
Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance


PAM directories

Directories represent external target systems, for example Active Directory or LDAP. If the Active Directory environment or the LDAP environment is imported into One Identity Manager, you can create directory users in One Identity Manager. Directory users and directory groups are linked to the relevant Active Directory objects and LDAP objects.

Directories are imported into the One Identity Manager database during synchronization. You cannot edit the properties of directories. Changes to the object properties of individual directories can be re-imported by single object synchronization.

To display the properties of a directory

  1. In the Manager, select the Privileged Account Management > Appliances > <appliance> > Directories category.

  2. Select the directory in the result list.

  3. Select the Change main data task.

For a directory, you see an overview of the user accounts, user groups, and the directory accounts associated with the directory.

To view an overview of a directory

  1. In the Manager, select the Privileged Account Management > Appliances > <appliance> > Directories category.

  2. Select the directory in the result list.

  3. Select the PAM directory overview task.


PAM entitlements

An entitlement is a set of access request policies that ensures only authorized users can access the system. An entitlement usually groups together a set of permissions that are required to fulfill a specific task.

An entitlement defines which users are authorized to request passwords for accounts or sessions for assets as part of the defined access request policies.

Entitlements are imported into the One Identity Manager database during synchronization. You cannot edit the properties of entitlements. Changes to the object properties of individual entitlements can be re-imported by single object synchronization.

To display the properties of an entitlement

  1. In the Manager, select the Privileged Account Management > Appliances > <appliance> > Entitlements category.

  2. Select the entitlement in the result list.

  3. Select the Change main data task.

For an entitlement, you see an overview of the user accounts, user groups, and the access request policies associated with the entitlement.

To view an overview of an entitlement

  1. In the Manager, select the Privileged Account Management > Appliances > <appliance> > Entitlements category.

  2. Select the entitlement in the result list.

  3. Select the PAM entitlement overview task.


PAM access request policies

An access request policy defines:

  • The scope (meaning, which assets, asset groups, asset accounts, directory accounts, or account groups).
  • The access type (password, SSH or remote desktop, Telnet).
  • The rules for requesting passwords, for example, the duration or how many approvals are required.

Access request policies are imported into the One Identity Manager database during synchronization. Changes to the object properties of individual access request policies can be re-imported by single object synchronization.

To display the properties of an access request policy

  1. In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change main data task.

For an access request policy, you see an overview of the scope of the access request policy and the entitlements associated with the access request policy.

To obtain an overview of an access request policy

  1. In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the PAM access request policy overview task.


Reports about PAM objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for PAM systems.

Table 27: Data quality target system report

| Report | Published for | Description |
|---|---|---|
| Show overview | User account | This report shows an overview of the user account and the assigned permissions. |
| Show overview including origin | User account | This report shows an overview of the user account and origin of the assigned permissions. |
| Show overview including history | User account | This report shows an overview of the user account including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report. |
| Overview of all assignments | User group | This report finds all roles containing employees who have the selected system entitlement. |
| Show overview | User group | This report shows an overview of the system entitlement and its assignments. |
| Show overview including origin | User group | This report shows an overview of the system entitlement and origin of the assigned user accounts. |
| Show overview including history | User group | This report shows an overview of the system entitlement including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report. |
| Show entitlement drifts | Appliance | This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager. |
| Show user accounts overview (incl. history) | Appliance | This report returns all the user accounts with their permissions including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report. |
| Show user accounts with an above average number of system entitlements | Appliance | This report contains all user accounts with an above average number of system entitlements. |
| Show employees with multiple user accounts | Appliance | This report shows all the employees that have multiple user accounts. The report contains a risk assessment. |
| Show system entitlements overview (incl. history) | Appliance | This report shows the system entitlements with the assigned user accounts including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report. |
| Overview of all assignments | Appliance | This report finds all roles containing employees with at least one user account in the selected target system. |
| Show unused user accounts | Appliance | This report contains all user accounts that have not been used in the last few months. |
| Show orphaned user accounts | Appliance | This report shows all user accounts to which no employee is assigned. |

Table 28: Additional reports for the target system

| Report | Description |
|---|---|
| PAM user account and group administration | This report contains a summary of user account and group distribution in all PAM appliances. You can find the report in the My One Identity Manager > Target system overviews category. |
| Data quality summary for PAM user accounts | This report contains different evaluations of user account data quality in all PAM appliances. You can find the report in the My One Identity Manager > Data quality analysis category. |
