Chat now with support
Chat mit Support

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Adjusting the PowerShell definition of the One Identity Safeguard connector

CAUTION: You should only make changes to the connector definition with the help of support desk staff. Changes to this setting will have wide ranging effects on synchronization and must be made carefully.

IMPORTANT: The connector definition should only be customized to temporarily work around problems if needed.

IMPORTANT: A customized connection definition is not overwritten when a new version of the connector or an update to the connector definition is released. No patches are applied.

If you customize the connector definition, you must manually apply your changes to any new versions of the connector or updated connector definitions, as required.

You can use this setting to adjust the definition used by the One Identity Safeguard connector.

To customize the connector definition

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Click Edit connection.

    This starts the system connection wizard.

  4. Enable Show advanced options on the system connection wizard's start page.

  5. Customize the connector definition as required on the Advanced options page.

    1. Select Customize connector definition.

    2. Edit the definition according to the instructions given by the support desk staff. You take the following action:

      • Choose to load the definition from a file.

      • Use to test the definition for errors.

      • Choose to display the differences to the standard version.

  6. Follow the system connection wizard further instructions.

  7. Save the changes.

Updating schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compression and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

    - OR -

    Select the Configuration > One Identity Manager connection category.

  3. Select the General view and click Update schema.

  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Mappings category.

  3. Select a mapping in the navigation view.

    Opens the Mapping Editor. For more information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Speeding up synchronization with revision filtering

Synchronization with a One Identity Safeguard appliance does not support revision filtering.

Configuring the provisioning of memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system may be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved as an object property in list form in the target system.

    Example: List of users Users property of a PAM user groups (UserGroup)

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Target system types category.

  2. In the result list, select the Privileged Account Management target system type.

  3. Select the Configure tables for publishing task.

  4. Select the assignment tables that you want to set up for single provisioning. Multi-select is possible.

  5. Click Merge mode.

    NOTE:

    • This option can only be enabled for assignment tables that have a base table with a XDateSubItem column.

    • Assignment tables that are grouped together in a virtual schema property in the mapping must be marked identically.

  6. Save the changes.

For each assignment table labeled like this, the changes made in One Identity Manager are saved in a separate table. Therefore, only newly added and deleted assignments are processed. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and not the entire members list.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.

You can restrict single provisioning of memberships with a condition. Once merge mode has been disabled for a table, the condition is deleted. Tables that have had the condition deleted or edited are marked with the following icon: . You can restore the original condition at any time.

To restore the original condition

  1. Select the auxiliary table for which you want to restore the condition.

  2. Right-click on the selected row and select the Restore original values context menu item.

  3. Save the changes.

NOTE: To create the reference to the added or deleted assignments in the condition, use the i table alias.

Example of a condition on the PAGUserInUsrGroup assignment table:

exists (select top 1 1 from PAGUsrGroup g
where g.UID_PAGUsrGroup = i.UID_PAGUsrGroup
and <limiting condition>)

For more information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen