立即与支持人员聊天
与支持团队交流

Identity Manager 8.2.1 - Data Archiving Administration Guide

Change management

Initially, all changes made to data in One Identity Manager are saved in the One Identity Manager database. One Identity Manager historical data is transferred at regular intervals into a One Identity Manager History Database. Therefore, the One Identity Manager History Database provides an archive of change information. Statistical analyzes are carried out in the One Identity Manager History Database that simplify how trends and flows are presented. Historical data is evaluated using the TimeTrace function or using reports.

The following steps are required for setting up a working environment for the One Identity Manager History Database:

  • Setting up an Administrative Workstation

  • Creating and migrating the One Identity Manager History Database

  • Installing and configuring the One Identity Manager Service for the One Identity Manager History Database

  • Declaring the source database

  • Archiving procedure setup

Detailed information about this topic

Implementing a One Identity Manager History Database

All entries logged in One Identity Manager are initially saved in the One Identity Manager database. You must ensure that log entries are regularly removed from the One Identity Manager database and archived in a One Identity Manager History Database.

Logged data may be subject to further regulations such as statutory retention periods. It is recommended to operate One Identity Manager History Databases that correspond to the report periods. After a specified reporting period has expired, you can set up a new One Identity Manager History Database.

Depending on the volume of the One Identity Manager database data and the frequency at which it is changed, it might be necessary to create further One Identity Manager History Databases at certain intervals (such as yearly, quarterly, or monthly). The proportion of historical data to total volume of a One Identity Manager database should not exceed 25 percent. Otherwise, performance problems may arise.

Detailed information about this topic

Permissions for the One Identity Manager History Database on a SQL Server

The following users are identified for using a One Identity Manager History Database on a SQL Server with the granular permissions concept. User permissions at server and database level are matched to their tasks.

NOTE: If you want to switch to granular permissions when you update from 8.1.x at a later date, contact support. To access the Support Portal, go to https://support.oneidentity.com/identity-manager/.

  • Installation user

    The installation user is needed for the initial installation of a One Identity Manager History Database using the Configuration Wizard.

    NOTE: If you want to change to the granular permissions concept when you upgrade from version 8.0.x to 8.2.1, you will also require an installation user.

  • Administrative user

    The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

  • Configuration user

    The configuration user can run configuration tasks within One Identity Manager, For example, working with the Designer. Configuration users need permissions at the server and database levels.

  • End users

    End users are only assigned permissions at database level in order, for example, to complete tasks with the HistoryDB Manager.

For more information about minimum access levels for One Identity Manager tools, see the One Identity Manager Authorization and Authentication Guide.

Permissions for installation users

A SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of the sysadmin server role

    This server role is only required if the database is created by the Configuration Wizard and the directories for the file must be selected in the file browser. If the files are stored in the default database server directories, permissions are not necessary.

  • Member of securityadmin server role

    This server role is required to create SQL Server logins.

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

  • alter any server role permissions

    The permissions are required to create the server role for the administrative user.

msdb database:

  • Select permissions with the with grant option option for the dbo.sysjobs, sysjobstepsdbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules, and dbo.sysjobhistory tables

    The permissions are required to run and monitor database schedules.

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Run permissions with the with grant option option for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

  • Member of the SQLAgentUserRole database role

    This database role is required for managing database schedules during an update from version 8.0.x to version 8.2.1.

One Identity Manager History Database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database or a schema update is performed when installing the schema with the Configuration Wizard.

Permissions for administrative users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permissions

      The permissions are required to create the server role for the configuration user.

    • view any definition permissions

      The permissions are required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

      The permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role
    • Member of the SQLAgentUserRole database role

      The database role is required to run database schedules.

    • Select permissions for the dbo.sysjobs, dbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules and dbo.sysjobhistory tables

      The permissions are required to run and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Run permissions for the xp_readerrorlog procedure

      The permissions are required to find out information about the database server's system status.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager History Database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Permissions for configuration users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • view server state and alter any connection permissions

      The permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager History Database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Run, and Create function permissions for the database

  • Config database user

    • Member of the OneIMConfigRoleDB database role

    • The database user is connected with the <DatabaseName>_Config SQL Server login.

Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager History Database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, and Delete permissions for selected tables in the database

    • View Definition permissions for the database

    • Run and References permissions for individual functions, procedures, and types

  • User database user

    • Member of the OneIMUserRoleDB database role

    • The database user is connected with the <DatabaseName>_User SQL Server login.

Tips for using integrated Windows authentication

Integrated Windows authentication can be used without restriction for the One Identity Manager Service and the web applications. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality it is strongly recommended you use SQL Server login.

To implement Windows authentication

  • Set up a SQL Server login for the user account on the database server.

  • Enter dbo as the default schema.

  • Assign the required permissions SQL server login.

One Identity Manager History Database permissions in a managed instance Azure SQL Database

The following users are identified for using a One Identity Manager History Database in a managed instance in the Azure SQL Database with the granular permissions concept. User permissions at server and database level are matched to their tasks.

  • Installation user

    The installation user is needed for the initial installation of a One Identity Manager History Database using the Configuration Wizard.

  • Administrative user

    The administrative user is used by components of One Identity Manager that require authorizations at server level and database level, for example, the Configuration Wizard, the DBQueue Processor, or the One Identity Manager Service.

  • Configuration user

    The configuration user can run configuration tasks within One Identity Manager, For example, working with the Designer. Configuration users need permissions at the server and database levels.

  • End users

    End users are only assigned permissions at database level in order, for example, to complete tasks with the HistoryDB Manager.

For more information about minimum access levels for One Identity Manager tools, see the One Identity Manager Authorization and Authentication Guide.

Permissions for installation users

A SQL Server login and a database user with the following permissions must be provided for the installation user.

SQL Server:

  • Member of dbcreator server role

    The server role is only required if the database is created using the Configuration Wizard.

  • Member of securityadmin server role

    This server role is required to create SQL Server logins.

  • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

    The permissions are required to check connections and close these if necessary.

  • alter any server role permissions

    The permissions are required to create the server role for the administrative user.

msdb database:

  • Select permissions with the with grant option option for the dbo.sysjobs, sysjobsteps, dbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules, and dbo.sysjobhistory tables

    The permissions are required to run and monitor database schedules.

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

master database:

  • alter any user permissions

    The permissions are required to create the necessary database users for the administrative user.

  • alter any role permissions

    This permission is required to create the necessary database role for the administrative user.

  • Run permissions with the with grant option option for the xp_readerrorlog procedure

    The permissions are required to find out information about the database server's system status.

  • Run permissions with the with grant option option for the xp_sqlagent_is_starting, xp_sqlagent_notify, and xp_sqlagent_enum_jobs procedures

    The permissions are required to run and monitor database schedules.

One Identity Manager History Database:

  • Member of the db_owner database role

    This database role is only required if you wish to use an existing database or a schema update is performed when installing the schema with the Configuration Wizard.

Permissions for administrative users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for the administrative user:

SQL Server:

  • OneIMAdminRole_<DatabaseName> server role

    • alter any server role permissions

      The permissions are required to create the server role for the configuration user.

    • view any definition permissions

      The permissions are required to link the SQL Server logins for the configuration user and the end user with the corresponding database users.

  • <DatabaseName>_Admin SQL server login

    • Member of the OneIMAdminRole_<DatabaseName> server role

    • view server state permissions with the with grant option option and alter any connection permissions with the with grant option option.

      The permissions are required to check connections and close these if necessary.

msdb database:

  • OneIMRole_<DatabaseName> database role
    • Member of the SQLAgentUserRole database role

      The database role is required to run database schedules.

    • Select permissions for the dbo.sysjobs,sysjobsteps, dbo.sysjobschedules, dbo.sysjobactivity, dbo.sysschedules and dbo.sysjobhistory tables

      The permissions are required to run and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

master database:

  • OneIMRole_<DatabaseName> database role

    • Run permissions for the xp_readerrorlog procedure

      The permissions are required to find out information about the database server's system status.

    • Run permissions for the xp_sqlagent_is_starting, xp_sqlagent_notify, and xp_sqlagent_enum_jobs procedures

      The permissions are required to run and monitor database schedules.

  • OneIM_<DatabaseName> database user
    • Member of the OneIMRole_<DatabaseName> database role

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

One Identity Manager History Database:

  • Admin database user

    • Member in db_owner database role

      The database role is required to update a database with the Configuration Wizard.

    • The database user is assigned to the <DatabaseName>_Admin SQL server login.

Permissions for configuration users

During the installation of a One Identity Manager History Database using the Configuration Wizard, the following principal elements and permissions are created for configuration users:

SQL Server:

  • OneIMConfigRole_<DatabaseName> server role

    • view server state and alter any connection permissions

      The permissions are required to check connections and close these if necessary.

  • <DatabaseName>_Config SQL login

    • Member of the OneIMConfigRole_<DatabaseName> server role

One Identity Manager History Database:

  • OneIMConfigRoleDB database role

    • Create Procedure, Delete, Select, Create table, Update, Checkpoint, Create View, Insert, Run, and Create function permissions for the database

  • Config database user

    • Member of the OneIMConfigRoleDB database role

    • The database user is connected with the <DatabaseName>_Config SQL Server login.

Permissions for end users

The following principals are created with the permissions for end users during the installation of the One Identity Manager History Database with the Configuration Wizard:

SQL Server:

  • <DatabaseName>_User SQL login

One Identity Manager History Database:

  • OneIMUserRoleDB database role

    • Insert, Update, Select, and Delete permissions for selected tables in the database

    • View Definition permissions for the database

    • Run and References permissions for individual functions, procedures, and types

  • User database user

    • Member of the OneIMUserRoleDB database role

    • The database user is connected with the <DatabaseName>_User SQL Server login.

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级