Identity Manager 8.1 - Configuration Guide

Using table scripts

Table scripts let you define actions that run before or after an object is saved, loaded, or discarded. By running a table script before an object is saved, you can make substantial changes or value checks that cannot easily be done with formatting rules or templates. After the object is saved, table scripts can, for example, change other objects or generate tasks and processes. The side effects and tasks defined in the Customizer are applied after the table scripts.

You can customize predefined default table scripts and create your own additional table scripts. Table scripts are stored in VB.Net syntax, which allows the use of all VB.Net script functions.

To add table scripts

  1. In Designer, select One Identity Manager schema.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. In the Table properties view, select the Table scripts tab and create the required scripts.

    Table 23: Table scripts

    Script                  Description
    Script (OnDiscarded)    The script is run after the object is discarded.
    Script (OnDiscarding)   The script is run before the object is discarded.
    Script (OnLoaded)       The script is run after the object is loaded.
    Script (OnSaved)        The script is run after the object is saved.
    Script (OnSaving)       The script is run before the object is saved.

IMPORTANT: Compile the database to bring the table scripts into effect.

Editing table relations

As you can see from the One Identity Manager data model, parent/child relations exist between objects. When an object is processed by a One Identity Manager DLL, all foreign key (FK) objects that are related to this object can be accessed. Use VB.Net notation to access objects through relations.

Figure 10: Parent/Child Relation using the Example of an Employee ADSAccount

NOTE: You can always edit table relations of custom tables. Table relations supplied with the default tables can only be edited if the referential integrity has been tested using the DLL.

To edit table relations

  1. In Designer, select One Identity Manager schema.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the table relation and edit the following properties in the Relation properties view.

Table 24: Table Relation Properties

Property
    Description

Display name
    Language-dependent relation for displaying in the administration tool’s user interface.

Only transport as group
    Specifies if the contents of the table should be transferred together with the contents of the referenced table during data transports. You can combine the values.

    Permitted values are:

      • No value: Dependencies are not taken into account.
      • CR direction: All objects that refer to this object are also exported. Superset handling is carried out.
      • FK direction: All objects referenced by a foreign key are also exported. Superset handling is carried out.
      • Ignore in superset handling: Referenced objects that are in the target system but not included in the transport package are not deleted.

    Example:

    When a process is transported (JobChain table), the process steps (Job table), events (JobChain table) and the process step parameters (JobRunParameter table) should also be transported. This should happen whether the process, a single process step or a process step parameter is transferred to a transport package. The table relations are labeled with the values CR direction and FK direction.

    The parameter templates (JobParameter table) that are used in the process step parameters (JobRunParameter table) must not be transferred during the transport. The table relations are not labeled with a value.

Update dependencies modification date
    When many-to-many entries are added, changed or deleted, the value in the XDateSubItem column in one of the parent entries is updated. Required for provisioning memberships in the target system.

Export for SPML schema
    This option determines whether the table relation should be exported for the SPML schema.

Parent column
    Unique parent column identifier.

Configurable parent relation
    Specifies whether referential integrity can be configured.

Parent relation test instance
    Specifies how referential integrity is tested: through DLL, Trigger or Nothing.

    Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension.

Parent relation constraint
    Constraint on the relation, for example, IR - Insert Restrict.

Generated restriction test for parent relation
    Abbreviation for triggers and constraints generated automatically by the DBQueue Processor.

Connected column
    Unique connected column identifier.

Configurable child relation
    Specifies whether referential integrity can be configured.

Child relation test instance
    Specifies how referential integrity is tested: through DLL, Trigger or Nothing.

    Triggers and constraints are implemented to monitor the database. The triggers and constraints are created automatically and modified as necessary, taking the preset restrictions of the DBQueue Processor into account. In the case of customized tables, specify the test instance and the limitations of the One Identity Manager schema extension.

Child relation constraint
    Relation restriction, for example, IR - Insert Restrict.

Generated restriction test for child relation
    Abbreviation for triggers and constraints generated automatically by the DBQueue Processor.

Relation ID
    Relation identifier. This is used for both directions.

M:N relation
    Can the relation be reached using a many-to-many relation?

Table relation
    Unique identifier for table relation.

Relation (base)
    Link to the underlying base relation, assuming a view is part of the relation.

Relation (M:N)
    Unique identifier for the M:N relation.

Table 25: Permitted Restrictions for Testing Referential Integrity

Restriction                Description
DeleteNotRestricted (D)    Dependencies are not taken into account on deletion.
DeleteRestrict (DR)        The object can only be deleted when no more references to other objects exist.
DeleteCascade (DC)         All dependent objects are deleted when this object is deleted.
DeleteSetNULL (DS)         When deleting the object, references to the object being deleted are removed from all dependent objects (SetNULL).
InsertNotRestricted (I)    Dependencies are not taken into account on insertion.
InsertRestrict (IR)        Checks for the referenced object when the object is added.
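
The "Only transport as group" example above (JobChain, Job, JobRunParameter, JobParameter) can be worked through as a small closure computation. This is an added illustration, not code from the guide or from One Identity Manager: the relation model, the object IDs and the function name transport_group are assumptions, and events and superset handling are left out.

```python
from collections import deque

# Simplified model (an assumption, not product code): each relation is
# (child_table, parent_table, flags). The child holds the foreign key and
# flags is the set of "Only transport as group" values on that relation.
RELATIONS = [
    ("Job", "JobChain", {"CR", "FK"}),
    ("JobRunParameter", "Job", {"CR", "FK"}),
    ("JobRunParameter", "JobParameter", set()),  # unlabeled: templates stay out
]

# Constructed sample objects: (table, id) -> {parent_table: parent_id}
OBJECTS = {
    ("JobChain", "chain1"): {},
    ("Job", "step1"): {"JobChain": "chain1"},
    ("Job", "step2"): {"JobChain": "chain1"},
    ("JobRunParameter", "p1"): {"Job": "step1", "JobParameter": "tmpl1"},
    ("JobRunParameter", "p2"): {"Job": "step2", "JobParameter": "tmpl1"},
    ("JobParameter", "tmpl1"): {},
}


def transport_group(start, objects=OBJECTS, relations=RELATIONS):
    """Return every object pulled into the package when `start` is selected."""
    package, queue = {start}, deque([start])
    while queue:
        table, obj_id = queue.popleft()
        related = []
        for child, parent, flags in relations:
            # FK direction: export the object this one references.
            if "FK" in flags and table == child:
                ref = objects.get((table, obj_id), {}).get(parent)
                if ref is not None:
                    related.append((parent, ref))
            # CR direction: export the objects that refer to this one.
            if "CR" in flags and table == parent:
                related += [key for key, fks in objects.items()
                            if key[0] == child and fks.get(parent) == obj_id]
        for key in related:
            if key in objects and key not in package:
                package.add(key)
                queue.append(key)
    return package


if __name__ == "__main__":
    for table, obj_id in sorted(transport_group(("JobRunParameter", "p1"))):
        print(table, obj_id)
```

Selecting a single process step parameter pulls in the whole process, while the parameter template stays out because its relation carries no value.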
Working with a Globally Unique Identifier module

To transport, for example, predefined reports, processes, workflows or mail definitions with a complete system configuration transport, the objects require a primary key with a module GUID. These objects are identified as part of the system configuration through the module GUID.

Syntax

The table primary key has the format CCC-[0-9,a-f](32).

NOTE: Entries with a module GUID are transferred automatically to the transport package when a transport of the entire system configuration is created.

You can use the following table definition settings for generating a module GUID:

  • If the options Module GUID permitted and Module GUID required are enabled, the objects must have a module GUID. Objects in tables labeled this way are given the module prefix CCC.
  • If only Module GUID permitted is enabled, the objects can get a module GUID in the required format. By default, the objects obtain a default GUID in the format [0-9,a-f](8-4-4-4-12). Create the objects with the prefix CCC if they should obtain a module GUID. You can do this using the Object Browser.

Example
  • The DialogGroup table has the options Module GUID required and Module GUID permitted enabled. When creating a new permissions group, the primary key is automatically generated in the format of a module GUID.
  • For the AERole table only the option Module GUID permitted is set. To ensure that your own application roles are added to the transport package, create the application roles in the Object Browser with a module GUID.

NOTE:

  • In the default case, the table's primary key is created with a default GUID. To subsequently change a default GUID to a module GUID, you use the Object Browser.
  • GUIDs in tables that are labeled with IsNoReload = 1 in the QBM_VHeavyLoadTables view cannot be changed.
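
Before building a full system configuration transport, it helps to check which primary keys actually follow the two formats and table options described above. The following audit is an added example, not part of the guide or the product: the function names, the input shape (table name and key pairs exported by some other means) and all key values are assumptions, and treating a CCC key in a table without Module GUID permitted as a finding is an inference from the option's name.

```python
import re

# Formats as stated on this page; accepting upper-case hex is an assumption.
MODULE_GUID = re.compile(r"CCC-[0-9a-fA-F]{32}")
DEFAULT_GUID = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")


def classify_key(key):
    """Return 'module', 'default' or 'invalid' for a primary key string."""
    if MODULE_GUID.fullmatch(key):
        return "module"
    if DEFAULT_GUID.fullmatch(key):
        return "default"
    return "invalid"


def audit(rows, table_options):
    """rows: (table, key) pairs; table_options: table -> (permitted, required).

    Returns (table, key, finding) for every key that needs attention.
    """
    findings = []
    for table, key in rows:
        permitted, required = table_options.get(table, (False, False))
        kind = classify_key(key)
        if kind == "invalid":
            findings.append((table, key, "malformed key"))
        elif kind == "default" and permitted and required:
            findings.append((table, key, "module GUID required"))
        elif kind == "default" and permitted:
            findings.append((table, key, "not added to full transport"))
        elif kind == "module" and not permitted:
            findings.append((table, key, "module GUID not permitted"))
    return findings


# Constructed sample data: the option flags mirror the DialogGroup and AERole
# examples on this page; the Person entry and all key values are made up.
TABLE_OPTIONS = {"DialogGroup": (True, True), "AERole": (True, False)}
SAMPLE_ROWS = [
    ("DialogGroup", "CCC-0123456789abcdef0123456789abcdef"),
    ("DialogGroup", "6f1c2a34-9b7e-4d10-8c55-0a1b2c3d4e5f"),
    ("AERole", "CCC-FEDCBA9876543210FEDCBA9876543210"),
    ("AERole", "0b5d8e21-4c3a-4f6e-9a77-1122334455aa"),
    ("AERole", "CCC-1234"),
    ("Person", "CCC-" + "a" * 32),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, TABLE_OPTIONS):
        print(*finding, sep=" | ")
```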

IMPORTANT: Do not execute the following steps for production databases. Only perform these steps within the maintenance window. Otherwise, this could lead to inconsistent data.

To change a default GUID to a module GUID

  1. In Object Browser select the object for which you want to change the default GUID.
  2. Display the Properties context menu.
  3. On the Methods tab select the SwitchToModuleGuid() method and click Execute.

To change a module GUID to a default GUID

  1. In Object Browser select the object for which you want to change the module GUID.
  2. Display the Properties context menu.
  3. On the Methods tab select the SwitchToNormalGuid() method and click Execute.

Templates for generating values

Value templates are implemented in One Identity Manager for generating user data or for transforming values. You can use these templates to fill object properties with default values or to form property values from other properties. Value templates can take effect within an object as well as between objects. Value templates without dependencies take effect when the value is queried in the column and the column does not have a value assigned. Value templates that refer to other columns are affected when these columns change.

Value templates take effect without regard to the current rights situation. No explicit rights need to be assigned to the dependent columns. When value templates are applied, the accessed columns of an object are also filled if they are not visible on the current form in the Manager program.

Column dependencies due to value templates are mapped in the table DialogNotification. The connected properties are shown in the table as sender-subscriber pairs. The column that caused the change is the sender and the column that is changed because of it is the subscriber. The object links are consolidated by the column relations. The entries are created when the value templates are compiled and updated.

NOTE: You can get an overview of existing columns with value templates in One Identity Manager Schema | Templates in Designer. Column dependencies due to value templates are mapped in the schema overview in the Schema Editor.
