サポートと今すぐチャット
サポートとのチャット

Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Assigning PAM user groups to PAM user accounts in One Identity Manager

In One Identity Manager, PAM user groups can be assigned directly or indirectly to user accounts.

In the case of indirect assignment, employees and PAM user groups are classified in hierarchical roles. The number of PAM user groups assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If the employee has a PAM user account, this PAM user account is assigned the PAM user groups.

User groups can also be requested in the Web Portal. To do this, add employees to a shop as customers. All PAM user groups that are assigned to this shop as products can be requested by the customers. Requested PAM user groups are assigned to the employees after approval is granted.

You can use system roles to group PAM user groups together and assign them to employees as a package. You can create system roles that contain only PAM user groups. You can also group any number of company resources into a system role.

To react quickly to special requests, you can also assign the PAM user groups directly to PAM user accounts.

For detailed information see the following guides:

Topic

Guide

Basic principles for assigning and inheriting company resources

One Identity Manager Identity Management Base Module Administration Guide

One Identity Manager Business Roles Administration Guide

Assigning company resources through IT Shop requests

One Identity Manager IT Shop Administration Guide

System roles

One Identity Manager System Roles Administration Guide

Detailed information about this topic

Prerequisites for indirect assignment of PAM groups to PAM user accounts

In the case of indirect assignment, employees and PAM groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning PAM groups indirectly, check the following settings and modify them if necessary.

  1. Assignment of employees and PAM user groups is permitted for role classes (departments, cost centers, locations, or business roles).

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

    ClosedAllow assignments to role classes of departments, cost centers, locations, or roles

  2. Settings for assigning PAM user groups to PAM user accounts.

    • The PAM user account is labeled with the Groups can be inherited option.

    • The PAM user account is linked to an employee.

    • The PAM user account and the PAM user group belong to the same appliance.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of employees not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Assigning PAM user groups to departments, cost centers, and locations

Assign the PAM user groups to departments, cost centers, or locations so that the PAM user group can be assigned to PAM user accounts through these organizations.

To assign a group to departments, cost centers, or locations (non role-based login)

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select the group in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign groups to a department, cost center, or location (role-based login)

  1. In the Manager, select the Organizations > Departments category.

    - OR -

    In the Manager, select the Organizations > Cost centers category.

    - OR -

    In the Manager, select the Organizations > Locations category.

  2. Select the department, cost center, or location in the result list.

  3. Select the Assign PAM user groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Assigning PAM user groups to business roles

NOTE: This function is only available if the Business Roles Module is installed.

You assign the PAM user group to business roles, so that the PAM user group is assigned to PAM user accounts through these roles.

To assign a group to a business role (non role-based login)

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select the group in the result list.

  3. Select the Assign business roles task.

  4. In the Add assignments pane, select the role class and assign business roles.

    TIP: In the Remove assignments pane, you can remove assigned business roles.

    To remove an assignment

    • Select the business role and double-click .

  5. Save the changes.

To assign groups to a business role (non role-based login)

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Assign PAM user accounts task.

    In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  4. Save the changes.
Related topics
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択