Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.0 LTS - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and employees Managing assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Configuring PAM access request policies

Access requests for assets, asset accounts, directory accounts, asset groups, and account groups can only be requested if the One Identity Manager enabled option is activated in the access request policy.

To configure the access request policy

  1. In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change main data task.

  4. On the General tab, check the One Identity Manager enabled option.

    • If this option is set, access requests can be requested for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

    • If this option is not set, is not possible to request access requests for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

Related topics

Handling of PAM objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

  • Managing user accounts and employees

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized person, such as a manager.

  • Managing assignments of user groups

    When a group is assigned to an IT Shop shelf, the group can be requested by the customers of the shop in the Web Portal. The request undergoes a defined approval process. The group is not assigned until it has been approved by an authorized person.

    In the Web Portal, managers and administrators of organizations can assign groups to the departments, cost centers, or locations for which they are responsible. The groups are passed on to all persons who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, managers, and administrators of business roles can assign groups in the Web Portal to the business roles for which they are responsible. The groups are passed on to all persons who are members of these business roles.

    If the System Roles Module is available, supervisors of system roles can assign groups to the system roles in the Web Portal. The groups are passed on to all persons to whom these system roles are assigned.

  • Managing access requests to privileged objects

    Through the Identity & Access Lifecycle > Privileged access IT Shop shelf, you can request password and session requests for the privileged objects of a PAM system. The request undergoes a defined approval process. The owner of the privileged object for which you are requesting access approves the order. In the PAM system, a corresponding access request is made. If you were able to successfully create the access request, the user can log on to the PAM system and call the required password, or start the required session.

  • Attestation

    If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. The owners of privileged objects attest the possible user access to these privileged objects. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

  • Governance administration

    If the Compliance Rules Module is available, you can define rules that identify the invalid entitlement assignments and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of groups to evaluate the risk of entitlement assignments for the company.One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the employees, user accounts, and their entitlements and risks.

For more information about the named topics, see Managing PAM user accounts and employees, Assigning PAM user groups to PAM user accounts in One Identity Manager, PAM access requests and refer to the following guides:

  • One Identity Manager Web Designer Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

Basic data for managing a Privileged Account Management system

To manage a Privileged Account Management system in One Identity Manager, the following basic data is relevant.

  • Account definitions

    One Identity Manager has account definitions for automatically allocating user accounts to employees. You can create account definitions for every target system. If an employee does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an employee.

    For more information, see Account definitions for PAM user accounts.

  • Password policies

    One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.

    Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.

    For more information, see Password policies for PAM users.

  • Target system types

    Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single objects synchronization. Target system types also map objects in the Unified Namespace.

    For more information, see Post-processing outstanding objects.

  • Target system managers

    A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all appliances in One Identity Manager.

    Define additional application roles if you want to limit the permissions for target system managers to individual appliances. The application roles must be added under the default application role.

    For more information, see Target system managers for PAM systems.

  • Servers

    In order to handle target system specific processes in One Identity Manager, the synchronization server and its server functionality must be declared.

    For more information, see Job server for PAM-specific process handling.

  • Owners of privileged objects

    One Identity Manager includes a standard application role for the owners of privileged objects such as PAM assets, PAM asset accounts or PAM directory accounts. The owners are included in the standard approval workflows as approvers and attestors.

    For more information, see PAM object owners.

Target system managers for PAM systems

A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all appliances in One Identity Manager.

Define additional application roles if you want to limit the permissions for target system managers to individual appliances. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the Privileged Account Management systems in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual PAM systems.

Table 30: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

  • Authorize employees as owners of privileged objects within their area of responsibility.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)

  2. Select the One Identity Manager Administration > Target systems > Administrators category.

  3. Select the Assign employees task.

  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration > Target systems > Privileged Account Management category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Privileged Account Management > Basic configuration data > Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual Privileged Account Management systems

  1. Log in to the Manager as a target system manager.

  2. Select the Privileged Account Management > Appliances category.

  3. Select the appliance in the result list.

  4. Select the Change main data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Privileged Account Management parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign employees to this application role who are permitted to edit the system in One Identity Manager.

Related topics
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione