Converse agora com nosso suporte
Chat com o suporte

Identity Manager 8.1.5 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Executing synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

Specifying server functions

NOTE: All editing options are also available in the Designer under Base Data | Installation | Job server.

The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

NOTE: More server functions may be available depending on which modules are installed.
Table 34: Permitted server functions

Server function

Remark

Update server

This server automatically updates the software on all the other servers. The server requires a direct connection to the database server that One Identity Manager database is installed on. It can run SQL tasks.

The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.

SQL processing server

It can run SQL tasks. The server requires a direct connection to the database server that One Identity Manager database is installed on.

Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

CSV script server

This server can process CSV files using the ScriptComponent process component.

One Identity Manager Service installed

Server on which a One Identity Manager Service is installed.

SMTP host

Server from which One Identity Manager Service sends email notifications. Prerequisite for sending mails using One Identity Manager Service is SMTP host configuration.

Default report server

Server on which reports are generated.

One Identity Safeguard connector

Server on which the One Identity Safeguard connector is installed. This server synchronizes the One Identity Safeguard target system.

Related topics

Target system managers for PAM systems

A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who are permitted to edit all appliances in One Identity Manager.

Define additional application roles if you want to limit the edit permissions for target system managers to individual appliances. The application roles must be added under the default application role.

For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers

  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the Privileged Account Management systems in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual PAM systems.

Table 35: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have an other identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

  • Authorize employees as owners of privileged objects within their area of responsibility.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)
  2. Select the One Identity Manager Administration | Target systems | Administrators category.
  3. Select the Assign employees task.
  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration | Target systems | Privileged Account Management category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Privileged Account Management | Basic configuration data | Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual Privileged Account Management systems

  1. Log in to the Manager as a target system manager.

  2. Select the Privileged Account Management | Appliances category.

  3. Select the appliance in the result list.

  4. Select the Change master data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Privileged Account Management parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.

  7. Assign employees to this application role who are permitted to edit the system in One Identity Manager.

Related topics

Configuration parameters for the management of a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 36: Configuration parameters for synchronizing a Privileged Account Management system

Configuration parameter

 Meaning if Set

TargetSystem | PAG

Preprocessor relevant configuration parameters for controlling the model components for the administration of Privileged Account Management systems. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

TargetSystem | PAG | Accounts

Parameter for configuring PAM user account data.

TargetSystem | PAG | Accounts | InitialRandomPassword

This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo

Specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/role, employee’s manager or XUserInserted). If no recipient can be found, the e-mail is sent to the address stored in the TargetSystem | PAG | DefaultAddress configuration parameter.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to provide users with the login data for their user accounts. The Employee - new user account created mail template is used.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

This configuration parameter contains the name of the mail template sent to provide users with information about their initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | PAG | Accounts | MailTemplateDefaultValues

This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | PAG | Accounts | PrivilegedAccount

This configuration parameter allows configuration of settings for privileged user accounts.

TargetSystem | PAG | Accounts | TransferJPegPhoto

This configuration parameter specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | PAG| DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem | PAG | PersonAutoDefault

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | PAG | PersonAutoDisabledAccounts

This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. User accounts do not obtain an account definition.

TargetSystem | PAG | PersonAutoFullsync

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

TargetSystem | PAG | PersonExcludeList

List of all user accounts for which automatic employee assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The template uses mappings for the following schema types.

Table 37: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema
Schema Type in One Identity Safeguard Table in the One Identity Manager Schema
Appliance PAGAppliance
IdentityProvider PAGIdentityProvider

AuthenticationProvider

PAGAuthProvider

User PAGUser
UserGroup PAGUsrGroup
Entitlement PAGEntl
AccessRequestPolicy PAGReqPolicy
AccountGroup PAGAccGroup
Asset PAGAsset
AssetAccount PAGAstAccount
AssetGroup PAGAstGroup
Directory PAGDirectory
DirectoryAccount PAGDirAccount
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação