Many customers ask what the minimum required database permissions are for running the initial install and upgrades of the IMAG suite.
Prerequisites for using IMAG Standalone or vApp with an external database
==========================================================

============
= Overview =
============

1) The DBA should create new users and passwords (also known as "schemas" when using Oracle database) for each of the products that you intend to deploy:
   * Identity Manager
   * Identity Governance
   * Identity Portal
These users should be DBO for the first startup after an initial install or an upgrade. After the first restart, the permissions can be pruned as described below.
2) The DBA should provide the above credentials to the Identity Suite Virtual Appliance administrator - to be configured and verified in the External Database configuration screen.
3) During the Virtual Appliance solution deployment, the databases will be automatically populated with tables.

=====================================================================================================
========================================= Identity Portal ==========================================
=====================================================================================================

Oracle:
-------
a. Create an Identity Portal database.
b. Create a user with CONNECT and RESOURCE privileges on the Identity Portal database.
c. Grant a quota to the tablespace of the Identity Portal database

MS SQL:
-------
a. Create an Identity Portal database.
b. Create a user with DBO privileges on the Identity Portal database.
c. After install or upgrade, you can change these to data_reader, data_writer

=====================================================================================================
========================================= Identity Manager ==========================================
=====================================================================================================

Identity Manager uses 6 data sources:
1) Object Store
2) Task Persistence
3) Archive
4) Auditing
5) Snapshots (reporting)
6) Workflow

You may either create a single user/schema for all of the above data sources, or decide to split schemas according to sizing requirements (you may either split all data-sources, or some of them)

Oracle:
-------
a. Create an Identity Manager database.
b. Create a user with DBA privileges on the Identity Manager database.
c. The tables will be created automatically by Identity Manager upon first run
d. After the first run, you should revoke the DBA privilege and assign the following privileges instead:
   Create/alter/drop tables
   Create/alter/drop view
   Create/alter/drop INDEX
   Create/replace/drop stored procedures
   Create/replace/drop functions
   Create/drop sequence
   Create/replace/drop triggers
   Create/replace/drop types
   Insert/select/delete records
   CREATE SESSION / connect to database

MS SQL:
-------
a. Create an Identity Manager database.
b. Create a user with DBO privileges on the Identity Manager database.
c. After install or upgrade, you can change these to data_reader, data_writer

====================================================================================================
======================================= Identity Governance ========================================
====================================================================================================

MS SQL:
-------
a. Enable XA transactions on the database (see https://docops.ca.com/ca-identity-governance/14-1/EN/upgrading/server-prerequisites#ServerPrerequisites-InstallXA)
b. Create a login user on the Identity Governance database server (you may create separate users for each of the below databases)
   The login user needs to have the following SQL server roles:
   db_owner
   BulkAdmin
   DDLAdmin
c. After install or upgrade, you can change these to data_reader, data_writer
d. Create the following databases (you may change the names as you see fit)
   EUREKIFY_SDB
   TICKET_DB
   REPORT_DB
   WPDS

Oracle:
-------
a. Create the following users with CONNECT and RESOURCE privileges on the Identity Governance database (you may change the names as you see fit):
   EUREKIFY_SDB
   TICKET_DB
   REPORT_DB
   WPDS
b. Grant a quota to the tablespace of the Identity Governance database
c. Grant XA permissions on the database to the WPDS user by running the following statements (for full details, see: https://access.redhat.com/solutions/22274):
   GRANT SELECT ON sys.dba_pending_transactions TO <WPDS_USER>;
   GRANT SELECT ON sys.pending_trans$ TO <WPDS_USER>;
   GRANT SELECT ON sys.dba_2pc_pending TO <WPDS_USER>;
   GRANT EXECUTE ON sys.dbms_system TO <WPDS_USER>;
   GRANT FORCE ANY TRANSACTION TO <WPDS_USER>;

Note: if XA permissions are not granted, the IG application server log will log the following warnings periodically:
   WARN [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016008: Local XARecoveryModule.xaRecovery - caught exception: java.lang.NullPointerException
   WARN [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016027: Local XARecoveryModule.xaRecovery got XA exception XAException.XAER_RMERR:
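
Step c of the MS SQL procedures above (pruning the install-time DBO rights), as an added T-SQL example that is not part of the original article or the product documentation. The database `IdentityPortal` and the user `ip_app` are hypothetical names; SQL Server's built-in fixed database roles for read and write access are named `db_datareader` and `db_datawriter`.

```sql
-- Added example (T-SQL). IdentityPortal and ip_app are hypothetical names.
-- Run as a member of db_owner or sysadmin after the first successful restart.
USE [IdentityPortal];

-- Guard: if the application login owns the database it is mapped to the dbo
-- user, there is no separate database user to prune, and the statements
-- below would fail. Stop here so the ownership can be reviewed first.
IF USER_ID(N'ip_app') IS NULL
BEGIN
    RAISERROR('No database user named ip_app; check who owns this database.', 16, 1);
    RETURN;
END;

-- Add the runtime roles before removing db_owner, so the application
-- never loses read/write access in between.
ALTER ROLE db_datareader ADD MEMBER [ip_app];
ALTER ROLE db_datawriter ADD MEMBER [ip_app];
ALTER ROLE db_owner DROP MEMBER [ip_app];

-- Review the resulting role memberships of the application user.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'ip_app'
ORDER BY r.name;

-- Before the next upgrade, the article requires DBO again for the first
-- startup; restore it with:
--   ALTER ROLE db_owner ADD MEMBER [ip_app];
-- and repeat the pruning above after the post-upgrade restart.
```

The same statements apply to each Identity Manager and Identity Governance database, run once per database with the matching user name.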
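
Step d of the Identity Manager Oracle procedure above, as an added example and not the vendor's own script. It assumes a schema named `im_user` and a tablespace named `users` (both hypothetical), and maps the article's list onto Oracle system privileges: a schema owner can already alter, drop, index and run DML on its own objects, so only the CREATE privileges and CREATE SESSION need explicit grants.

```sql
-- Added example (Oracle SQL, run from a DBA account).
-- im_user and the users tablespace are hypothetical names.

-- 1. Grant the replacement privileges first, so the schema can still
--    connect and work once the DBA role is gone.
GRANT CREATE SESSION   TO im_user;  -- connect to database
GRANT CREATE TABLE     TO im_user;  -- alter/drop, indexes and DML on own tables come with ownership
GRANT CREATE VIEW      TO im_user;
GRANT CREATE PROCEDURE TO im_user;  -- covers stored procedures and functions
GRANT CREATE SEQUENCE  TO im_user;
GRANT CREATE TRIGGER   TO im_user;
GRANT CREATE TYPE      TO im_user;

-- 2. Assumption: give the schema an explicit quota on its tablespace, so it
--    can keep allocating space without the privileges that came with DBA.
ALTER USER im_user QUOTA UNLIMITED ON users;

-- 3. Remove the install-time role.
REVOKE DBA FROM im_user;

-- 4. Review what the schema still holds: system privileges, roles and quotas.
SELECT privilege
FROM dba_sys_privs
WHERE grantee = 'IM_USER'
ORDER BY privilege;

SELECT granted_role
FROM dba_role_privs
WHERE grantee = 'IM_USER'
ORDER BY granted_role;

SELECT tablespace_name, max_bytes
FROM dba_ts_quotas
WHERE username = 'IM_USER';
```

If the six Identity Manager data sources were split across several schemas, run the script once per schema.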