Change management
Initially, all changes made to data in One Identity Manager are saved in the One Identity Manager database. You must ensure that log entries are regularly removed from the One Identity Manager database and archived in a One Identity Manager History Database. In this way, the One Identity Manager History Database provides an archive of change information. Statistical analyses carried out in the One Identity Manager History Database simplify the presentation of trends and flows. Historical data is evaluated using the TimeTrace function or using reports.
NOTE: Any number of One Identity Manager History Databases can be used for analyzing historical data in the TimeTrace and in reports. Not only are One Identity Manager History Databases in the current format supported, but older formats in read-only mode also.
Logged data may be subject to further regulations such as statutory retention periods. It is recommended to operate One Identity Manager History Databases that correspond to the report periods. After a specified reporting period has expired, you can set up a new One Identity Manager History Database.
Depending on the volume of the One Identity Manager database data and the frequency at which it is changed, it might be necessary to create further One Identity Manager History Databases at certain intervals (such as yearly, quarterly, or monthly). The proportion of historical data to total volume of a One Identity Manager database should not exceed 25 percent. Otherwise performance problems may arise.
Setting up a One Identity Manager History Database requires the following steps:
- Installing the One Identity Manager History Database
- Declaring a One Identity Manager History Database in the One Identity Manager database
- Archiving procedure setup
Installing a One Identity Manager History Database
Installation of a One Identity Manager History Database is similar to that of a One Identity Manager database. For more information about the system prerequisites and how to install a database, see the One Identity Manager Installation Guide.
Use the Configuration Wizard to set up the One Identity Manager History Database.
IMPORTANT: Always start the Configuration Wizard on an administrative workstation.
To install a database in the Configuration Wizard
- Start the Configuration Wizard.
- On the Configuration Wizard's home page, select the Create and install database option and click Next.
- To install a new database, enter the following database connection data on the Create administrative connection page.
  - Server: Database server.
  - (Optional) Windows Authentication: Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.
  - User: SQL Server Login name of the installation user.
  - Password: Password for the installation user.
  - OR -
  To use an existing empty database, on the Create administrative connection page, select the Use an existing, empty database for installation option and enter the database connection information.
  - Server: Database server.
  - (Optional) Windows Authentication: Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.
  - User: SQL Server Login name of the installation user.
  - Password: Password for the installation user.
  - Database: Name of the database.
  TIP: To configure additional connection settings, enable the Advanced option.
- If you are creating a new database, perform the following tasks on the Create database page.
  - In the Database properties view, enter the following information about the database.
    Table 1: Database properties
    Database name: Name of the database.
    Data directory: Directory in which the data file is created. You have the following options:
      - <default>: The database server’s default directory.
      - <browse>: Select a directory using the file browser.
      - <directory name>: Directory in which data files are already installed.
    Log directory: Directory in which the transaction log file is created. You have the following options:
      - <default>: The database server’s default directory.
      - <browse>: Select a directory using the file browser.
      - <directory name>: Directory in which transaction log files are already installed.
    Memory tables directory: Directory for the file group and database file for memory-optimized tables. You have the following options:
      - <default>: The database server’s default directory.
      - <browse>: Select a directory using the file browser.
      - <directory name>: Directory in which data files for memory-optimized tables are already installed.
    Initial size: Initial size of the database files. You have the following options:
      - <default>: Default entry for the database server.
      - <custom>: User-defined entry.
      - Different recommended sizes: Depending on the number of employees being administered.
  - In the Installation source view, select the directory with the installation files.
  - OR -
  If you are using an existing database, on the Create database page, Installation source view, select the directory containing the installation files.
- On the Select configuration modules page, select the Data archiving configuration module.
- The installation steps are shown on the Processing database page.
  Installation and configuration of the database are automatically carried out by the Configuration Wizard. This procedure may take some time depending on system performance. Once processing is complete, click Next.
  TIP: Set Advanced to obtain detailed information about processing steps and the migration log.
- On the last page of the Configuration Wizard, click Finish.
Additional configuration steps are required after the schema installation:
TIP: Alternatively, you can create the One Identity Manager History Database using the Quantum.MigratorCmd.exe command line program.
Calling example:
quantum.migratorcmd.exe
/connection="Data Source=<Database server>;Initial Catalog=<Database>;User ID=<Database user>;Password=<Password>"
--Install
/Module="HDB"
/System=MSSQL
/LogLevel=Info
/Destination=<source folder>
For more information about the Quantum.MigratorCmd.exe command line program, see the One Identity Manager Operational Guide.
Declaring a One Identity Manager History Database in the One Identity Manager database
The One Identity Manager Service ensures data transfer from the One Identity Manager database to the One Identity Manager History Database. Declare the One Identity Manager History Database that is used for data transfer in the TimeTrace. Use the Designer to set up access to the One Identity Manager History Database.
NOTE: Any number of One Identity Manager History Databases can be used for analyzing historical data in the TimeTrace and in reports. Not only are One Identity Manager History Databases in the current format supported, but older formats in read-only mode also.
NOTE: Only one One Identity Manager History Database can be used as a destination for data transfer at a time; all other databases are read-only.
There are different ways to establish a connection to a One Identity Manager History Database:
Connecting a One Identity Manager History Database through an application server
Declare the One Identity Manager History Database to be used for transferring data to the One Identity Manager in the TimeTrace. Use the Designer to set up access to the One Identity Manager History Database.
Prerequisites for connecting a One Identity Manager History Database through an application server
- Declaring the One Identity Manager History Database in the TimeTrace requires an ID.
- An ID for the One Identity Manager History Database connection is entered in the application server’s configuration file (web.config).
- Enter a unique ID for each One Identity Manager History Database.
- The ID must be entered in all application servers that users can use to log in to the Manager.
- The ID must be entered for the application server that the One Identity Manager Service uses to connect.
- The Manager and the Web Portal must log in through the application server. Otherwise, data changes cannot be evaluated in the TimeTrace or in reports.
- To generate and send report subscriptions and reports by email that show changes to data, a Job server that connects through an application server must be set up.
For more information about setting up a Job server and about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.
To link a One Identity Manager History Database into a TimeTrace
- Use the Designer to log in to the One Identity Manager database.
- In the Designer, select the Base Data > General > TimeTrace databases category.
- Select the Object > New menu item.
- Ensure that the Use ID from application server option is set.
- In History database name, enter the name of the One Identity Manager History Database.
- In the Connection parameter (read) field, enter the ID for connecting to the One Identity Manager History Database.
  The ID must match the ID in the application server’s configuration file.
- On the One Identity Manager History Database in which the data from the One Identity Manager database will be archived:
  - Enable the Current transport target option.
  - In the Connection parameter (transport) field, enter the connection parameters for connecting to the One Identity Manager History Database.
- Select the Database > Save to database menu item and click Save.
NOTE: Set the Disabled option to disable the connection at a later time. If a One Identity Manager History Database is disabled, it is not taken into account when determining change data in the TimeTrace.
To configure an ID in the application server for connecting to the One Identity Manager History Database
- During installation of the application server, enter the ID for connecting to the One Identity Manager History Database.
- To connect a One Identity Manager History Database at a later date, enter the ID for connection in the application server’s configuration file (web.config) in the <connectionStrings> section.
Example:
<connectionStrings>
...
<add name="<History Database ID>" connectionString="Data Source=<database server>;Initial Catalog=<database name>;User ID=<database user>;Password=<password>"/>
...
</connectionStrings>
NOTE: The connection credentials in the application server’s configuration file are encrypted with the default Microsoft ASP.NET encryption. If you want to change the connection credentials later, you must decrypt them first and then encrypt them again afterward. Use the ASP.NET IIS registration tool (Aspnet_regiis.exe) to decrypt and encrypt the section.
Example call:
Decrypt: aspnet_regiis.exe -pdf connectionStrings <path to web application in IIS>
Encrypt: aspnet_regiis.exe -pef connectionStrings <path to web application in IIS>
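The prerequisites above require the same History Database ID to be declared on every application server, and the note requires the connectionStrings section to be encrypted rather than left with clear-text database passwords. The following Python script is an added example, not part of the One Identity Manager documentation or product: it audits a set of web.config files offline, reports IDs missing on any server, flags connection strings that still carry a clear-text password, and recognizes a section already encrypted by aspnet_regiis.exe by its configProtectionProvider attribute or EncryptedData child. The server names, IDs, connection strings and cipher value are constructed samples.

```python
"""Audit the <connectionStrings> section of application-server web.config files.

Two checks the History Database setup depends on:
  1. every History Database ID declared in the Designer is present on every
     application server, and
  2. the section has been encrypted with aspnet_regiis.exe -pef, so no database
     password sits in the file in clear text.
"""
import xml.etree.ElementTree as ET

# Constructed sample: IDs entered under "Connection parameter (read)" in the Designer.
REQUIRED_IDS = {"HistoryDB_2023", "HistoryDB_2024"}

# Constructed sample web.config files, one per (hypothetical) application server.
PLAINTEXT_COMPLETE = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="HistoryDB_2023" connectionString="Data Source=sql01;Initial Catalog=OneIMHistory2023;User ID=hdbreader;Password=Example-Only"/>
    <add name="HistoryDB_2024" connectionString="Data Source=sql01;Initial Catalog=OneIMHistory2024;User ID=hdbreader;Password=Example-Only"/>
  </connectionStrings>
</configuration>"""

PLAINTEXT_INCOMPLETE = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="HistoryDB_2023" connectionString="Data Source=sql01;Initial Catalog=OneIMHistory2023;User ID=hdbreader;Password=Example-Only"/>
  </connectionStrings>
</configuration>"""

# Shape produced by aspnet_regiis.exe -pef: the provider is stamped on the section
# element and the <add> entries are replaced by an <EncryptedData> element.
ENCRYPTED = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE-constructed-placeholder</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

SAMPLE_SERVERS = {
    "appsrv01": PLAINTEXT_COMPLETE,
    "appsrv02": ENCRYPTED,
    "appsrv03": PLAINTEXT_INCOMPLETE,
}


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}EncryptedData' -> 'EncryptedData')."""
    return tag.rsplit("}", 1)[-1]


def _carries_password(connection_string):
    """True if the connection string has a Password/Pwd key, i.e. a secret in clear text."""
    for part in connection_string.split(";"):
        key = part.split("=", 1)[0].strip().lower()
        if key in ("password", "pwd"):
            return True
    return False


def audit_connection_strings(web_config_xml, required_ids):
    """Inspect one web.config; returns encrypted flag, present/missing IDs and problems."""
    result = {"encrypted": False, "present": None, "missing": None,
              "plaintext_passwords": [], "problems": []}
    section = ET.fromstring(web_config_xml).find("connectionStrings")
    if section is None:
        result["missing"] = set(required_ids)
        result["problems"].append("no <connectionStrings> section")
        return result
    result["encrypted"] = (section.get("configProtectionProvider") is not None
                           or any(_local_name(c.tag) == "EncryptedData" for c in section))
    if result["encrypted"]:
        # Contents are ciphertext; IDs can only be checked after decrypting on the server.
        return result
    present = {add.get("name") for add in section.findall("add") if add.get("name")}
    result["present"] = present
    result["missing"] = set(required_ids) - present
    for add in section.findall("add"):
        if _carries_password(add.get("connectionString", "")):
            result["plaintext_passwords"].append(add.get("name"))
    for missing_id in sorted(result["missing"]):
        result["problems"].append(f"connection ID {missing_id} not declared")
    if result["plaintext_passwords"]:
        names = ", ".join(result["plaintext_passwords"])
        result["problems"].append(
            f"clear-text password in connection string(s) {names}; "
            "encrypt the section with aspnet_regiis.exe -pef connectionStrings <path>")
    return result


def audit_servers(configs, required_ids):
    """Run the audit over several servers; returns a list of (server, problem) pairs."""
    issues = []
    for server, xml in configs.items():
        for problem in audit_connection_strings(xml, required_ids)["problems"]:
            issues.append((server, problem))
    return issues


if __name__ == "__main__":
    for server, problem in audit_servers(SAMPLE_SERVERS, REQUIRED_IDS):
        print(f"{server}: {problem}")
```

Run it against the plaintext files before encrypting them, or on the server after a temporary decryption with -pdf; a section that is already encrypted is reported as encrypted and its IDs are left unverified rather than guessed at.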