Identity Manager 9.2 - Administration Guide for Privileged Account Governance

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

NOTE: More server functions may be available depending on which modules are installed.

Table 32: Permitted server functions
Server function	Remark
Update server	This server automatically updates the software on all the other servers. The server requires a direct connection to the database server that One Identity Manager database is installed on. It can run SQL tasks. The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.
SQL processing server	It can run SQL tasks. The server requires a direct connection to the database server that One Identity Manager database is installed on. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.
CSV script server	This server can process CSV files using the ScriptComponent process component.
One Identity Manager Service installed	Server on which a One Identity Manager Service is installed.
SMTP host	Server from which One Identity Manager Service sends email notifications. Prerequisite for sending mails using One Identity Manager Service is SMTP host configuration.
Default report server	Server on which reports are generated.
One Identity Safeguard connector	Server on which the One Identity Safeguard connector is installed. This server synchronizes the One Identity Safeguard target system.

Related topics

General main data of Job servers

Configuration parameters for managing a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 33: Configuration parameters for synchronizing a Privileged Account Management system
Configuration parameters	Meaning if Set
TargetSystem \| PAG	Preprocessor relevant configuration parameters for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
TargetSystem \| PAG \| Accounts	Allows configuration of PAM user account data.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword	Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo	Identity that receives the email with the random generated password (manager cost center/department/location/role, identity’s manager or XUserInserted). If no recipient can be found, the e-mail is sent to the address stored in the TargetSystem \| PAG \| DefaultAddress configuration parameter.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplateAccountName	Mail template name that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplatePassword	Mail template name that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.
TargetSystem \| PAG \| Accounts \| MailTemplateDefaultValues	Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Identity - new user account with default properties created mail template is used.
TargetSystem \| PAG \| Accounts \| PrivilegedAccount	Allows configuration of privileged user account settings.
TargetSystem \| PAG \| Accounts \| TransferJPegPhoto	Specifies whether changes to the identity's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when an identity's main data is changed.
TargetSystem \| PAG\| DefaultAddress	Default email address of the recipient for notifications about actions in the target system.
TargetSystem \| PAG \| PersonAutoDefault	Mode for automatic identity assignment for user accounts added to the database outside synchronization.
TargetSystem \| PAG \| PersonAutoDisabledAccounts	Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.
TargetSystem \| PAG \| PersonAutoFullsync	Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.
TargetSystem \| PAG \| PersonExcludeList	Listing of all user account without automatic identity assignment. Names are listed in a pipe (\|) delimited list that is handled as a regular search pattern. Example: ADMINISTRATOR\|GUEST\|KRBTGT\|TSINTERNETUSER\|IUSR_.\|IWAM_.\|SUPPORT_.\|. \| $
TargetSystem \| PAG \| UserObjectAccessThreshold	Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.
TargetSystem \| PAG \| HighRiskIndexThreshold	Risk index values higher than this threshold are considered high. Default is 0.5.
QER \| ITShop \| AutoPublish \| PAGUsrGroup	Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
QER \| ITShop \| AutoPublish \| PAGUsrGroup \| ExcludeList	List of all PAM user groups that are not to be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation. Example: .Administrator.\|.Admins\|.Operators

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema
Schema Type in One Identity Safeguard	Table in the One Identity Manager Schema
Appliance	PAGAppliance
IdentityProvider	PAGIdentityProvider
AuthenticationProvider	PAGAuthProvider
User	PAGUser
UserGroup	PAGUsrGroup
Entitlement	PAGEntl
AccessRequestPolicy	PAGReqPolicy
AccountGroup	PAGAccGroup
Asset	PAGAsset
AssetAccount	PAGAstAccount
AssetGroup	PAGAstGroup
Directory	PAGDirectory
DirectoryAccount	PAGDirAccount
AuditLog	PAGAuditLog
Partition	PAGPartition

Editing One Identity Safeguard system objects

The following table describes permitted editing methods for One Identity Safeguard schema types and the necessary restrictions for processing the system objects.

Table 35: Methods available for editing schema types
Schema type	Read	Paste	Delete	Refresh
Appliance (Appliance)	Yes	No	No	No
User account (User)	Yes	Yes	Yes	Yes
User group (UserGroup)	Yes	No	No	Yes
Identity provider IdentityProvider	Yes	No	No	No
Authentication provider (AuthenticationProvider)	Yes	No	No	No
Directory	Yes	No	No	No
Directory account (DirectoryAccount)	Yes	No	No	No
Asset (Asset)	Yes	No	No	No
Account (AssetAccount)	Yes	No	No	No
Asset group (AssetGroup)	Yes	No	No	No
Account group (AccountGroup)	Yes	No	No	No
Entitlement (Entitlement)	Yes	No	No	No
Access request policy (AccessRequestPolicy)	Yes	No	No	No
Audit logs (AuditLog)	Yes	No	No	No
Partitions (Partition)	Yes	No	No	No

Configuration parameters	Meaning if Set
TargetSystem \| PAG	Preprocessor relevant configuration parameters for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
TargetSystem \| PAG \| Accounts	Allows configuration of PAM user account data.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword	Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo	Identity that receives the email with the random generated password (manager cost center/department/location/role, identity’s manager or XUserInserted). If no recipient can be found, the e-mail is sent to the address stored in the TargetSystem \| PAG \| DefaultAddress configuration parameter.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplateAccountName	Mail template name that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.
TargetSystem \| PAG \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplatePassword	Mail template name that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.
TargetSystem \| PAG \| Accounts \| MailTemplateDefaultValues	Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Identity - new user account with default properties created mail template is used.
TargetSystem \| PAG \| Accounts \| PrivilegedAccount	Allows configuration of privileged user account settings.
TargetSystem \| PAG \| Accounts \| TransferJPegPhoto	Specifies whether changes to the identity's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when an identity's main data is changed.
TargetSystem \| PAG\| DefaultAddress	Default email address of the recipient for notifications about actions in the target system.
TargetSystem \| PAG \| PersonAutoDefault	Mode for automatic identity assignment for user accounts added to the database outside synchronization.
TargetSystem \| PAG \| PersonAutoDisabledAccounts	Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.
TargetSystem \| PAG \| PersonAutoFullsync	Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.
TargetSystem \| PAG \| PersonExcludeList	Listing of all user account without automatic identity assignment. Names are listed in a pipe (\|) delimited list that is handled as a regular search pattern. Example: ADMINISTRATOR\|GUEST\|KRBTGT\|TSINTERNETUSER\|IUSR_.\|IWAM_.\|SUPPORT_.\|. \| $
TargetSystem \| PAG \| UserObjectAccessThreshold	Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.
TargetSystem \| PAG \| HighRiskIndexThreshold	Risk index values higher than this threshold are considered high. Default is 0.5.
QER \| ITShop \| AutoPublish \| PAGUsrGroup	Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
QER \| ITShop \| AutoPublish \| PAGUsrGroup \| ExcludeList	List of all PAM user groups that are not to be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation. Example: .Administrator.\|.Admins\|.Operators

Selecione seu produto:

Para podermos atendê-lo melhor, informe o Propósito de seu chat:

Soluções recomendadas para seu problema

Identity Manager 9.2 - Administration Guide for Privileged Account Governance

Specifying server functions

Related topics

Configuration parameters for managing a Privileged Account Management system

Default project template for One Identity Safeguard

Editing One Identity Safeguard system objects