Hello, and welcome to Identity Manager, the unknown unknowns for developers. My name is Marcus Weisz-Ehlers.
What are we talking about when I'm saying the unknown unknowns for developers? For me, these are the things that are really helpful in your day-to-day business as the implementation partner, or as a customization engineer, but that are not so commonly known. And that's why I'm starting with the Object Browser debugging feature, which I think is very helpful to understand how the system is working internally when our template's executed and process starter and so on.
And then I will talk about the type-safe database model that is going to help you to save a lot of precious development time. I want to show the One Identity Manager PowerShell module that is available, and then I'm going to focus on one of the most commonly seen errors you can make but can be easily avoided. This is in section [INAUDIBLE]
And then I want to show you or give you a sneak-peek of some of the future enhancements that are coming with the next version of One Identity Manager that helps you around implementation and operation.
So, let's get started. Object Browser Debugging allows you to start your debugging process of scripts, templates, formats, or processes right in the Object Browser. You can manage the breakpoints in the Object Browser so you find where to stop for summary execution of the script, execution of a template. Then you execute your operation, and where the breakpoint has set images to do, you can debug it right away. I'm going to demonstrate this now.
I'm starting my presentation of the Object Browser Debugging feature with the database compiler, and if you do have the program function common compiler for the AccuSign, you can see here that-- additional checkbox to give debug information, click on that, and then the system will inform you that it's going to safely debug it says just locally, not in the One Identity Manager Database. We're going to skip that now because I have already done that.
Switching to the Object Browser, I'm going to start my debugging session, and then the Object Browser will start Visual Studio and connect it to our Object Browser and set. Now I'm able to set breakpoints. I have already done that here. I'm setting a breakpoint for the execution of my template Person Internal Name, one for ADS Account Surname, and set two table script breakpoints, one on ADS Account On Saving, and one on Person On Saved to demonstrate the execution order of those events. And then two process generation breakpoints, one for ADS Account Update event, and one Person.
What I'm going to do now is I'm going to change an object here. I'm going to change the last name of a person, and I'm pressing the Tab key. Because the Object Browser is using the object in the active mode, the execution template will be triggered right away. So person terminate into and get triggered because the last name has been changed and going to continue here. And then I'm back in the Object Browser. You can see that other columns have been changed, but this system without stopping missions to do because I don't have-- I didn't set any breakpoint there.
And I'm clicking On Saved here, and then the first interesting thing is that he stopped at the process generation for the update event of the first object. So first thing, learn the process generation will take place before the On Saved event of an object will be executed. You have to keep that in mind. Any object value changes you are doing in the On Saved script will not be considered during the process generation of that object. And again I'm pressing continue, and that as explained just seconds ago, the On Saved event will now be triggered.
And it can continue. And now all assigned objects or the templates of the earth and objects will be triggered. So in this case, my person has an ADS account assigned, and that's why the system now stops here at the configured breakpoint for ADS Account Surname. You can do some single step in here of course, and see if all the bays are set correctly. It's only used to fool the button features of Visual Studios here to look into my process flow here, and continue.
And now, I can see here at the On Saving event is triggered next, so if you want to change some values, or check some values prior to the process generation, you can do that in the On Saving script, and you can continue again. And see here that now the process generation of an update for ADS Account will be triggered. And we could take a look at that. And then this has been finished.
The database compiler creates a type-safe database model. These are auto-generated classes that map the current database model and include not just the out-of-the-box columns and tables, but also your custom tables, columns, and configuration parameters. You may ask, "Why should I use it?" The main reason is to avoid typo-induced runtime errors that are naturally hard to detect. You need proper end-to-end testing to detect them, and they are appearing late in the development process. And if you use a type-safe database model, the Database Compiler will complain, for example, if you mistyped a column name or access the object properties using the wrong data type and so on. So in the end, it saves you precious development time.
How do I use a type-safe database model? How do we create typed wrapper objects and collections? The first example here on this slide demonstrates how to create and save a typed wrapper object. In this case, I'm creating a new person object. So remember normally we do create IEntity objects. Here this is a Person object directly. And you notice that you can directly specify here the properties-- .FirstName, .LastName, .IsExternal. And all this has been created by the database compiler. And you notice as well that it can-- or that you need to specify the correct data types. So IsExternal-- this is not hey this is a Boolean property or the ExitDate, this should be a DateTime property.
The same is true for typed collection, so you do have typed wrapper collections as well, so the contents will not be entity objects in that collection, but will be specific type object like a person object. And the sample here on the screen demonstrates how to create such a typed collection reusing your query object. So I'm querying from the table Person, I'm specifying a Where clause, and then, which is the interesting part, I'm creating a collection of Person objects here in the second line, and not Entity objects.
And then you can do something, and again, here-- and in the sample you can see the access using direct properties like p.IsExternal, and you can see here that you do have access to the Entity object that lies beneath the typed wrapper objects using p.Entity dot, for example, Display here. In that case, you can fetch the Display property, or just typed wrapper object as well.
In addition to the typed wrapper object and collections, the database compiler creates what we call a typed database model. And these are classes that provide you typed access to table and column names, and the class that is going to be created called VI.DB.Model.Table and you can use it to avoid another source of typos in your code, and you can use them for accessing table names and column names.
And the first example here shows how to use a table name during the creation of an IEntity object, and Session.Source.CreateNew and then you can see the use of the new class Table.Person. So you can't mistype Person because it's maybe a bad example. It's not so hard to spell, but some other tables [INAUDIBLE] are more likely to be misspelled, so you can avoid that now.
The second example is using the column name here. In this case, it's an ISqlFormatter statement, and the column name can be accessed by using the same table class, using Table.Person, so the table name dot column name, in this case, IsInActive. You can see the use that [INAUDIBLE] ISqlFormatter string, f.Comparison.
Another option, or another source of typos is the spelling of the configuration parameter, and especially when it's a configuration parameter that has a deep [INAUDIBLE] and the parameter hierarchy. And we do have a class, which is called VI.DB.Model.Config, that helps you here.
And the example shows you the usage. And it's Config dot and then the complete configuration parameter hierarchy. In this example it's Config.TargetSystem.ADS.PersonExcludeList. Again, this helps you to avoid typos here. You just have to remember that the value that will be returned is always of type String and is read-only. So we have to keep that in mind, but it's the same if you use some other methods to access the configuration parameters as well.
If you want to know more about type-safe database model and you want to take a look at some more examples, I encourage you to take a look at the SDK that is part of the product delivery. You can always access the SDK directly from the auto-run of [INAUDIBLE] manager. And the path here that is listed is the path inside of that SDK folder. It's ScriptSample, then sample section 03, Using database objects, and then sample 20 Typed Objects.
The covered use cases are listed here on the slide. I'm not going to read all of them, but it touches creating the object that's accessing Display name, [INAUDIBLE] name's OldValues and all that stuff. And we [INAUDIBLE] later on show in this video that we have integrated these samples as well in a new feature we call SDK at your fingertips.
One unknown unknown of One Identity Manager is that there is an IdentityManager.PoSh PowerShell library available, and it's available on GitHub as a One Identity open source project, the URL you'll see on the slide, and it supports CRUD operations for entities, it supports to load entity collections, trigger events, call customizer and object methods, and execute scripts. And when you deal with entities, it works with generic entities and with typed wrapper functions here in PowerShell, and coming up next is a short demonstration of this PowerShell family.
I'll do now a quick demo of the multifunctional of the Identity Manager PowerShell module, and first of all, you have to, of course, import the module into your PowerShell session. And then you have to provide the connection credentials. It's recommended to use the application server connection, and this is what I'm doing here, and then specifying the applications of a ClientFactory.
This is just a demo thing here. I'm protecting my super-secret password using a credential object, and then specify the authentication module, a system user connection, in my case. And then comes the session creation against Identity Manager. And the PowerShell module then creates what we call a typed wrapper function for each of the tables in the system to allow you easier access to all the objects in the Identity Manager. And in the fully-installed system, there could be many of those tables, and therefore, does the commands that allow you to skip specific modules during creation, for example, if you don't want to create the typed wrapper functions for the SAP object, you can just specify this module to skip.
And since he first command the create-- generic entity creation command called New-Entity, you specify the type-- in this case, it's a person-- then you specify the properties. And so, just here-- when you take a look at the typed wrapper function, you get New-Person. You see the difference that you can specify all the properties of a person object as command-line parameters-- here is a first name, last name, and so on. And this is also fine, because we do have IntelliSense here in the PowerShell editor, just to decode and all of that nice and healthy things you expect from those full-blown objects.
So next thing, you can load entities, of course, generic commodity. Again, Get-Entity-- you can specify here either the parameter key or an XObjectKey. You have to specify the type-- it's person. The same for the typed wrapper function, it's called Get-Person. And specify here-- in this case, I specified an XObjectKey. And then you can do something with the object. For example, I just want to show or see the display name here, and that's it.
And one interesting thing to mention is that both types of commands-- so the Get-Entity and Get-Typed-Wrapper function for this table-specific approach [INAUDIBLE]-- are working for single object or for multiple objects. So the next example here, Get-Person -ResultSize 5 -IsExternal 1, gets me the top 5 persons that have the external flag set. And the rest is just PowerShell stuff for an output. [INAUDIBLE] particular with that, I'm just having three in my system here.
OK, so the next example is, you could do the same here. I'm just specifying Get-Person -LastName Doe -FirstName Pat. And I want to change a property. And I'm just doing naturally, like I would do-- here's my object. I'm having the property here, and I'm setting it to One Identity. And then the object has been saved. And here, now I'm just loading a department. I'm setting the foreign key. You would [INAUDIBLE] that department just here to d1. OK. So this is about changing objects.
So now, you can, of course, fire events for an entity using the PowerShell module. But sometimes I do not know how the event is built, and for that, we do have a function, which is called Get-Event for an entity. I'm seeing all the events that I'm able to fire here at that object. And let's say CHECK_EXITDATE, sounds nice. And then you could invoke the event here using the Invoke-Event commandlet, CHECK_EXITDATE.
Then, of course, you can remove entities, and the same for typed wrapper function. This is your generic option-- Remove-Entity, specify the entity, and then there is an option parameter called -IgnoreDeleteDelay. This does the same like-- there's a similar option in the object layer. If you directly access it, that would ignore the delete delay that is configured for these type of objects so that the object will be deleted immediately.
OK, now, next thing. You can, of course, use pipeline object for this. So first commandlet here gets me entities of type Person where the last name is Doe and the first name is Sam, and then removes those persons. And remember, this Get-Entity commandlet is able to get more than one object at a time. So you may have seen that through [INAUDIBLE] elements was a [INAUDIBLE] So I've deleted more than one object with this commandlet.
And then, it's common practice to close the connection at the end. We're doing that now and that's it for my presentation.
Remember, we are still in the video called The Unknown Unknowns, and part of the unknown unknowns are the queries, the SQL queries the object is generating. And therefore, during the customization, you probably do not mind the queries and/or the queries you are writing as you should. And one easy thing to do is to use the SQL Formatter method UidComparison. We've seen that a lot and that's why I put that here in the video. And this method automatically creates non-Unicode SQL comparisons.
So why is that so important? If you take a look at the One Identity Manager data in this model, you will see that all the string columns are normally created using Unicode values, but the primary key and foreign key columns are not. So they're using standard ASCII-based string columns. And if you do create the wrong SQL statement, the SQL server would not be able to use all the created indexes, and so your query will be slow. And it's so easy to use the UidComparison method instead of using the normal comparison method and have to deal with all these options you have to set to generate the same statements.
And to help you checking your code, we created a consistency check called SQL Formatter usage test for UID columns, and it checks the existence of specific code sequence. So it's .Comparison open bracket quotation marks UID underline star. So if you take a look at the code sample seen on the slide, the first two are flagged by the consistency checks because they start with the same code snippet, but you have to be careful that this consistency check will not find all statements. Where you should use the UidComparison method in sample here is the last one, that will be not flagged by the consistency check because it's using the columnname variable instead of a fixed value that contains the UID underline.
Here are the screenshots from the work for how to activate this consistency check. In the consistency check dialog, you activate the SQL Formatter usage test for UID columns and then you run the consistency check. This is shown on the bottom window here. And then, if the check finds something here, the error message is, Object CCC_UIDComparison should use UIDComparison. And you can click on the object itself and then you can see the code. And here it's in dialog script. And the samples that are generating the messages here, the warnings, are the same as shown before. So that's why it's got to be highlighted here.
Now I want to talk about some little things that are coming in the next version of One Identity Manager implementation and operation support. First, you will see a demonstration of the new Code Editor that supports the latest Visual Basic dialect and the C# version we are supporting in One Identity Manager. And the demonstration will also show you the thing that we call, or I call, SDK at your fingertips. Then we will talk a little bit about the REST-API enhancement and Application Server enhancements we are providing with the next version. And then, again, a demonstration about the new Job Queue Info and object property enhancement that should help you during the operation of the product. And at the end, I will show a long-wanted Launchpad surprise.
Our longtime customers asked us if it would be possible to update our code in order to support latest dialect of Visual Basic, and we're happy to announce that in the next version of One Identity Manager, we're delivering just that. In addition, we decided to come up with something we call complete SDK at your fingertips. And we decided to use the code snippet features we already had in the Code Editor and the product to do just that. And we'll take a look at that here.
We restructured the complete code snippets, and we added and enhanced a lot of these code snippets. Take a look at the object layer snippets. You can see here, on the first level, you get the very basics, so create an entity-- you can see here the explanations for these snippets, get an entity from the database, save an entity, and so on and so on.
But we didn't just stop there. So if you go down one level deeper into collections, we are dealing with specific options that are used very often for get a collection, paged type of collection, get a count of collections, so on and so on. And all of these were mostly available on the SDK, on the product delivery, and now all of these samples are here, right at your fingertips. And all the samples are using placeholder variables so you can add-- while you add them here to your code, you can replace it and adapt it to your needs, to your variables.
And there is a lot more we hadn't before in the SDK-- for example, if you take a look here at scripts. So if you ever wondered how to define a create assignment request method or a script that it can use in a create assignment request method, you're here in the right place. Just click it here and then the system creates for you the stuff that is needed to be called by a CreateAssignmentITShopOrder method.
And the same here. Let's go to the SQL Formatter screen. So the more complex SQL Formatter settings here are available as well, like, not just [INAUDIBLE] and/or comparisons, but-- as [INAUDIBLE] explained before in the Mind Your Queries section-- the UIDComparison that should be used while comparing UIDs, but there are others as well, like fix-value comparison, foreign-key comparisons, and so on and so on-- or date-difference comparisons. Some things that are not known by everybody, but now they're relatively easily available directly in the code.
Now, let's talk about the REST-API enhancements that are coming with version 8.2. We introduced a new endpoint to fetch the count of a collection only. So, up until now, you had to fetch a collection and then, on your client, you had to identify the count of objects and this creates unnecessary network traffic, puts unnecessary pressure on the database and on the application. So that's why we implemented this enhancement based on an implementation partner request.
The second is also based on implementation partner requests. This is giving the script endpoint the option to return raw results. So this allows you to return pure JSON or pure XML results if you call in the script endpoint. And we introduce a new body parameter called returnRawResult for that.
And then, we added the fault-tolerant option to the time assignment endpoint and, to be specific, to the assignment add option. And there is a new Boolean query parameter called ignoreExisting. Up until now, if you tried to add an object that is already part of the assignment table, you will see an exception method. And you can avoid that using this new query parameter.
And we add an additional endpoint to set or delete session variables on the API branch. If you remember, this option to set or delete session variables was already present in the different parts of the application server-- now, it's part of the REST-API. And I'm explaining on the next slide why we have done that.
In the next version of One Identity Manager, you are able to turn off either the application server or the REST-API part of the application server installation. This is a request we had seen from larger customers that do want to have more application servers, or they do need the specific application servers that should only handle the REST-API requests from a specific third-party application. And this is possible now, with the next version. And because of that, we provided the new session variable endpoint on the API part of the application server implementation.
Another enhancement that is coming is that you do have the option to check the session certificate. We had that request from some customers. It's turned off internally by default to avoid breaking existing installations, but new installations will have the option turned on in the web.config. And you have to keep that in mind, that system then checks the session certificate. Another option is that you can turn on or turn off the revocation check. And all of this is, again, configurable in the web.config of the application server.
I'm going to demonstrate some of the new features that are coming with Job Queue Info and the property grid in version 8.2. You may notice here, in the processor parameters, that some of them are underlined. When I'm doing a right click on them, I have the options to show this object and the object [INAUDIBLE], or open this one up in the Synchronization Editor. And when I take a look at that, the system knows that this one is a synchronization repo, so we should see a synchronization repo, or I can show the object properties.
I'm opting to use the show me the repo in the Synchronization Editor. And, as you can see here, the system's opening up in Synchronization Editor, loading the current synchronization project, and opening up the synchronization repo at [INAUDIBLE]. I can see here that this change has changed the schema property company on the object [INAUDIBLE]. And here's the new value.
The same is true for data configuration. This is the synchronization workflow that has been used. Again, I'm opening this up in Synchronization Editor. You can see here, this is a provision workflow, and the same here. [INAUDIBLE] various set have been used here. You can see systems opening up the variables page. [INAUDIBLE] the assumptions we are having, and, of course, can open up the same here in the Object Browser, the property grid.
I'm going to demonstrate this one in another process step. In addition to the synchronization process steps, we also gave [INAUDIBLE] the ability to detect XObjectKeys. So if a parameter process task contains an XObjectKey, it will be underlined as well. I can do a right click here, again, and show me the object in the Object Browser. So Object Browser will be opened up, the person will be loaded-- in this case, it was a person object.
Going back to the Job Queue Info and show the object properties. So you have a-- this is a [INAUDIBLE] object property grid. And made two enhancements here, in regards to the primary key. So you can see here, if an object has more than one primary key or more than one primary key, you would see all primary keys here. And I'm [INAUDIBLE] here. So one click-- we're copying the primary key into my clipboard. Just left mouse click and-- switching back to the Object Browser to demonstrate this one here-- new SQL window and now I'm doing paste. You can see here, this is the primary key I've just copied.
Going back to Job Queue Info. Now I'm doing a shift click, going back here again, paste-- you get the same primary key in SQL notation. And the same here for-- if you click here, on the head of the primary key and left click and shift click-- I'm doing right and shift click-- and then here. You have the XObjectKey copied. By the way, for further usage, so I can invest-- use this and SQL queries to further invest in the signature-- your result. The same here is true for the ultimate primary key, for the ones that do know what their ultimate private key here is. Here, I'll copy this one, [INAUDIBLE] as well. And that's the short run through here for the enhancements.
Shortly after the introduction of our [INAUDIBLE] oriented Launchpad that eases the first steps of the configuration of the Identity Manager, our [INAUDIBLE] implementation partners asked us to add the additional option to start the tools of One Identity Manager directly from the Launchpad, so using Launchpad as single sign-on starter that would make the additional login into the separate tools unnecessary. And I'm happy to announce that, coming with the next version of One Identity Manager, we're delivering the new menu item tools. You can see here on the screenshot on the left-hand menu. And that would allow you to start, for example, the Object Browser without having to log into the system again.
This is the end of my video about the unknown unknowns of One Identity Manager for developers. I hope you enjoyed it and I hope you stay safe and take care. And bye bye.