Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.0 LTS - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and employees Managing assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Configuration parameters for managing a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 33: Configuration parameters for synchronizing a Privileged Account Management system

Configuration parameters

Meaning if Set

TargetSystem | PAG

Preprocessor relevant configuration parameters for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | PAG | Accounts

Allows configuration of PAM user account data.

TargetSystem | PAG | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo

Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the e-mail is sent to the address stored in the TargetSystem | PAG | DefaultAddress configuration parameter.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | PAG | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | PAG | Accounts | PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | PAG | Accounts | TransferJPegPhoto

Specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | PAG| DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | PAG | PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | PAG | PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | PAG | PersonAutoFullsync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | PAG | PersonExcludeList

Listing of all user account without automatic employee assignment. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | PAG | UserObjectAccessThreshold

Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.

TargetSystem | PAG | HighRiskIndexThreshold

Risk index values higher than this threshold are considered high. Default is 0.5.

QER | ITShop | AutoPublish | PAGUsrGroup

Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList

List of all PAM user groups that are not to be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

Example: .*Administrator.*|.*Admins|.*Operators

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema
Schema Type in One Identity Safeguard Table in the One Identity Manager Schema
Appliance PAGAppliance
IdentityProvider PAGIdentityProvider

AuthenticationProvider

PAGAuthProvider

User PAGUser
UserGroup PAGUsrGroup
Entitlement PAGEntl
AccessRequestPolicy PAGReqPolicy
AccountGroup PAGAccGroup
Asset PAGAsset
AssetAccount PAGAstAccount
AssetGroup PAGAstGroup
Directory PAGDirectory
DirectoryAccount PAGDirAccount

Editing One Identity Safeguard system objects

The following table describes permitted editing methods for One Identity Safeguard schema types and the necessary restrictions for processing the system objects.

Table 35: Methods available for editing schema types

Schema type

Read

Paste

Delete

Refresh

Appliance (Appliance)

Yes

No

No

No

User account (User)

Yes

Yes

Yes

Yes

User group (UserGroup)

Yes

No

No

Yes

Identity provider IdentityProvider

Yes

No

No

No

Authentication provider (AuthenticationProvider)

Yes

No

No

No

Directory

Yes

No

No

No

Directory account

(DirectoryAccount)

Yes

No

No

No

Asset (Asset)

Yes

No

No

No

Account (AssetAccount)

Yes

No

No

No

Asset group (AssetGroup)

Yes

No

No

No

Account group (AccountGroup)

Yes

No

No

No

Entitlement (Entitlement)

Yes

No

No

No

Access request policy (AccessRequestPolicy)

Yes

No

No

No

One Identity Safeguard connector settings

The following settings are configured for the system connection with the One Identity Safeguard connector.

Table 36: One Identity Safeguard connector settings

Setting

Description

Appliance display name

Display name of the appliance.

Variable: CP_ApplianceDisplay

System identifier

Unique identifier for identifying the appliance.

Variable: CP_ApplianceID

CAUTION: The system identifier must describe the appliance uniquely. Appliances are differentiated on the basis of the system identifier. If you use an identifier more than once for different appliances, it can cause errors and loss of data.

Always connect to the primary cluster node

This option is automatically set if a One Identity Safeguard cluster is detected when the connection is tested. If you use a cluster of multiple One Identity Safeguard appliances, this option should be enabled.

Variable: CP_ConnectPrimaryNode

Appliance host name or IP

Host name or IP address of the appliance. If you use a cluster of multiple One Identity Safeguard appliances, enter the primary appliance here.

Variable: CP_ApplianceHost

Trusted certificate thumbprint

Thumbprint of the trusted certificate that is used by the synchronization user and the user account of the One Identity Manager Service.

Variable: CP_CertificateThumbprint

Ignore SSL connection errors

You should only activate this option for test purposes, because this may lead to potential trusting of insecure connections.

Variable: CP_IgnoreSSLErrors

Default: False

Cluster IPv4 addresses

Semicolon delimited list of IPv4 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv4Addresses

Cluster IPv6 addresses

Semicolon delimited list of IPv6 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv6Addresses

Customize connector definition

You can use this setting to adjust the definition used by the connector.

IMPORTANT: You should only make changes to the connector definition with the help of support desk staff. Changes to this setting will have wide ranging effects on synchronization and must be made carefully.

NOTE: A customized connection definition is not overwritten by default and must be made with careful consideration.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione