Reports about PAM objects
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for PAM systems.
Table 27: Data quality target system report
Report | Base object | Description
Show overview | User account | This report shows an overview of the user account and the assigned permissions.
Show overview including origin | User account | This report shows an overview of the user account and the origin of the assigned permissions.
Show overview including history | User account | This report shows an overview of the user account including its history. Select the end date for displaying the history (Min. date). Older changes, and assignments that were removed before this date, are not shown in the report.
Overview of all assignments | User group | This report finds all roles containing employees who have the selected system entitlement.
Show overview | User group | This report shows an overview of the system entitlement and its assignments.
Show overview including origin | User group | This report shows an overview of the system entitlement and the origin of the assigned user accounts.
Show overview including history | User group | This report shows an overview of the system entitlement including its history. Select the end date for displaying the history (Min. date). Older changes, and assignments that were removed before this date, are not shown in the report.
Show entitlement drifts | Appliance | This report shows all system entitlements that are the result of manual operations in the target system rather than being provisioned by One Identity Manager.
Show user accounts overview (incl. history) | Appliance | This report returns all user accounts with their permissions, including a history. Select the end date for displaying the history (Min. date). Older changes, and assignments that were removed before this date, are not shown in the report.
Show user accounts with an above average number of system entitlements | Appliance | This report contains all user accounts with an above average number of system entitlements.
Show employees with multiple user accounts | Appliance | This report shows all employees that have multiple user accounts. The report contains a risk assessment.
Show system entitlements overview (incl. history) | Appliance | This report shows the system entitlements with the assigned user accounts, including a history. Select the end date for displaying the history (Min. date). Older changes, and assignments that were removed before this date, are not shown in the report.
Overview of all assignments | Appliance | This report finds all roles containing employees with at least one user account in the selected target system.
Show unused user accounts | Appliance | This report contains all user accounts that have not been used in the last few months.
Show orphaned user accounts | Appliance | This report shows all user accounts to which no employee is assigned.
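The appliance-level reports above (entitlement drift, above average entitlements, employees with multiple accounts, unused and orphaned accounts) are the checks a reviewer most often wants to reproduce outside the product, for example against an export of the PAM appliance. The following is an added example in Python and is not One Identity Manager code: it implements those checks over constructed sample data. The record layout, the 90-day idle threshold for "unused", and every name in it are assumptions for illustration.

```python
"""Data quality checks of the kind the PAM appliance reports describe, run
over constructed sample data. Added example, not One Identity Manager code;
the record layout, names and the 90-day "unused" threshold are assumptions."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample data. Each record is one PAM user account as read from
# the target system; "entitlements" is what the target system actually holds.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"name": "alice.admin", "employee": "Alice Smith",
     "last_login": date(2024, 5, 30), "entitlements": {"LinuxAdmins", "DBAdmins"}},
    {"name": "bob.ops", "employee": "Bob Jones", "last_login": date(2024, 5, 28),
     "entitlements": {"LinuxAdmins", "DBAdmins", "NetworkAdmins",
                      "BackupOperators", "Auditors"}},
    {"name": "bob.ops2", "employee": "Bob Jones",
     "last_login": date(2024, 1, 2), "entitlements": {"Auditors"}},
    {"name": "svc_legacy", "employee": None,
     "last_login": date(2023, 11, 15), "entitlements": {"BackupOperators"}},
    {"name": "carol.dba", "employee": "Carol White",
     "last_login": None, "entitlements": {"DBAdmins"}},
]
# What One Identity Manager itself provisioned for each account (constructed).
PROVISIONED = {
    "alice.admin": {"LinuxAdmins", "DBAdmins"},
    "bob.ops": {"LinuxAdmins", "DBAdmins", "Auditors"},
    "bob.ops2": {"Auditors"},
    "svc_legacy": set(),
    "carol.dba": {"DBAdmins"},
}


def entitlement_drift(accounts, provisioned):
    """Entitlements present in the target system but not provisioned by
    One Identity Manager, i.e. granted by hand in the appliance. An account
    unknown to the provisioning record counts as fully drifted."""
    drift = {}
    for acc in accounts:
        extra = acc["entitlements"] - provisioned.get(acc["name"], set())
        if extra:
            drift[acc["name"]] = extra
    return drift


def above_average_entitlements(accounts):
    """Accounts holding strictly more entitlements than the appliance average."""
    avg = mean(len(a["entitlements"]) for a in accounts)
    return sorted(a["name"] for a in accounts if len(a["entitlements"]) > avg)


def employees_with_multiple_accounts(accounts):
    """Employee -> sorted account names, for employees with more than one account."""
    by_employee = defaultdict(list)
    for acc in accounts:
        if acc["employee"] is not None:
            by_employee[acc["employee"]].append(acc["name"])
    return {emp: sorted(names) for emp, names in by_employee.items() if len(names) > 1}


def unused_accounts(accounts, today, max_idle_days=90):
    """Accounts with no login within max_idle_days; never-used accounts included."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["name"] for a in accounts
                  if a["last_login"] is None or a["last_login"] < cutoff)


def orphaned_accounts(accounts):
    """Accounts to which no employee is assigned."""
    return sorted(a["name"] for a in accounts if a["employee"] is None)


if __name__ == "__main__":
    print("drift:", entitlement_drift(ACCOUNTS, PROVISIONED))
    print("above average:", above_average_entitlements(ACCOUNTS))
    print("multiple accounts:", employees_with_multiple_accounts(ACCOUNTS))
    print("unused:", unused_accounts(ACCOUNTS, TODAY))
    print("orphaned:", orphaned_accounts(ACCOUNTS))
```

Note that drift is computed as a set difference against what was provisioned, so an account the provisioning record has never seen shows all of its entitlements as drift; that is usually the right alarm, since such an account was created outside the provisioning path.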
Table 28: Additional reports for the target system
Report | Description
PAM user account and group administration | This report contains a summary of user account and group distribution in all PAM appliances. You can find the report in the My One Identity Manager > Target system overviews category.
Data quality summary for PAM user accounts | This report contains different evaluations of user account data quality in all PAM appliances. You can find the report in the My One Identity Manager > Data quality analysis category.
PAM access requests
In One Identity Manager, you can request access to assets, asset accounts, directory accounts, asset groups, and account groups in a PAM system. The following products are available in the IT Shop for this purpose:
- Password release request: To request passwords for accounts in a PAM system.
- SSH key request: To request SSH keys for accounts in a PAM system.
- SSH session request: To request SSH sessions for assets in a PAM system.
- Remote Desktop session request: To request remote desktop sessions for assets in a PAM system.
- Telnet session request: To request Telnet sessions for assets in a PAM system.
Access requests are placed in the Web Portal. After the request is approved, a corresponding access request is created in the PAM system. To check out the requested password or start the requested session, the user logs on to the PAM system.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about placing access requests in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.
System requirements for requesting PAM access requests
Access requests in the PAM system are created by process and script handling on a Job server. That Job server must be configured in the same way as the synchronization server (installed software, and the entitlements and certificates of the user account); the straightforward way to guarantee this is to use the synchronization server itself.
In One Identity Safeguard, the following prerequisites must be met:
- The application-to-application service is enabled.
- An application with the following properties has been registered and activated:
  - Name: One Identity Manager
  - Certificate user: the user for access to the One Identity Safeguard appliance (the synchronization user)
  - Access request broker: activated. At least one user or user group for which One Identity Safeguard is to determine the access must be assigned to the access request broker. One Identity Manager updates this list when it creates access requests.
- To generate valid access requests whenever possible, do not set time restrictions on the entitlements and access request policies.
For more information about setting up the application-to-application service in One Identity Safeguard and configuring entitlements and access request policies, see the One Identity Safeguard Administration Guide.
Requesting PAM access requests
By requesting these standard products, access requests for privileged objects of a PAM system can be created. The products are multi-request resources.
Table 29: Default objects for requesting access requests
Products: Password release request (passwords for accounts in a PAM system), SSH key request (SSH keys for accounts), SSH session request (SSH sessions for assets), Remote Desktop session request (remote desktop sessions for assets), Telnet session request (Telnet sessions for assets)
Service category: Privileged access requests
Shelf: Identity & Access Lifecycle | Privileged access
Approval procedure: PG - owners of the requested privileged access request
Approval policies/approval workflows: Approval of privileged access requests
The requester provides the details of the required access, such as the product and the asset or account to be accessed, together with the time period for the access. The owner of the privileged object for which access is requested approves the request. A corresponding access request is then created in the PAM system.
The request records whether the access request could be created in the PAM system and whether it was approved there. The status of an access request in the PAM system is checked at regular intervals by the Read status of privileged access requests schedule.
If the access request has been approved, the user can log on to the PAM system and retrieve the required password or start the required session.
Prerequisites
- The requester's PAM user account has the entitlement for requesting the access request.
- In the access request policy, the One Identity Manager enabled option is activated. This allows access requests for assets, asset accounts, directory accounts, asset groups, and account groups within the access request policy's scope.
- An application role under Privileged Account Governance | Assets and account owners is assigned as owner to the requestable assets, asset accounts, directory accounts, asset groups, and account groups.
- Employees are assigned to these application roles.
- The Read status of privileged access requests schedule is enabled. Adjust the schedule in the Designer if necessary.
- The URL of the PAM web application is entered on the appliance. This lets users log on to the PAM system from the Web Portal to retrieve the password or start a session.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about placing access requests in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.
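The request lifecycle described above has several hand-offs (prerequisite check, owner approval in One Identity Manager, creation in the PAM system, periodic status read-back, check-out) and a failure can be recorded at each of them. The following is an added example in Python, not One Identity Manager or One Identity Safeguard code: it models that lifecycle against an in-memory stand-in for the PAM side so the ordering and the recorded flags are visible. Every name in it (Appliance, Policy, Request, FakePam, the "PendingApproval" and "Approved" states) and the constructed configuration are assumptions for illustration.

```python
"""Lifecycle of a PAM access request: preflight of the prerequisites, owner
approval, creation in the PAM system and the periodic status read-back.
Added example against an in-memory stand-in for the PAM side; not One Identity
Manager or One Identity Safeguard code. All names and states are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Policy:
    oim_enabled: bool   # the policy's "One Identity Manager enabled" option
    scope: Set[str]     # assets / accounts covered by the policy

@dataclass
class Appliance:
    web_url: Optional[str]                  # URL of the PAM web application
    pam_entitlements: Dict[str, Set[str]]   # PAM user account -> policies it may request
    policies: Dict[str, Policy]
    owners: Dict[str, Optional[str]]        # privileged object -> owner application role
    role_members: Dict[str, List[str]]      # application role -> employees
    status_schedule_enabled: bool = True    # "Read status of privileged access requests"

@dataclass
class Request:
    requester: str
    obj: str
    policy: str
    owner_approved: bool = False
    pam_id: Optional[str] = None            # id on the PAM side once created there
    created_in_pam: Optional[bool] = None   # noted on the request, as the text says
    approved_in_pam: Optional[bool] = None

def preflight(app: Appliance, req: Request) -> List[str]:
    """Unmet prerequisites from the list above; empty means the request can be placed."""
    problems = []
    if req.policy not in app.pam_entitlements.get(req.requester, set()):
        problems.append("requester's PAM user account lacks the entitlement")
    pol = app.policies.get(req.policy)
    if pol is None or not pol.oim_enabled:
        problems.append("access request policy is not One Identity Manager enabled")
    elif req.obj not in pol.scope:
        problems.append("requested object is outside the policy scope")
    role = app.owners.get(req.obj)
    if role is None:
        problems.append("no owner application role assigned to the object")
    elif not app.role_members.get(role):
        problems.append("owner application role has no employees")
    if not app.status_schedule_enabled:
        problems.append("status schedule is disabled")
    if not app.web_url:
        problems.append("PAM web application URL missing on the appliance")
    return problems

class FakePam:
    """Stand-in for the PAM system: the request is approved on this side as well."""
    def __init__(self):
        self._state: Dict[str, str] = {}
    def create(self, requester: str, obj: str, policy: str) -> str:
        rid = f"AR-{len(self._state) + 1}"
        self._state[rid] = "PendingApproval"
        return rid
    def approve(self, rid: str) -> None:
        self._state[rid] = "Approved"
    def state(self, rid: str) -> str:
        return self._state[rid]

def owner_approve(app: Appliance, req: Request, approver: str) -> bool:
    """Approval step in One Identity Manager: only a member of the owner role may approve."""
    role = app.owners.get(req.obj)
    if role and approver in app.role_members.get(role, []):
        req.owner_approved = True
    return req.owner_approved

def provision_to_pam(pam: FakePam, req: Request) -> bool:
    """After approval, create the request in the PAM system and note whether that worked."""
    if not req.owner_approved or req.pam_id is not None:
        return False
    try:
        req.pam_id = pam.create(req.requester, req.obj, req.policy)
        req.created_in_pam = True
    except Exception:
        req.created_in_pam = False
    return req.created_in_pam

def read_status(pam: FakePam, req: Request) -> Optional[bool]:
    """One run of the status schedule: read the PAM-side approval state back."""
    if req.pam_id is None:
        return None
    req.approved_in_pam = pam.state(req.pam_id) == "Approved"
    return req.approved_in_pam

def can_check_out(app: Appliance, req: Request) -> bool:
    """Check-out is possible only after PAM-side approval and with a web URL to send the user to."""
    return bool(req.approved_in_pam and app.web_url)

def demo_appliance() -> Appliance:
    """Constructed sample configuration, not real data."""
    owner_role = "Privileged Account Governance | Assets and account owners | DB servers"
    return Appliance(
        web_url="https://pam.example.test",
        pam_entitlements={"alice": {"DBA access"}},
        policies={"DBA access": Policy(True, {"srv-db01", "srv-db02"})},
        owners={"srv-db01": owner_role, "srv-db02": None},
        role_members={owner_role: ["Carol White"]},
    )
```

The point to take from the model is that "approved" means two different things: owner approval in One Identity Manager only triggers creation of the request in the PAM system, and the user can check out only once the status schedule has read back an approval from the PAM side. A request that was created but never approved there stays blocked even though the One Identity Manager approval step is complete.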