Basic rules for process monitoring
To use process monitoring in One Identity Manager.
-
In Designer, check whether the configuration parameter Common | ProcessState is enabled. If not, set the configuration parameter.
If the configuration parameter is set, you can configure process monitoring. In addition, the process view is enabled in Manager.
- You can control the extent of the logging using the configuration settings for each method.
The methods implemented by the One Identity Manager allows all modifications to the system that are triggered by a user action to be monitored. Each action in One Identity Manager is labeled with a unique ID number. This ID number is called a GenProcID. All changes that can be traced back to the same cause are given the same GenProcID and are grouped in this way. If a previously stored action does not pass a GenProcID to the current action, a new ID is automatically created.
If an action is triggered from the One Identity Manager’s object layer the GenProcID is written to the context data of the database connection. The logged in user is also noted in the context data and is made available in this way.
A new GenProcID is generated by the trigger if an action takes place directly in the database or through an application that works without the One Identity Manager object layer. This GenProcID is valid for the duration of the database connect, which means that all changes belong to the same action and link to the same GenProcID. The user data is made up of the database user’s name, the MAC address and the workstation name as well as the application name.
All actions (process triggers) that cause changes to the system, and their actual status information are logged internally in the status table DialogProcess. Logging takes place independent of the chosen change history method. This log writing therefore provides a starting point for monitoring and allows the changes based on one action to be grouped together.
The following information is recorded for one action:
- ID number (GenprocID)
- Display name for the action
- Base object that the action is triggered for
- User that triggered the action
- Time of action
- Object key for selecting the process trigger
- Comment on the action
- Current process status
|
|
Note: The information is displayed in Manager in the process view. For more detailed information, see the One Identity Manager Operational Guide. |
Detailed information about this topic
Logging data changes
|
|
Note: The information is displayed in Manager in the process view. For more detailed information, see the One Identity Manager Operational Guide. |
To log data changes
-
In Designer, check whether the configuration parameter Common | ProcessState is enabled. If not, set the configuration parameter.
-
In Designer, set the configuration parameter Common | ProcessState | PropertyLog.
When this configuration parameter is set, changes to individual values are logged and shown in the process view in Manager.
- (Optional) To log changes for the system part to properties that belong to an alternative key, enable in Designer the configuration parameter Common | ProcessState | PropertyLog |
AutoTrackAlternatePK. - (Optional) To log changes for the user data part to properties that belong to an alternative key, enable the configuration parameter Common | ProcessState | PropertyLog | AutoTrackAlternatePK | PayLoad in Designer.
- Label columns for which changes will be logged.
-
Label columns to be logged when an object is deleted.
TIP: If you set the configuration parameter Common | ProcessState | PropertyLog | AllDefaultPropertiesForModel in Designer, One Identity Manager schema columns are already labeled for logging changes and deletions. Define which columns are affected in the table QBMVDefaultHistoryColumns.
Add, change and delete operations can be recorded for objects. The trigger GenProcID is passed as well, so that the changes to one object can be grouped together. The data changes are stored in the tables DialogWatchOperation and DialogWatchProperty. An entry is also created in the status table DialogProcess for the triggering action.
The following information is collected for these operations:
- Adding an object
When a new object is added, the object key, object display name, date of insertion and user are logged.
- Changing an object
When a column is changed the old value, change date and user are logged. Depending on the configuration parameters Common | ProcessState | PropertyLog | AutoTrackAlternatePK and Common | ProcessState | PropertyLog | AutoTrackAlternatePK | PayLoad, changes to properties belonging to an alternative key are logged.
- Deleting an object
When an object is deleted, the columns to be logged an all primary key columns are logged. The value, deletion date and user are logged.
Related Topics
- Labeling columns for recording changes to data
- Basic rules for process monitoring
- Logging process information during process handling
Labeling columns for recording changes to data
|
|
TIP: If you set the configuration parameter Common | ProcessState | PropertyLog | AllDefaultPropertiesForModel in Designer, One Identity Manager schema columns are already labeled for logging changes and deletions. Define which columns are affected in the table QBMVDefaultHistoryColumns. |
To label a column for recording
- In Designer, select the One Identity Manager schema category.
- Select the table and start the Schema Editor with the task Show table definition.
- Select the column and then the Column properties view.
- Select the Miscellaneous tab and edit the following properties.
- Log changes: Set this option to log changes to data in the column.
-
Log changes when deleting: Set this option to record the column when the object is deleted.
Related Topics
Logging process information during process handling
|
|
Note: The information is displayed in Manager in the process view. For more detailed information, see the One Identity Manager Operational Guide. |
To log process information
-
In Designer, check whether the configuration parameter Common | ProcessState is enabled. If not, set the configuration parameter.
-
In Designer, check whether the configuration parameter Common | ProcessState | ProgressView is enabled. If not, set the configuration parameter. Select the scope of logging through the configuration parameter option.
Permitted values are:
- 1: Full process tracking Process information from all processes marked for process tracking is logged.
- 2: Web Portal tracking Only process information for process marked for process tracking the Web Portal is logged. (default)
-
Label the process and process steps for process tracking and define templates for event, process and process step process information.
You can set up templates for creating process information for processes, process steps and events with the Process Editor in the Designer. Use #LD notation for language-dependent definition of process information.
If the configuration parameter Common | ProcessState | ProgressView is enabled, the job generator creates entries in the status tables during process generation for processes, process steps and events with process information.
Right at the start, the Job Generator uses the GenProcID for the generating operation. If there is no GenProcID passed at runtime, a new one is automatically created. This ID is written to the global variable GenProcID for the current database connection object before the process is generated. It can therefore be used by all processes. All partial steps that are triggered by a generating operation are grouped together in this way and logged. Bulk operations such as synchronization and CSV import are an exception. In this case, a new GenProcID is created for each individual step in tracking the object changes and not for the process as a whole.
An entry is set up in the status table DialogProcessStep for each process step that is marked for tracking. For each process that has at least one such process step, an entry is made in the status table DialogProcessChain. For each generating operation that has caused an entry in the status table DialogProcessChain, an entry is written to the status table DialogProcess. At the same time, the Job Generator creates the display name for the process view by executing the given VB.Net expression for the process information.
The possible processing states and additional information available for the respective processing statuses are listed in the following tables.
| Process State | Description |
|---|---|
| Initial | <generated> ::= "G" |
| End of processing |
<finalstate> ::= <ended> | <failed> | <not executed> where: <ended> ::= "E" (processing successful) <failed> ::= "F" (processing unsuccessful) <not executed> ::= "N" (no longer accessible during processing) |
| In progress |
<workingstate> ::= <delayed> | <processing> [<ProcessStateAddON>] where: <delayed> ::= "D" (processing delayed) <Long delayed>::="L" (processing was put on hold) <processing> ::= "P" (in progress) <ProcessStateAddON> ( optional additional information) |
| Additional Information | Description |
|---|---|
| Processing deferred until |
<datetime> ::= <YYYY> - <MM> - <DD> <HH> : <NN> : <SS> where: <YYYY> ::= 1980..9999 <MM> ::= 01..12 <DD> ::= 01..31 <HH> ::= 00..23<NN> ::= 00..59 <SS> ::= 00..59 |
| Retries | <retryinfo> ::= 1..99 |