Identity Manager 8.1 - Installation Guide

Minimum system requirements for the database server

A server must meet the following system requirements for installation of a One Identity Manager database. Depending on the number of One Identity Manager modules and the accounts managed in One Identity Manager, the requirements for working memory, hard disk storage, and processors may be significantly greater than the minimum requirements.

Table 5: Minimum System Requirements - Database Server

Processor: 8 physical cores 2.5 GHz+

NOTE: 16 physical cores are recommended for performance reasons.

Memory: 16 GB+ RAM

Hard drive storage: 100 GB

Operating system:

Windows operating systems

  • Note the requirements of Microsoft for the version of SQL Server you are using.

UNIX and Linux operating systems

  • Note the operating system manufacturer's minimum requirements for SQL Server databases.

Software:

The following versions are supported:

  • SQL Server 2017 Standard Edition (64-bit) with the current cumulative update

  • SQL Server 2016 Standard Edition (64-bit), Service Pack 2 with the current cumulative update

NOTE: For performance reasons, the use of SQL Server Enterprise Edition is recommended.

  • SQL Server Management Studio (recommended)

NOTE: In virtual environments, you must ensure that the VM host provides performance and resources to the database server according to system requirements. Ideally, resource assignments for the database server are fixed. Furthermore, optimal I/O performance must be provided, in particular for the database server. For more information about virtual environments, see Product Support Policies.

Database server settings and the One Identity Manager database

For installation and operation of a One Identity Manager database, the following database server and database settings are required:

Table 6: Database Server Settings

Property: Language
Value: English

Property: Server Collation
Value: Case insensitive
Comment: SQL_Latin1_General_CP1_CI_AS (recommended)

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Extreme transaction processing supported (is XTP supported)
Value: True
Comment: One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses. The database server must support extreme transaction processing (XTP). This function is activated by default in a standard installation.

The setting is tested by the Configuration Wizard before installing or updating the One Identity Manager database. If XTP is not activated, the installation or update is not started.

Property: SQL Server Agent
Value: Started
Comment: Start the SQL Server Agent in the SQL Server Service Management Portal. You can log in on an SQL Server Agent as a domain user with Windows authentication or with a local system account.

The setting is tested by the Configuration Wizard before installing or updating the One Identity Manager database. If the SQL Server Agent is not started, the installation or update is not started.

Table 7: Database Settings

Property: Collation
Value: SQL_Latin1_General_CP1_CI_AS
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Recovery model
Value: Simple
Comment: The setting is tested by the Configuration Wizard before installing the One Identity Manager database. If the recovery model is not set to the value Simple, the installation is not started.

Property: Compatibility level
Value: SQL Server 2016 (130)
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Auto Create Statistics
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Auto Update Statistics
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Auto Update Statistics Asynchronously
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Arithmetic Abort enabled
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Quoted Identifiers Enabled
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Broker Enabled
Value: True
Comment: The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Is Read Committed Snapshot On
Value: True
Comment: The default setting for transactions is AutoCommit. If transactions are required, they are opened explicitly.

These settings have proven to provide the best balance between data security and performance for One Identity Manager's massively parallel processing. Other transaction modes are not supported by One Identity Manager.

The setting is checked by the Configuration Wizard before installing or updating the One Identity Manager database and adjusted for the database if necessary.

Property: Database file and data file group for memory-optimized tables
Value: Required
Comment: One Identity Manager uses In-Memory-OLTP (Online Transactional Processing) for memory-optimized data accesses.

For the creation of memory-optimized tables, the following prerequisites must be met:

  • A database file with the file type Filestream data must exist.
  • A memory-optimized data filegroup must exist.

Before installation or update of the One Identity Manager database, the Configuration Wizard checks whether these requirements are fulfilled.

The Configuration Wizard offers repair methods to create the database file and the data file group. The database file is created by the repair method in the directory of the data file (*.mdf).

For more information about the named database server properties, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/view-or-change-server-properties-sql-server.

For detailed information about the database properties, see https://docs.microsoft.com/en-us/sql/relational-databases/databases/view-or-change-the-properties-of-a-database and https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-databases-transact-sql.
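
The settings in Tables 6 and 7 can be read back from the server properties and catalog views referenced above. The following T-SQL is an added example, not part of the vendor guide; the database name OneIM is a placeholder, and the expected values are those listed in the two tables.

```sql
-- Added example (not vendor code): read-only check of Tables 6 and 7.
-- ASSUMPTION: N'OneIM' is a placeholder database name.
DECLARE @db sysname = N'OneIM';

-- Table 6: server collation (expect a case-insensitive "_CI_" collation)
-- and XTP support (expect 1).
SELECT SERVERPROPERTY('Collation')      AS server_collation,
       SERVERPROPERTY('IsXTPSupported') AS is_xtp_supported;

-- Table 6: SQL Server Agent must be started (expect status_desc = 'Running').
-- Requires VIEW SERVER STATE.
SELECT servicename, status_desc, service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Agent%';

-- Table 7: one row per database setting, flagged when it differs.
SELECT v.setting, v.actual, v.expected,
       CASE WHEN v.actual = v.expected THEN 'OK' ELSE 'CHECK' END AS result
FROM sys.databases AS d
CROSS APPLY (VALUES
    (N'Collation',              d.collation_name COLLATE DATABASE_DEFAULT,           N'SQL_Latin1_General_CP1_CI_AS'),
    (N'Recovery model',         d.recovery_model_desc COLLATE DATABASE_DEFAULT,      N'SIMPLE'),
    (N'Compatibility level',    CONVERT(nvarchar(128), d.compatibility_level),       N'130'),
    (N'Auto Create Statistics', CONVERT(nvarchar(128), d.is_auto_create_stats_on),   N'1'),
    (N'Auto Update Statistics', CONVERT(nvarchar(128), d.is_auto_update_stats_on),   N'1'),
    (N'Auto Update Stats Async', CONVERT(nvarchar(128), d.is_auto_update_stats_async_on), N'1'),
    (N'Arithmetic Abort',       CONVERT(nvarchar(128), d.is_arithabort_on),          N'1'),
    (N'Quoted Identifiers',     CONVERT(nvarchar(128), d.is_quoted_identifier_on),   N'1'),
    (N'Broker Enabled',         CONVERT(nvarchar(128), d.is_broker_enabled),         N'1'),
    (N'Read Committed Snapshot', CONVERT(nvarchar(128), d.is_read_committed_snapshot_on), N'1')
) AS v(setting, actual, expected)
WHERE d.name = @db;

-- Table 7: memory-optimized data filegroup (type FX) and its container file.
-- No rows returned means the prerequisite is not met.
DECLARE @sql nvarchar(max) = N'
SELECT fg.name AS filegroup_name, fg.type_desc, df.physical_name
FROM ' + QUOTENAME(@db) + N'.sys.filegroups AS fg
LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_files AS df
       ON df.data_space_id = fg.data_space_id
WHERE fg.type = N''FX'';';
EXEC sys.sp_executesql @sql;
```

The script changes nothing on the server; the Configuration Wizard remains the component that adjusts or rejects settings as described in the tables.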

Permissions for the One Identity Manager database

The following different users are available for using a One Identity Manager database.

Installation user

The installation user is needed to carry out the initial installation of a One Identity Manager database with the Configuration Wizard. An SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of securityadmin server role

    This server role is required to create the SQL Server logins.

  • Permission view server state and permission alter any connection with the option with grant option

    These permissions are required to check connections and close these if necessary.

  • alter any server role permission

    This permission is required to create the server role for the administrative user.

msdb database:

  • Permission Select with the option with grant option for the tables dbo.sysjobs, dbo.sysjobschedules and dbo.sysjobactivity

    The permissions are required to execute and monitor database schedules.

  • alter any user permission

    This permission is required to create the necessary database users for the administrative user.

  • Permission alter any role

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permission

    This permission is required to create the necessary database users for the administrative user.

  • Permission alter any role

    This permission is required to create the necessary database role for the administrative user.

  • Permission Execute with the option with grant option for the procedure xp_readerrorlog

    This permission is required to find out information about the database server's system status.

One Identity Manager database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database when installing the schema with the Configuration Wizard.

Administrative user

The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

The following principals are created with these permissions for the administrative user during the installation of the One Identity Manager database with the Configuration Wizard:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permission

      This permission is required to create the server role for the configuration user.

    • view any definition permission

      The permission is required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • Permission view server state and permission alter any connection with the option with grant option

      These permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role
    • Member of the SQLAgentUserRole database role

      The database role is required to execute database schedules.

    • Select permission for the dbo.sysjobs, dbo.sysjobschedules and dbo.sysjobactivity tables

      The permissions are required to execute and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Permission Execute for the procedure xp_readerrorlog

      This permission is required to find out information about the database server's system status.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager database:

  • Admin database user

    • Member of the db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Configuration user

The configuration user can execute configuration tasks within One Identity Manager, for example, create custom schema extensions or work with the Designer. Configuration users need permissions at the server and database levels.

The following principals are created with these permissions for configuration users during the installation of the One Identity Manager database with the Configuration Wizard:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • Permission view server state and permission alter any connection

      These permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Execute, Create function permissions for the database
  • Config database user

    • Member of the OneIMConfigRoleDB database role
    • The database user is connected with the <DatabaseName>_Config SQL Server login.

End users

End users are only assigned permissions at database level in order, for example, to complete tasks with the Manager or the Web Portal.

The following principals are created with these permissions for end users during the installation of the One Identity Manager database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, Delete permissions for selected tables in the database
    • View Definition permission for the database
    • Permissions Execute and References for individual functions, procedures and types
  • User database user

    • Member of the OneIMUserRoleDB database role
    • The database user is connected with the <DatabaseName>_User SQL Server login.
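
The separation between administrative user, configuration user and end users described above can be confirmed after installation by reading the server-level principals back. The following T-SQL is an added example, not part of the vendor guide; OneIM is a placeholder for <DatabaseName>, and the expectations in the comments restate the lists above.

```sql
-- Added example (not vendor code): read-only audit of server-level principals.
-- ASSUMPTION: N'OneIM' is a placeholder for <DatabaseName>.
-- Run with a login that is allowed to see these principals.
DECLARE @db sysname = N'OneIM';

-- Server role memberships of the three logins created by the Configuration Wizard.
-- Per the guide: _Admin  -> OneIMAdminRole_<DatabaseName>
--                _Config -> OneIMConfigRole_<DatabaseName>
--                _User   -> no server role (server_role is NULL)
SELECT l.name AS login_name, l.type_desc, l.is_disabled, r.name AS server_role
FROM sys.server_principals AS l
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
WHERE l.name IN (@db + N'_Admin', @db + N'_Config', @db + N'_User')
ORDER BY l.name, r.name;

-- Server-level permissions held by those logins or by the two OneIM server roles.
-- Per the guide: _Admin login     -> VIEW SERVER STATE, ALTER ANY CONNECTION
--                                    (state_desc = GRANT_WITH_GRANT_OPTION)
--                OneIMAdminRole_  -> ALTER ANY SERVER ROLE, VIEW ANY DEFINITION
--                OneIMConfigRole_ -> VIEW SERVER STATE, ALTER ANY CONNECTION
-- Every login also shows CONNECT SQL.
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name IN (@db + N'_Admin', @db + N'_Config', @db + N'_User',
                 N'OneIMAdminRole_' + @db, N'OneIMConfigRole_' + @db)
ORDER BY p.name, sp.permission_name;

-- Every member of the two OneIM server roles; members other than the
-- logins named above warrant review.
SELECT r.name AS server_role, mp.name AS member, mp.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r  ON r.principal_id  = m.role_principal_id
JOIN sys.server_principals AS mp ON mp.principal_id = m.member_principal_id
WHERE r.name IN (N'OneIMAdminRole_' + @db, N'OneIMConfigRole_' + @db)
ORDER BY r.name, mp.name;
```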

Tips for using integrated Windows authentication

Integrated Windows authentication can be used without restriction for the One Identity Manager Service and the web applications. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality, it is strongly recommended that you use an SQL Server login.

To implement Windows authentication

  • Set up an SQL Server login for the user account on the database server.
  • Enter dbo as the default schema.
  • Assign the required permissions to the SQL Server login.

Minimum system requirements for administrative workstations

One Identity Manager administration and configuration tools are installed on an administrative workstation in order to edit and display data.

The following system prerequisites must be guaranteed for installing tools on an administrative workstation.

Table 8: Minimum System Requirements - Administrative Workstations

Processor: 4 physical cores 2 GHz+

Memory: 4 GB+ RAM

Hard drive storage: 1 GB

Operating system:

Windows operating systems

The following versions are supported:

  • Windows 10 (32-bit or 64-bit) minimum version 1511
  • Windows 8.1 (32-bit or 64-bit) with the current service pack
  • Windows 7 (32-bit or non-Itanium 64-bit) with the current service pack

Additional software:

  • Microsoft .NET Framework Version 4.7.2 or later

Supported browsers:

  • Internet Explorer 11 or later
  • Firefox (Release Channel)
  • Chrome (Release Channel)
  • Microsoft Edge (Release Channel)