What are the minimum database permissions for IGA IMAG IM IG and IP PORTAL

Article ID: 204851

Updated On:

Products

CA Identity Manager

Issue/Introduction

What are the minimum required permissions for the database to run initial installs and upgrades for the Identity Manager suite?

Resolution

Prerequisites for using IMAG Standalone or vApp with an external database 
==========================================================

============
= Overview =
============
1) The DBA should create new users and passwords (also known as "schemas" when using Oracle database) for each of the products that you intend to deploy:
   * Identity Manager
   * Identity Governance
   * Identity Portal
These users should be DBO for the first startup after an initial install or an upgrade. After the first restart, the permissions can be pruned as described below.
2) The DBA should provide the above credentials to the Identity Suite Virtual Appliance administrator - to be configured and verified in the External Database configuration screen.
3) During the Virtual Appliance solution deployment, the databases will be automatically populated with tables.

===================
= Identity Portal =
===================

Oracle:
-------
a. Create an Identity Portal database.
b. Create a user with CONNECT and RESOURCE privileges on the Identity Portal database.
c. Grant a quota to the tablespace of the Identity Portal database.

MS SQL:
-------
a. Create an Identity Portal database.
b. Create a user with DBO privileges on the Identity Portal database.
c. After install or upgrade, you can change these to data_reader, data_writer.

====================
= Identity Manager =
====================

Identity Manager uses 6 data sources:
   1) Object Store
   2) Task Persistence
   3) Archive
   4) Auditing
   5) Snapshots (reporting)
   6) Workflow
You may either create a single user/schema for all of the above data sources, or split schemas according to sizing requirements (you may split all of the data sources, or only some of them).

Oracle:
-------
a. Create an Identity Manager database.
b. Create a user with DBA privileges on the Identity Manager database.
c. The tables will be created automatically by Identity Manager upon first run.
d. After the first run, you can revoke the DBA privilege and assign the following privileges instead:
   * Create/alter/drop tables
   * Create/alter/drop view
   * Create/alter/drop INDEX
   * Create/replace/drop stored procedures
   * Create/replace/drop functions
   * Create/drop sequence
   * Create/replace/drop triggers
   * Create/replace/drop types
   * Insert/select/delete records
   * CREATE SESSION / connect to database

MS SQL:
-------
a. Create an Identity Manager database.
b. Create a user with DBO privileges on the Identity Manager database.
c. After install or upgrade, you can change these to data_reader, data_writer.

=======================
= Identity Governance =
=======================

MS SQL:
-------
a. Enable XA transactions on the database (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/upgrading/Post-Upgrade-Tasks.html )
b. Create a login user on the Identity Governance database server (you may create separate users for each of the below databases).
   The login user needs to have the following SQL server roles:
   * db_owner
   * BulkAdmin
   * DDLAdmin
c. After install or upgrade, you can change these to data_reader, data_writer.
d. Create the following databases (you may change the names as you see fit):
   * EUREKIFY_SDB
   * TICKET_DB
   * REPORT_DB
   * WPDS

Oracle:
-------
a. Create the following users with CONNECT and RESOURCE privileges on the Identity Governance database (you may change the names as you see fit):
   * EUREKIFY_SDB
   * TICKET_DB
   * REPORT_DB
   * WPDS
b. Grant a quota to the tablespace of the Identity Governance database.
c. Grant XA permissions on the database to the WPDS user by running the following statements (for full details, see: https://access.redhat.com/solutions/22274 Note: A RedHat login account may be required to access the solution):

   GRANT SELECT ON sys.dba_pending_transactions TO <WPDS_USER>;
   GRANT SELECT ON sys.pending_trans$ TO <WPDS_USER>;
   GRANT SELECT ON sys.dba_2pc_pending TO <WPDS_USER>;
   GRANT EXECUTE ON sys.dbms_system TO <WPDS_USER>;
   GRANT FORCE ANY TRANSACTION TO <WPDS_USER>;

Note: if XA permissions are not granted, the IG application server will periodically log the following warnings:

   WARN [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016008: Local XARecoveryModule.xaRecovery - caught exception: java.lang.NullPointerException
   WARN [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016027: Local XARecoveryModule.xaRecovery got XA exception XAException.XAER_RMERR:
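
For Oracle step d under Identity Manager (revoke DBA after the first run and assign the listed privileges instead), the following is an added example and not a script from Broadcom. The schema name IM_USER and tablespace name IM_DATA are placeholders, and the mapping from the article's privilege list to Oracle system privileges is this example's own reading of that list.

```sql
-- Added example (Oracle). Run as a DBA account after Identity Manager's
-- first run has created its tables.
-- IM_USER and IM_DATA are placeholder names, not values from the article.

-- 1. Grant the replacement privileges first, so the schema is never
--    left without access between the two steps.
GRANT CREATE SESSION   TO IM_USER;  -- connect to database
GRANT CREATE TABLE     TO IM_USER;  -- tables; the owner can also alter, drop
                                    -- and index its own tables
GRANT CREATE VIEW      TO IM_USER;  -- views
GRANT CREATE PROCEDURE TO IM_USER;  -- stored procedures and functions
GRANT CREATE SEQUENCE  TO IM_USER;  -- sequences
GRANT CREATE TRIGGER   TO IM_USER;  -- triggers
GRANT CREATE TYPE      TO IM_USER;  -- types
-- Insert/select/delete on the schema's own tables needs no grant:
-- the owning schema already holds those rights.

-- 2. Give the schema an explicit quota on its tablespace so that space
--    allocation does not depend on anything that accompanied DBA.
ALTER USER IM_USER QUOTA UNLIMITED ON IM_DATA;

-- 3. Remove the install-time privilege.
REVOKE DBA FROM IM_USER;

-- 4. Verify: list the roles the schema still holds. DBA must be absent.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'IM_USER';

-- 5. Verify: list system privileges outside the intended set.
--    Every row returned is a privilege to review and, if unneeded, revoke.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'IM_USER'
AND    privilege NOT IN (
         'CREATE SESSION', 'CREATE TABLE', 'CREATE VIEW',
         'CREATE PROCEDURE', 'CREATE SEQUENCE', 'CREATE TRIGGER',
         'CREATE TYPE'
       );
```

Re-run steps 4 and 5 after every upgrade, since the article requires the elevated privilege again for the first startup after an upgrade.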