
Identity Manager 9.1 - Configuration Guide


Dynamic foreign key

Dynamic foreign keys are used if a reference can point to different tables. For example, the manager of a user account (<MMM>Account.ObjectKeyManager table) can be another user account (<MMM>Account table) or a group (<MMM>Group table).

Dynamic foreign keys reference the object key (XObjectKey) of the permitted tables. Permitted tables can be limited. All tables are permitted, if there are no restrictions. Restrictions are stored in the DialogValidDynamicRef table.

If you are defining custom dynamic foreign keys, at least one of the participating partners (dynamic foreign key column or referenced table) must be a custom object. It is not possible to extend predefined dynamic foreign keys by adding references to predefined tables.

To display a dynamic foreign key

  1. In the Designer, select the One Identity Manager schema category.

  2. Select the table and start the Schema Editor with the Show table definition task.

    Dynamic foreign keys are displayed under Dynamic table relations.

To define a dynamic foreign key

  1. In the Designer, select One Identity Manager Schema.

  2. Select the table and start the Schema Editor with the Show table definition task.

  3. Select the column and then the Column properties view.

  4. On the Miscellaneous tab, enter the following information.

    1. Enable the Dynamic foreign key option.

    2. If the dynamic key is part of a many-to-all table, enable the Part of key of many-to-all table option.

  5. On the Valid reference tables tab, click next to the Dynamic referenced tables menu and enter the following information:

    Table 29: Properties of dynamic foreign keys
    Property Description

    Table

    Select the table to find the object key in.

    Parent relation constraint

    Constraint on the relation. Permitted values are:

    • Delete: Dependencies are not taken into account on deletion.

    • Delete Cascade: All dependent objects are deleted when this object is deleted.

    • Delete Restrict: The object can only be deleted when no more references to other objects exist.

    • Delete Set NULL: When deleting the object, references to the object being deleted are removed from all dependent objects (SetNULL).

    Parent relation test instance

    Specifies who will run these referential integrity tests. Permitted values are:

    • DLL: Checks through the object layer.

    • Trigger: Triggers and constraints are implemented to monitor the database.

    Child relation constraint

    Constraint on the relation. Permitted values are:

    • Insert: Dependencies are not taken into account on insertion.

    • Insert Restrict: Checks for the referenced object when the object is added.

    Child relation test instance

    Specifies who will run these referential integrity tests. Permitted values are:

    • DLL: Checks through the object layer.

    • Trigger: Triggers and constraints are implemented to monitor the database.

    Only transport as group

    The column content is always transported together with the content of the referenced column.

    Parent object in Job queue

    Specifies whether the parent object is added to the list of objects affected by a process. This can prevent the parent object from being processed simultaneously more than once.

  6. Select the Database > Save to database menu item and click Save.


Supporting file groups

One Identity Manager supports file groups to group tables together to help with administration, data assignment, and data distribution. A distinction is made between logical disk stores and physical disk stores.

In the default installation, logical disk stores are predefined for the tables in each module of One Identity Manager and for the system tables. You cannot change these assignments. You can create your own logical disk stores for grouping custom tables.

To define logical storage for custom tables

  1. In the Designer, select the One Identity Manager Schema > Logical disk stores category.

  2. Select the Object > New menu item.

  3. Enter a name and description for the logical storage.

  4. Assign custom tables to the logical disk store.

  5. Select the View > Select table relations menu item and enable the DialogTable table. This shows the Tables tab for assigning tables.

You can link logical storage with physical storage - the file groups - in the One Identity Manager schema.

If, for example, tables with employee data and tables with Active Directory content are created on different data storage media, performance can be improved by parallel access through their own I/O controllers. Performance can also be improved if, for example, tables for processing DBQueue Processor tasks or tables for handling processes are grouped together in file groups.

NOTE: You cannot move the following tables into other file groups. If you do so, proper functioning of the One Identity Manager database cannot be guaranteed.

  • DialogColumn

  • DialogTable

  • DialogValidDynamicRef

  • QBMDBQueueTask

  • QBMDBQueueTaskDepend

  • QBMModuleDef

  • QBMModuleDepend

  • QBMRelation

  • QBMViewAddOn

  • QBMDiskStoreLogical

  • QBMDiskStorePhysical

One Identity Manager supports the distribution of tables to file groups with a variety of database procedures that you run in a suitable program for running SQL queries in the database.

WARNING: Only carry out the following steps for implementing file groups, together with an experienced database administrator.

Ensure that the database cannot be accessed while file groups are being set up, for example, by the Job server, application server, web server, user interfaces, or the Web Portal. After restarting the DBQueue Processor, wait for all DBQueue tasks to be processed before reconnecting the database.

IMPORTANT: To run the SQL queries, select a user that you use for migrating the database.

To distribute tables to file groups under SQL Server

  1. Create your file groups. For more information about this, see the documents for your currently installed version of SQL Server.

  2. Synchronize the file groups to the One Identity Manager database. Run the query below using a suitable program for carrying out SQL queries in the database.

    exec QBM_PDiskStorePhysicalSync

  3. In the Designer, assign physical storage to logical storage.

    1. In the Designer, select the One Identity Manager Schema > Logical disk stores category.

    2. Select the logical disk store and in the Properties view, select the file group under Physical disk store.

    3. Select the Database > Save to database menu item and click Save.

  4. Disable processing of DBQueue Processor tasks and process handling. Run the queries below using a suitable program for carrying out SQL queries in the database.

    exec QBM_PWatchDogPrepare 1

    exec QBM_PDBQueuePrepare 1

  5. Move the tables into the configured file groups. Run the query below using a suitable program for carrying out SQL queries in the database.

    exec QBM_PTableMove

  6. Reactivate the DBQueue Processor. Run the queries below using a suitable program for carrying out SQL queries in the database.

    exec QBM_PDBQueuePrepare 0,1

    exec QBM_PWatchDogPrepare
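
A read-only check for this procedure, added here as an example and not taken from the One Identity documentation: run it before step 5 and again after step 6, then compare the two result sets to confirm that custom tables landed in the intended file groups and that the tables named in the NOTE above did not change file group. It uses only SQL Server catalog views; the `must_not_move` column name is an assumption chosen for this example.

```sql
-- Added example (not One Identity code): report the file group that holds the
-- base data (heap or clustered index) of every user table, and flag the tables
-- that the NOTE in this section says must not be moved.
WITH protected_tables (name) AS (
    SELECT v.name
    FROM (VALUES
        ('DialogColumn'), ('DialogTable'), ('DialogValidDynamicRef'),
        ('QBMDBQueueTask'), ('QBMDBQueueTaskDepend'), ('QBMModuleDef'),
        ('QBMModuleDepend'), ('QBMRelation'), ('QBMViewAddOn'),
        ('QBMDiskStoreLogical'), ('QBMDiskStorePhysical')
    ) AS v (name)
)
SELECT  s.name  AS schema_name,
        t.name  AS table_name,
        fg.name AS file_group,
        CASE WHEN p.name IS NOT NULL THEN 1 ELSE 0 END AS must_not_move
FROM    sys.tables AS t
JOIN    sys.schemas AS s
        ON s.schema_id = t.schema_id
JOIN    sys.indexes AS i
        ON i.object_id = t.object_id
       AND i.index_id IN (0, 1)          -- 0 = heap, 1 = clustered index
JOIN    sys.filegroups AS fg
        ON fg.data_space_id = i.data_space_id
        -- Tables stored on a partition scheme have no single file group
        -- and are therefore not listed by this join.
LEFT JOIN protected_tables AS p
        ON p.name = t.name
ORDER BY must_not_move DESC, fg.name, t.name;
```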

Editing the user interface

Certain components of the One Identity Manager’s graphical user interface are stored in the One Identity Manager schema and can be tailored to suit customer requirements. Menu items in the navigation structure, interface forms, and task definitions can be configured in this way.

Menu items, interface forms, and task definitions are assigned to permissions groups. Which user interface components are effective for a user depends on the authentication module used for logging in to the One Identity Manager tools. When a user logs in to a One Identity Manager tool, a system user is found, the available menu items, interface forms, task definitions, and individual program functions are identified from the permissions groups to which this system user belongs, and the adapted user interface is loaded.

Data is displayed as objects in the user interface. User interface objects are meta-objects. They provide a selection of configurable elements that describes how the data stored in the database is perceived. These objects enable data to be distinguished by specific properties. They provide an additional control function for configuring the user interface. Hence, interface forms and tasks are linked to object definitions, which means that different forms and tasks are displayed in the user interface depending on which object is selected.

You can only modify the supplied user interface components to a certain extent, and they are overwritten by schema installation. You can integrate components of the default user interface into your own user-defined user interface. If necessary, you can disable individual components of the default user interface to stop them from being displayed. The system users provided are not affected by this limitation. Components labeled as disabled remain so after schema installation.

Captions are used in the user interface to create user friendly names for different components of the user interface such as menu items, tasks, and column names. You can maintain multi-language display text in One Identity Manager which enables you to display captions in different languages.

The default One Identity Manager installation is supplied in the English - United States [en-US] and German - Germany [de-DE] languages. You can add other languages to the user interface and display text if required. In this instance, you must translate the text before One Identity Manager goes live. There is a Language Editor in the Designer to help you do this. A special control is provided in the One Identity Manager tools that aids multi-language input.

A user interface is always set up for one application. The standard version of One Identity Manager includes the applications and predefined navigation for the Manager, Designer, and Launchpad tools.


Object definitions for the user interface

The data in the user interface is represented by objects. Objects in the user interface map the data stored in the database. These objects can be configured and enable data to be distinguished by specific properties.

User interface forms and task definitions are linked to object definitions and displayed depending on the selected object definition. Object definitions provide an additional control function for configuring the user interface.

You can assign several objects to each table in the One Identity Manager schema. In general, each database table should have at least one object definition that is generally valid, that is, without a limiting selection criterion. Other object definitions then cover the respective special cases within this general case.

TIP: To create object definitions for new tables, run the Missing DialogObject consistency check in the Designer and use the repair method. You must edit object definitions created like this afterward.

Table 30: Example relationship between tables and user interface object definitions

| Table | Object definition | Limitation according to object definition |
|---|---|---|
| ESet | System roles (ESet) | None |
| ESet | System roles for IT Shop (ESet_ITShop) | System roles that can be excluded from the IT Shop |
