Identity Manager 8.1 - Installation Guide

About this Guide One Identity Manager overview Installation prerequisites Installing One Identity Manager Installing and configuring the One Identity Manager Service Automatic updating of One Identity Manager Updating One Identity Manager Installing and updating an application server Installing the API Server Installing, configuring and maintaining the Web Portal Installing and updating the Manager web application Logging in to One Identity Manager tools Error handling Appendix: Creating a One Identity Manager database for a test or development environment from a database backup Appendix: Extended configuration of the Manager web application Appendix: Machine roles and installation packages Appendix: Settings for a new SQL Server database

About this Guide

The One Identity Manager Installation Guide describes the installation and initial commissioning of One Identity Manager. It provides an overview of the architecture of One Identity Manager and the functions of the various One Identity Manager tools. It also provides information about the prerequisites you will need before installation of One Identity Manager, and how to set up, install, and update the components of One Identity Manager.

This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.

NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Available documentation

You can access the One Identity Manager documentation in Manager and in Designer by selecting Help | Search. The online version of the One Identity Manager documentation is available in the Support-Portal under Online-Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.

One Identity Manager overview

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. You allow the company control over identity management and access decisions whilst the IT team can focus on their core competence.

With this product, you can:

  • Implement group management using self service and attestation for Active Directory with the One Identity Manager Active Directory Edition
  • Simplify access decisions for restructuring data with the One Identity Manager Data Governance Edition
  • Realize Access Governance demands cross-platform within your entire company with One Identity Manager

Every one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

One Identity Hybrid Subscription

Extend the functional scope of One Identity Manager with a One Identity Hybrid Subscription, which offers a range of additional cloud functions and services. Use the universal Starling Two-Factor Authentication to protect administrative access, to force an additional authentication if you request or approve a critical access, or in order to activate the out-of-brand user verification for password requirements. For an additional charge, these offers can also be extended to further target systems and application scenarios. A single subscription can be used for all your One Identity products.

One Identity Manager editions

One Identity Manager is available in the following editions.

Table 1: One Identity Manager editions
Edition Description

One Identity Manager

The edition contains all management modules (IT Shop & workflow, delegation, management of system roles and business roles, role mining, risk assessment, attestation, compliance, company policies, report subscriptions), as well as Unified Namespace and connectors for Active Directory.

One Identity Manager Active Directory Edition

This edition contains all the functionality required for Active Directory support including connectors for Active Directory, attestation, IT Shop and workflows, and report functions.

One Identity Manager Data Governance Edition

This edition contains the features required for data governance support including the connectors for Active Directory and SharePoint, risk assessment, attestation, compliance, company policies, delegation, report subscriptions, and the Data Governance service.

One Identity Manager architecture

Figure 1: Overview of the One Identity Manager components

One Identity Manager consists of the following components:

Database

The database represents the One Identity Manager kernel. It fulfills the main tasks, which are managing data and calculating inheritance. Object properties can be inherited along the hierarchical structures, such as, departments, cost centers, location or business roles. In the case of data management, the database maps the managed target systems, ERP structures as well as the compliance rules and access permissions.

The database is separated into two logical parts, payload and metadata. The payload contains all the information required to maintaining data, such as information about employees, user accounts, groups, memberships and operating data, approval workflows, attestation, recertification and compliance rules.

The meta data contains the description of the application data model and scripts for formatting roles and templates or conditional interactions. One Identity Manager’s entire system configuration, all the front-end control settings and the queues for asynchronous processing of data and processes are also part of the metadata.

Recalculation of inheritance is started by the database trigger logic. For this purpose, the triggers place processing tasks in a task list known as the DBQueue. The DBQueue Processor processes these tasks and recalculates inheritance of the respective database objects. A table labeled "JobQueue" is used to store processing orders that are to be executed by the object layer.

SQL Server is used as the database system.

Server Service

One Identity Manager uses so called 'processes' for mapping business processes. A process consists of process steps, which represent processing tasks and are joined by predecessor/successor relations. This functionality allows flexibility when linking up actions and sequences on object events. Processes are modeled using process templates. A process generator (Jobgenerator) is responsible for converting script templates in processes and process steps into a concrete process in the ’Job queue’.

The One Identity Manager Service server service is used to process the information managed in the One Identity Manager database within the network. The One Identity Manager Service performs data synchronization between the database and any connected target systems and executes actions at the database and file level. The One Identity Manager Service retrieves process steps from the JobQueue. Process steps are executed by process components. The One Identity Manager Service also creates an instance of the required process component and transfers the process step parameters. Decision logic monitors the execution of the process steps and determines how processing should continue depending on the results of the executed process components. The One Identity Manager Service enables parallel processing of process steps because it can create several instances of process components.

The One Identity Manager Service is the only One Identity Manager component authorized to make changes in the target system.

Application server

Clients connect to an application server storing business logic. The application server provides a connection pool for accessing the database and ensures a secure connection to the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved.

Clients can alternatively work without external application servers, by keeping the object layer themselves and accessing the database layer directly. In this case, only the part of the object layer required for the acquisition process is mapped in the clients.

Web server

There is an application running on a web server based on a web page render engine for implemented browser-based user interfaces. Via a web browser, users can access the website that has been dynamically set up and customized for them. Data exchange between database and web server can take place directly or through the application server.

Front ends

There are different front-ends for different tasks. For example, a different front-end is used to configure One Identity Manager as that for managing employee data. The contents to be displayed and the extent to which these can be altered is determined in conjunction with the access rights of the relevant user through the object layer. Available front-end solutions are client and browser based.

Figure 2: Overview of One Identity Manager Components without Application Server

Related Topics
自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
联系我们
获得许可 帮助
技术支持
查看全部
相关文档