Initially, approvers of access request policies automatically become owners of PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups and PAM account groups. This assignment only takes place if an access request policy can be determined for a PAM object.
- For each access request policy, a new application role is created for the owner under the Privileged Account Governance | Asset and account owners application role.
- The role approvers of an access request policy are added to the application role.
- The application role is assigned to the PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups within the policy's scope.
-
If several access request policies are defined for a PAM object, the valid application roles are determined through the access request policies' entitlements. The PAM object owners are determined in the following order:
- Application roles of access request policies with low priority entitlements
- Application roles of access request policies with the lowest priority
-
NOTE:
- An application role for owners is only assigned automatically to a PAM object if an application role is not already assigned to the PAM object. Any existing assignment is not changed.
- Owners are only determined initially. Changes to the role approver of an access request policy are not automatically added to the associated application role. Change the employee assigned to the application role manually, if required.
- Owners cannot be determined for access request policies that are automatically approved in One Identity Safeguard. In this case, assign employees manually to the application role.
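Because owners are only determined initially, the owner application roles can drift away from the current role approvers. The following check for the cases in the NOTE is an added example, not part of the product or its documentation. The record types, field names and sample data are hypothetical and constructed (for instance, filled from exported reports), and the code calls no One Identity Manager or Safeguard API.

```python
from dataclasses import dataclass, field

# Hypothetical records (assumption): not One Identity Manager API objects.
@dataclass
class Policy:
    name: str
    approvers: set                 # current role approvers of the policy
    auto_approved: bool = False    # automatically approved in Safeguard
    scope: set = field(default_factory=set)  # PAM objects in the policy's scope

@dataclass
class OwnerRole:
    policy: str                    # policy the application role was created for
    members: set                   # employees currently in the application role

def audit_owner_roles(policies, roles, assigned_role):
    """Return sorted (kind, subject, detail) findings to review.

    assigned_role maps a PAM object to the policy whose owner role it carries.
    """
    by_policy = {r.policy: r for r in roles}
    findings = set()
    for p in policies:
        role = by_policy.get(p.name)
        members = role.members if role else set()
        if p.auto_approved:
            # No owners can be determined; the role must be filled manually.
            if not members:
                findings.add(("no-owner", p.name, "auto-approved, role empty"))
        else:
            # Later approver changes are not propagated to the role.
            for e in p.approvers - members:
                findings.add(("approver-not-owner", p.name, e))
            for e in members - p.approvers:
                findings.add(("owner-not-approver", p.name, e))
        for obj in p.scope:
            if assigned_role.get(obj) is None:  # object without any owner role
                findings.add(("unassigned-object", obj, p.name))
    return sorted(findings)

# Constructed sample data
POLICIES = [
    Policy("Linux root access", {"alice", "bob"}, scope={"srv-db01", "srv-db01/root"}),
    Policy("Break-glass", set(), auto_approved=True, scope={"srv-app02"}),
]
ROLES = [OwnerRole("Linux root access", {"alice", "carol"}), OwnerRole("Break-glass", set())]
ASSIGNED = {"srv-db01": "Linux root access", "srv-db01/root": "Linux root access"}

if __name__ == "__main__":
    for finding in audit_owner_roles(POLICIES, ROLES, ASSIGNED):
        print(*finding, sep=" | ")
```

An "owner-not-approver" finding is not necessarily an error, since employees can be assigned to the application role manually; it marks an owner to review.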