Chat now with support
Chat with Support

Identity Manager 9.3 - Configuration Guide

About this guide One Identity Manager software architecture Customizing the One Identity Manager default configuration Customizing the One Identity Manager base configuration One Identity Manager schema basics The full-text search in One Identity Manager Localization in One Identity Manager Process orchestration in One Identity Manager
Mapping processes in One Identity Manager Setting up Job servers
The One Identity Manager Service functionality Tracking changes with process monitoring Conditional compilation using preprocessor conditions Scripts in One Identity Manager
Visual Basic .NET scripts usage Notes on using date values Tips for using PowerShell scripts Using dollar ($) notation Using base objects Calling functions Pre-scripts for use in processes and process steps Using session services Using #LD-notation Displaying messages in the user interface Referencing packages and files in scripts Script library Support for processing scripts in the Script Editor Creating and editing scripts in the Script Editor Copying scripts in the Script Editor Testing scripts in the Script Editor Testing script compilation in the Script Editor Committing and compiling script changes Overriding scripts Permissions for running scripts Editing and testing script code with the System Debugger Extended debugging in the Object Browser
One Identity Manager query language Editing the user interface
Object definitions for the user interface User interface navigation Forms for the user interface Statistics in One Identity Manager Extending the Launchpad Task definitions for the user interface Applications for configuring the user interface Icons and images for configuring the user interface Using predefined database queries
Reports in One Identity Manager Adding custom tables or columns to the One Identity Manager schema Web service integration One Identity Manager as SCIM 2.0 service provider Processing DBQueue Processor tasks Structure of the Jobservice.cfg configuration file

Enter file with private key for the One Identity Manager Service

In the File with private key module, enter the information on files with a private key. Use this parameter if you work with several private keys, for example, if One Identity Manager Service data must be exchanged between two encrypted One Identity Manager databases.

If no key is entered here, the private key file from the File with private key (PrivateKey) parameter of the JobServiceDestination is used.

To enter a file with a private key

  1. Click New and enter the following information:

    • Property: Enter the ID of the private key. The ID is expected in the JobServiceDestination in the Private key identifier parameter (PrivateKeyId). The default key has the ID Default.

    • Value: Enter the path of the private key file. You can enter the absolute or relative path to the One Identity Manager Service.

Example: Configuration in the file jobservice.cfg.

configuration>

<category name="privatekeys">

<value name="Default">private.key</value>

<value name="Key2">key2.key</value>

<value name="OtherKey">C:\Path\To\Other.key</value>

</category>

</configuration>

Related topics

Tracking changes with process monitoring

With One Identity Manager, it is possible to create a change history for objects and their properties. This can be used to fulfill reporting duties for internal committees and legal obligations for providing documentary evidence. Different methods can be used to track changes within One Identity Manager. With this combination of methods, all changes that are made in the One Identity Manager system can be traced.

  • Recording data modifications

    Modifications to data can be recorded for add or delete operations on objects, and up to and including changes to individual object properties.

  • Recording process information

    Recording process information allows all processes and process steps to be tracked while being processed by One Identity Manager Service.

  • Recording messages in the process history

    In the process history, success, and error messages from handling each process step in the Job queues are recorded by the One Identity Manager Service.

All entries logged in One Identity Manager are initially saved in the One Identity Manager database. The proportion of historical data to total volume of a One Identity Manager database should not exceed 25 percent. Otherwise, performance problems may arise. You must ensure that log entries are regularly removed from the One Identity Manager database and archived. For more information about archiving data, see the One Identity Manager Data Archiving Administration Guide.

Detailed information about this topic

Basic rules for process monitoring

To use process monitoring in One Identity Manager.

  1. In the Designer, check if the Common | ProcessState configuration parameter is set. If not, set the configuration parameter.

    If the configuration parameter is set, you can configure process monitoring. In addition, the process view is enabled in the Manager.

  2. You can control the extent of the logging using the configuration settings for each method.

The methods implemented by One Identity Manager allow monitoring of all modifications to the system that are triggered by a user action. Every action in One Identity Manager is labeled with a unique ID number. This UID is called a GenProcID. All changes that can be traced back to the same cause are given the same GenProcID and are grouped in this way. If a previously stored action does not pass a GenProcID to the current action, a new ID is automatically created.

If an action is triggered from the One Identity Manager’s object layer, the GenProcID is written to the context data of the database connection. The logged in user is also noted in the context data and is made available in this way.

A new GenProcID is generated by the trigger if an action takes place directly in the database or through an application that works without the One Identity Manager object layer. This GenProcID is valid for the duration of the database connect, which means that all changes belong to the same action and link to the same GenProcID. The user data is made up of the database user’s name, the MAC address and the workstation name as well as the application name.

All actions (process triggers) that cause changes to the system, and their actual status information, are logged internally in the DialogProcess status table. Logging takes place independent of the chosen change history method. This log writing therefore provides a starting point for monitoring and allows the changes based on one action to be grouped together.

The following information is recorded for one action:

  • GenProcID

  • Display name for the action

  • Base object that the action is triggered for

  • User that triggered the action

  • Time of action

  • Object key for selecting the process trigger

  • Comment on the action

  • Current process status

NOTE: The information is displayed in the Manager in the process view. For more information, see the One Identity Manager Operational Guide.

Detailed information about this topic

Logging data changes

NOTE: The information is displayed in the Manager in the process view. For more information, see the One Identity Manager Operational Guide.

To log data changes

  • In the Designer, check whether the Common | ProcessState configuration parameter is set. If not, set the configuration parameter.

  • In the Designer, set the Common | ProcessState | PropertyLog configuration parameter and compile the database.

    When this configuration parameter is set, changes to individual values are logged and shown in the process view in the Manager.

    If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the Conditional compilation using preprocessor conditions.

  • (Optional) To log changes for the user data part to properties that belong to an alternative key, in the Designer, set the Common | ProcessState | PropertyLog | AutoTrackAlternatePK | PayLoad configuration parameter.

  • (Optional) To log changes for the user data part to properties that belong to an alternative key, in the Designer, set the Common | ProcessState | PropertyLog | AutoTrackAlternatePK | PayLoad configuration parameter.

  • Label columns for which changes will be logged.

  • Label columns to be logged when an object is deleted.

    TIP: If you set the Common | ProcessState | PropertyLog | AllDefaultPropertiesForModel configuration parameter in the Designer, One Identity Manager schema columns are already labeled for logging changes and deletions. Define which columns are affected in the QBMVDefaultHistoryColumns table.

Add, change, and delete operations can be recorded for objects. The GenProcID trigger is also passed down so that the changes to one object can be grouped together. The data changes are stored in the DialogWatchOperation and DialogWatchProperty tables. An entry is also created in the status DialogProcess table for the triggering action.

The following information is collected for these operations:

  • Adding an object

    If a new object is added, the object key, object display name, date of insertion, and user are logged.

  • Changing an object

    If a column is changed the old value, change date, and user are logged. Depending on the Common | ProcessState | PropertyLog | AutoTrackAlternatePK and Common | ProcessState | PropertyLog | AutoTrackAlternatePK | PayLoad configuration parameters, changes to properties belonging to an alternative key are logged.

  • Deleting an object

    If an object is deleted, the columns to be logged an all primary key columns are logged. The value, deletion date and user are logged.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating