procedures, and types
  • User database user

    • Member of the OneIMUserRoleDB database role
    • The database user is connected with the <DatabaseName>_User SQL Server login.
Tips for using integrated Windows authentication

Integrated Windows authentication can be used without restriction for the One Identity Manager Service and the web applications. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality it is strongly recommended you use SQL Server login.

To implement Windows authentication

  • Set up a SQL Server login for the user account on the database server.
  • Enter dbo as the default schema.
  • Assign the required permissions SQL server login.

One Identity Manager History Database permissions in a managed instance Azure SQL Database

The following users are identified for using a One Identity Manager History Database in a managed instance in the Azure SQL Database with the granular permissions concept. User permissions at server and database level are matched to their tasks.

  • Installation user

    The installation user is needed for the initial installation of a One Identity Manager History Database using the Configuration Wizard.

  • Administrative user

    The administrative user is used by One Identity Manager components that require permissions at server and database level, including for example the Configuration Wizard, DBQueue Processor, or the One Identity Manager Service.

  • Configuration user

    The configuration user can execute configuration tasks within One Identity Manager, for example, working with the Designer. Configuration users need permissions at the server and database levels.

  • End user

    End users are only assigned permissions at database level in order, for example, to complete tasks with the HistoryDB Manager.

Permissions for installation users

A SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of securityadmin server role

    This server role is required to create SQL Server logins.

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

  • alter any server role permissions

    The permissions are required to create the server role for the administrative user.

msdb database:

  • Select permissions with the with grant option option for the dbo.sysjobs, sysjobsteps, dbo.sysjobschedules, dbo.sysjobactivity, and dbo.sysschedules tables

    The permissions are required to execute and monitor database schedules.

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Execute permissions with the with grant option option for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

  • Execute permissions with the option with grant option for the xp_sqlagent_is_starting, xp_sqlagent_notify, and xp_sqlagent_enum_jobs procedures

    The permissions are required to execute and monitor database schedules.

One Identity Manager History Database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database or a schema update is performed when installing the schema with the Configuration Wizard.

Permissions for administrative users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permissions

      The permissions are required to create the server role for the configuration user.

    • view any definition permissions

      The permissions are required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

      The permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role
    • Member of the SQLAgentUserRole database role

      The database role is required to execute database schedules.

    • Select permissions for the dbo.sysjobs,sysjobsteps, dbo.sysjobschedules, dbo.sysjobactivity, and dbo.sysschedules tables

      The permissions are required to execute and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Execute permissions for the xp_readerrorlog procedure

      The permissions are required to find out information about the database server's system status.

    • Execute permissions for the xp_sqlagent_is_starting, xp_sqlagent_notify, and xp_sqlagent_enum_jobs procedures

      The permissions are required to execute and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager History Database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Permissions for configuration users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • view server state and alter any connection permissions

      The permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager History Database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Execute, and Create function permissions for the database
  • Config database user

    • Member of the OneIMConfigRoleDB database role
    • The database user is connected with the <DatabaseName>_ConfigSQL Server login.
Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager History Database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, and Delete permissions for selected tables in the database
    • View Definition permissions for the database
    • Execute and References permissions for individual functions, procedures, and types
  • User database user

    • Member of the OneIMUserRoleDB database role
    • The database user is connected with the <DatabaseName>_User SQL Server login.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents