Chat now with support
Chat with Support

Identity Manager 8.2 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Automatically determining the owners

Initially, approvers of access request policies automatically become owners of PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups and PAM account groups. This assignment only takes place if an access request policy can be determined for a PAM object.

  • For each access request policy, a new application role is created for the owner under the Privileged Account Governance | Asset and account owners application role.

  • The role approvers of an access request policy are added to the application role.

  • The application is assigned to the PAM asserts, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups within the policy's scope.

  • If there are several access policies defined for a PAM object, the valid application roles are determined through the access request policy's entitlements. The PAM object owners are determined by the following order:

    1. Application roles of access request policies with low priority entitlements

    2. Application roles of access request policies with the lowest priority

NOTE:

  • An application role for owners is only assigned automatically to a PAM object if an application role is not already assigned to the PAM object. Any existing assignment is not changed.

  • Owner are only determined initially. Changes to the role approver of an access request policy are not automatically added to the associated application role. Change the employee assigned to the application manually, if required.

  • Owners cannot be determined for access request policies that are automatically approved in One Identity Safeguard. In this case, assign employees manually to the application role.

Related topics

Manually specifying employees as PAM object owners

In addition to automatically determining the owners, you can specify the owners manually.

To manually specify employees as owners

  1. Log in to Manager as target system manager.

  2. In the Privileged Account Management > Basic configuration data > Asset and account owners category, select the application role.

  3. Select the Assign employees task.

  4. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click .

  5. Save the changes.
Related topics

Manually specifying application roles for PAM object owners

Application roles are created when owner are determined automatically. You can specify further application roles manually.

To specify an application role for a PAM object owner

  1. In the Manager, select one of the following filters in the Privileged Account Management > Appliances > <appliance> > Privileged objects category.

    • To specify an application role for an asset, select Assets.

    • To specify an application role for an asset group. select Asset group.

    • To specify an application role for an asset account, select Asset account.

    • To specify an application role for a directory account, select Directory account.

    • To specify an application role for an account group, select Account group.

  2. In the result list, select the PAM object.

  3. Select the Change main data task.

  4. On the General tab, select the application role in the Owner (Application Role) selection list.

    - OR -

    Next to the Owner (Application Role) list, click on to create a new application role.

    1. Enter the application role name and assign the parent application role Privileged Account Governance | Asset and account owners.

    2. Click OK to add the new application role.

  5. Assign employees, who are owners, to the application role.

Related topics

Configuring PAM access request policies

Access requests for assets, asset accounts, directory accounts, asset groups, and account groups can only be requested if the One Identity Manager enabled option is activated in the access request policy.

To configure the access request policy

  1. In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change main data task.

  4. On the General tab, check the One Identity Manager enabled option.

    • If this option is set, access requests can be requested for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

    • If this option is not set, is not possible to request access requests for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating