Identity Manager 8.1 - Data Archiving Administration Guide

Change management

Initially, all changes made to data in the One Identity Manager are saved in the One Identity Manager database. One Identity Manager historical data is transferred at regular intervals into a One Identity Manager History Database. Therefore, the One Identity Manager History Database provides an archive of change information. Statistical analyses are carried out in the One Identity Manager History Database that simplify how trends and flows are presented. Historical data is evaluated using the TimeTrace function or using reports.

Implementing a One Identity Manager History Database

When you implement the History Database, you should consider the effects it will have on performance. Depending on the amount of data in the One Identity Manager History Database, the data to be logged and how often changes are made, it might be necessary to create additional One Identity Manager History Databases at certain intervals (for example, yearly, quarterly or monthly).

The following steps are required for setting up a working environment for the One Identity Manager History Database:

  • Setting up an Administrative Workstation
  • Creating and migrating the One Identity Manager History Database
  • Installing and configuring the One Identity Manager Service for the One Identity Manager History Database
  • Declaring the Source Database
  • Archiving procedure setup

Entitlements for the One Identity Manager History Database

The following different users are available for using a One Identity Manager History Database.

Installation user

The installation user is needed to carry out the initial installation of a One Identity Manager History Database with the Configuration Wizard. An SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of securityadmin server role

    This server role is required to create the SQL Server logins.

  • view server state and alter any connection permissions, both with the option with grant option

    These permissions are required to check connections and close these if necessary.

  • alter any server role permission

    This permission is required to create the server role for the administrative user.

msdb database:

  • Select permission with the option with grant option on the tables dbo.sysjobs, dbo.sysjobschedules and dbo.sysjobactivity

    The permissions are required to execute and monitor database schedules.

  • alter any user permission

    This permission is required to create the necessary database users for the administrative user.

  • Permission alter any role

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permission

    This permission is required to create the necessary database users for the administrative user.

  • Permission alter any role

    This permission is required to create the necessary database role for the administrative user.

  • Execute permission with the option with grant option on the procedure xp_readerrorlog

    This permission is required to find out information about the database server's system status.

One Identity Manager History Database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database when installing the schema with the Configuration Wizard.
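As an added example (not taken from the One Identity guide), the following T-SQL provisions an installation user with exactly the permissions listed above. The login name OneIM_Install, the password placeholder and the database name OneIMHistory are assumptions; the closing EXECUTE AS block lets you confirm the effective server-level permissions before running the Configuration Wizard.

```sql
-- Constructed example: installation user for the History Database setup.
-- OneIM_Install, the password and OneIMHistory are placeholders.
USE master;
GO
CREATE LOGIN [OneIM_Install] WITH PASSWORD = N'<strong password>', CHECK_POLICY = ON;
GO
-- SQL Server level
ALTER SERVER ROLE [dbcreator] ADD MEMBER [OneIM_Install];        -- only if the wizard creates the database
ALTER SERVER ROLE [securityadmin] ADD MEMBER [OneIM_Install];    -- needed to create the SQL Server logins
GRANT VIEW SERVER STATE TO [OneIM_Install] WITH GRANT OPTION;    -- check connections
GRANT ALTER ANY CONNECTION TO [OneIM_Install] WITH GRANT OPTION; -- close connections if necessary
GRANT ALTER ANY SERVER ROLE TO [OneIM_Install];                  -- create OneIMAdminRole_<DatabaseName>
GO
-- msdb: run and monitor database schedules, create the administrative principals
USE msdb;
GO
CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
GRANT SELECT ON dbo.sysjobs TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON dbo.sysjobschedules TO [OneIM_Install] WITH GRANT OPTION;
GRANT SELECT ON dbo.sysjobactivity TO [OneIM_Install] WITH GRANT OPTION;
GRANT ALTER ANY USER TO [OneIM_Install];
GRANT ALTER ANY ROLE TO [OneIM_Install];
GO
-- master: create the administrative principals, read the server error log
USE master;
GO
CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
GRANT ALTER ANY USER TO [OneIM_Install];
GRANT ALTER ANY ROLE TO [OneIM_Install];
GRANT EXECUTE ON dbo.xp_readerrorlog TO [OneIM_Install] WITH GRANT OPTION;
GO
-- History Database: only when the wizard installs the schema into an existing database
USE [OneIMHistory];
GO
CREATE USER [OneIM_Install] FOR LOGIN [OneIM_Install];
ALTER ROLE [db_owner] ADD MEMBER [OneIM_Install];
GO
-- Check: list the effective server-level permissions as the new login
USE master;
GO
EXECUTE AS LOGIN = N'OneIM_Install';
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER') ORDER BY permission_name;
REVERT;
GO
```

The check should list VIEW SERVER STATE, ALTER ANY CONNECTION and ALTER ANY SERVER ROLE alongside the permissions implied by the dbcreator and securityadmin roles; anything extra is a sign the login was already over-privileged.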

Administrative user

The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

The following principal elements with the permissions are created for the administrative user during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permission

      This permission is required to create the server role for the configuration user.

    • view any definition permission

      The permission is required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state and alter any connection permissions, both with the option with grant option

      These permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role

    • Member of the SQLAgentUserRole database role

      The database role is required to execute database schedules.

    • Select permission for the dbo.sysjobs, dbo.sysjobschedules and dbo.sysjobactivity tables

      The permissions are required to execute and monitor database schedules.

  • OneIM_<DatabaseName> database user

    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Permission Execute for the procedure xp_readerrorlog

      This permission is required to find out information about the database server's system status.

  • OneIM_<DatabaseName> database user

    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager History Database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Configuration user

The configuration user can execute configuration tasks within the One Identity Manager, for example, working with the Designer. Configuration users need permissions at the server and database levels.

The following principal elements with the permissions are created for configuration users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • Permission view server state and permission alter any connection

      These permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager History Database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Execute, Create function permissions for the database

  • Config database user

    • Member of the OneIMConfigRoleDB database role

    • The database user is connected with the <DatabaseName>_Config SQL Server login.

End users

End users are only assigned permissions at database level in order, for example, to complete tasks with the HistoryDB Manager.

The following principal elements with the permissions are created for end users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager History Database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, Delete permissions for selected tables in the database

    • View Definition permission for the database

    • Execute and References permissions for individual functions, procedures and types

  • User database user

    • Member of the OneIMUserRoleDB database role

    • The database user is connected with the <DatabaseName>_User SQL Server login.

Tips for using integrated Windows authentication

Integrated Windows authentication can be used for the One Identity Manager Service and web applications without restriction. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality, it is strongly recommended that you use an SQL Server login.

To implement Windows authentication

  • Set up an SQL Server login for the user account on the database server.
  • Enter dbo as the default schema.
  • Assign the required permissions to the SQL Server login.

Advanced configuration for transferring data

The following scenarios exist for transferring data:

  • Scenario 1: The One Identity Manager History Database and One Identity Manager database are on the same database server.
  • Scenario 2: The One Identity Manager History Database and One Identity Manager database are on different database servers. The linked server is created by the One Identity Manager History Database's One Identity Manager Service.
  • Scenario 3: The One Identity Manager History Database and One Identity Manager database are on different database servers. There is a linked server available.

Scenario 1:

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, use Designer to create a database user in the One Identity Manager database for transferring data.

To set up the database user in the One Identity Manager database

  1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

  2. Click and enter the following information:

    Login name: SQL Server login name of the user used for process handling in the History Database (DialogDatabase.ConnectionString).

    Database user: Name of the database user.

  3. Select the Database and server roles tab and assign the role Database: Data archiving role.

  4. Save the changes.

The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

Scenario 2:

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, additional permissions are required for creating a linked server and for data transfer.

  • To create a linked server, the user for process handling in the History Database (DialogDatabase.ConnectionString) requires the following permissions at server level:

    • Permission alter any linked server

      This permission is required for creating and deleting a linked server. The linked server allows distributed queries to be executed.

    • Permission alter any login

      This permission is required for creating and deleting a login name assignment on the local server and a login name on the linked server.

  • Create an SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

    2. Click and enter the following information:

      Login name: SQL Server login for data transfer.

      Database user: Database user.

    3. Select the Database and server roles tab and assign the role Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

Scenario 3:

  • Create an SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

    2. Click and enter the following information:

      Login name: SQL Server login for data transfer.

      Database user: Database user.

    3. Select the Database and server roles tab and assign the role Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

  • Set up the linked server and reference the SQL Server login for data transfer.

    To provide a linked server, it is recommended to use the SQL procedures sp_addlinkedserver, sp_setNetname and sp_addlinkedsrvlogin.

  • Keep the linked server names ready. You need them when you declare the source database in the One Identity Manager History Database.

  • In the One Identity Manager History Database, enable the configuration parameter HDB | UseNamedLinkedServer.
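As an added example for scenario 3 (not from the One Identity guide), the following T-SQL sets up the linked server on the History Database server with the procedures named above and maps only the History Database's process-handling login to the transfer login, so no other local login can reach the source server through the link. The names OneIMSource, sql-oneim.example.local, OneIM (source database), OneIM_Transfer and HistoryDB_Service are assumptions.

```sql
-- Constructed example: linked server from the History Database server to the
-- server that hosts the One Identity Manager database (scenario 3).
-- OneIMSource, the host name, OneIM, OneIM_Transfer and HistoryDB_Service are placeholders.
USE master;
GO
-- Register the linked server under a logical name, then point it at the real instance.
-- The logical name is what you enter when declaring the source database (HDB | UseNamedLinkedServer).
EXEC sp_addlinkedserver @server = N'OneIMSource', @srvproduct = N'SQL Server';
EXEC sp_setnetname @server = N'OneIMSource', @netname = N'sql-oneim.example.local';
-- sp_addlinkedserver installs a default mapping in which every local login connects with
-- its own credentials; remove it so that only the explicit mapping below remains.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'OneIMSource', @locallogin = NULL;
-- Map only the login used for process handling in the History Database
-- (DialogDatabase.ConnectionString) to the SQL Server login created for data transfer.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'OneIMSource',
    @useself     = 'FALSE',
    @locallogin  = N'HistoryDB_Service',
    @rmtuser     = N'OneIM_Transfer',
    @rmtpassword = N'<strong password>';
GO
-- Check 1: the link answers (requires a login mapping, so connect as HistoryDB_Service).
EXEC sp_testlinkedserver N'OneIMSource';
-- Check 2: the transfer login's database user is a member of the OneIMHistoryRoleDB role
-- that the DBQueue Processor created in the source database.
SELECT m.name AS member_name
FROM OneIMSource.[OneIM].sys.database_role_members AS rm
JOIN OneIMSource.[OneIM].sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN OneIMSource.[OneIM].sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'OneIMHistoryRoleDB';
GO
```

Creating the linked server needs alter any linked server and the login mapping needs alter any login on the History Database server, the same permissions listed for scenario 2.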
