지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Editing PAM Job servers

To edit a Job server and its functions

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Server category.

  2. Select the Job server entry in the result list.

  3. Select the Change main data task.

  4. Edit the Job server's main data.

  5. Select the Assign server functions task and specify server functionality.

  6. Save the changes.
Detailed information about this topic

General main data of Job servers

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

NOTE: More properties may be available depending on which modules are installed.

Table 31: Job server properties

Property

Meaning

Server

Job server name.

Full server name

Full server name in accordance with DNS syntax.

Syntax:

<Name of servers>.<Fully qualified domain name>

Target system

Computer account target system.

Language

Language of the server.

Server is cluster

Specifies whether the server maps a cluster.

Server belongs to cluster

Cluster to which the server belongs.

NOTE: The Server is cluster and Server belongs to cluster properties are mutually exclusive.

IP address (IPv6)

Internet protocol version 6 (IPv6) server address.

IP address (IPv4)

Internet protocol version 4 (IPv4) server address.

Copy process (source server)

Permitted copying methods that can be used when this server is the source of a copy action. At present, only copy methods that support the Robocopy and rsync programs are supported.

If no method is given, the One Identity Manager Service determines the operating system of the server during runtime. Replication is then performed with the Robocopy program between servers with a Windows operating system or with the rsync program between servers with a Linux operating system. If the operating systems of the source and destination servers differ, it is important that the right copy method is applied for successful replication. A copy method is chosen that supports both servers.

Copy process (target server)

Permitted copying methods that can be used when this server is the destination of a copy action.

Coding

Character set coding that is used to write files to the server.

Parent Job server

Name of the parent Job server.

Executing server

Name of the executing server. The name of the server that exists physically and where the processes are handled.

This input is evaluated when the One Identity Manager Service is automatically updated. If the server is handling several queues, the process steps are not supplied until all the queues that are being processed on the same server have completed their automatic update.

Queue

Name of the queue to handle the process steps. The process steps are requested by the Job queue using this queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

Server operating system

Operating system of the server. This input is required to resolve the path name for replicating software profiles. The values Win32, Windows, Linux, and Unix are permitted. If no value is specified, Win32 is used.

Service account data

One Identity Manager Service user account information. In order to replicate between non-trusted systems (non-trusted domains, Linux server), the One Identity Manager Service user information has to be declared for the servers in the database. This means that the service account, the service account domain, and the service account password have to be entered for the server.

One Identity Manager Service installed

Specifies whether a One Identity Manager Service is installed on this server. This option is enabled by the QBM_PJobQueueLoad procedure the moment the queue is called for the first time.

The option is not automatically removed. If necessary, you can reset this option manually for servers whose queue is no longer enabled.

Stop One Identity Manager Service

Specifies whether the One Identity Manager Service has stopped. If this option is set for the Job server, the One Identity Manager Service does not process any more tasks.

You can make the service start and stop with the appropriate administrative permissions in the Job Queue Info program. For more information, see the One Identity Manager Process Monitoring and Troubleshooting Guide.

No automatic software update

Specifies whether to exclude the server from automatic software updating.

NOTE: Servers must be manually updated if this option is set.

Software update running

Specifies whether a software update is currently running.

Server function

Server functionality in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

Related topics

Specifying server functions

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

NOTE: More server functions may be available depending on which modules are installed.
Table 32: Permitted server functions

Server function

Remark

Update server

This server automatically updates the software on all the other servers. The server requires a direct connection to the database server that One Identity Manager database is installed on. It can run SQL tasks.

The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.

SQL processing server

It can run SQL tasks. The server requires a direct connection to the database server that One Identity Manager database is installed on.

Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

CSV script server

This server can process CSV files using the ScriptComponent process component.

One Identity Manager Service installed

Server on which a One Identity Manager Service is installed.

SMTP host

Server from which One Identity Manager Service sends email notifications. Prerequisite for sending mails using One Identity Manager Service is SMTP host configuration.

Default report server

Server on which reports are generated.

One Identity Safeguard connector

Server on which the One Identity Safeguard connector is installed. This server synchronizes the One Identity Safeguard target system.

Related topics

Configuration parameters for managing a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 33: Configuration parameters for synchronizing a Privileged Account Management system

Configuration parameters

Meaning if Set

TargetSystem | PAG

Preprocessor relevant configuration parameters for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | PAG | Accounts

Allows configuration of PAM user account data.

TargetSystem | PAG | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo

Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the e-mail is sent to the address stored in the TargetSystem | PAG | DefaultAddress configuration parameter.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | PAG | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | PAG | Accounts | PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | PAG | Accounts | TransferJPegPhoto

Specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | PAG| DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | PAG | PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | PAG | PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | PAG | PersonAutoFullsync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | PAG | PersonExcludeList

List of all user accounts that must not be automatically assigned to employees. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | PAG | UserObjectAccessThreshold

Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.

TargetSystem | PAG | HighRiskIndexThreshold

Risk index values higher than this threshold are considered high. Default is 0.5.

QER | ITShop | AutoPublish | PAGUsrGroup

Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList

List of all PAM user groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

Example: .*Administrator.*|.*Admins|.*Operators

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택