The One Identity Manager Installation Guide describes the installation and initial operation of One Identity Manager. It provides an overview of the architecture of One Identity Manager and the functions of the various One Identity Manager tools. It also provides information about the prerequisites you will need before installation of One Identity Manager, and how to set up, install, and update the components of One Identity Manager.
This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.
NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.
You can access One Identity Manager documentation in the Manager and in the Designer by selecting the Help | Search menu item. The online version of One Identity Manager documentation is available in the Support portal under Technical Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.
One Identity Manager simplifies the process of managing user identities, access permissions and security policies. You allow the company control over identity management and access decisions while the IT team focuses on their core competencies.
With this product, you can:
- Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
- Simplify access decisions for restructuring data with the One Identity Manager Data Governance Edition
- Realize Access Governance demands cross-platform within your entire company with One Identity Manager
Every one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.
Starling Cloud Join
Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling Cloud platform. Giving your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.
One Identity Manager is available in the following editions.
Table 1: One Identity Manager editions
One Identity Manager
This edition contains all management modules (IT Shop & workflow, delegation, management of system roles and business roles, role mining, risk assessment, attestation, compliance, company policies, report subscriptions), as well as Unified Namespace and connectors for Active Directory.
One Identity Manager Active Directory Edition
This edition contains all the functionality required for Active Directory support including connectors for Active Directory, attestation, IT Shop and workflows, and report functions.
One Identity Manager Data Governance Edition
This edition contains the features required for data governance support including the connectors for Active Directory and SharePoint, risk assessment, attestation, compliance, company policies, delegation, report subscriptions, and the Data Governance service.
Figure 1: Overview of One Identity Manager components
One Identity Manager consists of the following components:
The database represents the core of One Identity Manager. It fulfills the main tasks, which are managing data and calculating inheritance. Object properties can be inherited along the hierarchical structures, such as departments, cost centers, location, or business roles. For data management, the database maps managed target systems and ERP structures as well as compliance rules and access permissions.
The database is separated into two logical parts; payload and metadata. The payload contains all the information required to maintaining data, such as information about employees, user accounts, groups, memberships, operating data, approval workflows, attestation, recertification, and compliance rules.
The metadata contains the description of the application data model and scripts for formatting roles and templates or conditional interactions. One Identity Manager’s entire system configuration, all the front-end control settings, and the queues for asynchronous processing of data and processes are also part of the metadata.
Recalculation of inheritance is started by the database trigger logic. For this purpose, the triggers place processing tasks in a task list known as the DBQueue. The DBQueue Processor processes these tasks and recalculates inheritance of the respective database objects. A table labeled "JobQueue" is used to store processing orders that are to be executed by the object layer.
A SQL Server or a managed instance in Azure SQL Database is used as the database system.
One Identity Manager uses processes for mapping business processes. A process consists of process steps that represent processing tasks and are joined by predecessor/successor relations. This functionality allows flexibility when linking actions and sequences to object events. Processes are modeled using process templates. A process generator (Jobgenerator) is responsible for converting script templates in processes and process steps into a concrete process in the Job queue.
The One Identity Manager Service enables the distribution of the information administrated in the One Identity Manager database throughout the network. The One Identity Manager Service performs data synchronization between the database and any connected target systems and executes actions at the database and file levels. The One Identity Manager Service retrieves process steps from the Job queue. Process steps are executed by process components. The One Identity Manager Service also creates an instance of the required process component and transfers the process step parameters. Decision logic monitors the execution of the process steps and determines how processing should continue depending on the results of the executed process components. The One Identity Manager Service enables parallel processing of process steps because it can create several instances of process components.
The One Identity Manager Service is the only One Identity Manager component authorized to make changes in the target system.
Clients connect to an application server storing business logic. The application server provides a connection pool for accessing the database and ensures a secure connection to the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved.
Clients can alternatively work without external application servers by retaining the object layer themselves and accessing the database layer directly. In this case, only the part of the object layer that is required for the acquisition process is mapped in the clients.
To implement browser-based user interfaces, there is an application running on a web server that is based on a website render engine. Users use a web browser to access the website that has been dynamically set up and customized for them. Data exchange between database and web server can take place either directly or through the application server.
There are different front-ends for different tasks. For example, a different front-end is used to configure One Identity Manager than that for managing employee data. The contents to be displayed and the extent to which it can be altered is determined in conjunction with the access rights of the respective user through the object layer. Available front-end solutions are both client and browser-based.
Figure 2: Overview of One Identity Manager components without application servers