Chat now with support
Chat with Support

Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Assigning PAM user groups directly to a PAM user account

To react quickly to special requests, you can assign groups directly to the user account. You cannot directly assign groups that have the Only use in IT Shop option.

To assign groups directly to user accounts

  1. In the Manager, select the Privileged Account Management > User accounts category.

  2. Select the user account in the result list.

  3. Select the Assign groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Effectiveness of membership in PAM user groups

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.

The effectiveness of the assignments is mapped in the PAGUserInUsrGroup and PAGBaseTreeHasUsrGroup tables by the XIsInEffect column.

Example: The effect of group memberships
  • Group A is defined with permissions for triggering requests in a appliance. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Clara Harris has a user account in this appliance. She primarily belongs to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an employee from obtaining authorizations of groups A and group B at the same time. That means, groups A, B, and C are mutually exclusive. A user, who is a member of group C cannot be a member of group B at the same time. That means, groups B and C are mutually exclusive.

Table 12: Specifying excluded groups (PAGUsrGroupExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 13: Effective assignments

Employee

Member in role

Effective group

Ben King

Marketing

Group A

Jan Bloggs

Marketing, finance

Group B

Clara Harris

Marketing, finance, control group

Group C

Jenny Basset

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.

Table 14: Excluded groups and effective assignments

Employee

Member in role

Assigned group

Excluded group

Effective group

Jenny Basset

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive groups belong to the same appliance.

To exclude a group

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select a group in the result list.

  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are no longer mutually exclusive.

  5. Save the changes.

PAM user group inheritance based on categories

In One Identity Manager, user accounts can selectively inherit user groups. To do this, user groups and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The template contains two tables; the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. In the group table, enter your categories for the target system-dependent groups. In the other tables, enter your categories for the user groups. Each table contains the category positions position 1 to position 63.

Every user account can be assigned to one or more categories. Each entitlement can also be assigned to one or more categories. If at least one of the category items between the user account and the assigned entitlement is the same, the entitlement is inherited by the user account. If the entitlement or the user account is not classified in a category, the entitlement is also inherited by the user account.

NOTE: Inheritance through categories is only taken into account when entitlements are assigned indirectly through hierarchical roles. Categories are not taken into account when entitlements are directly assigned to user accounts.
Table 15: Category examples
Category position Categories for user accounts Categories for permissions
1 Default user Default group or standard product
2 Administrator Administrator group

Figure 1: Example of inheriting through categories.

To use inheritance through categories

  1. Define the categories on the appliance.

  2. Assign categories to user accounts through their main data.

  3. Assign categories to groups through their main data.

Related topics

Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Examples:
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.

  • If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.

  • If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.

  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.

  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.

  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.

  • By clicking the button in a role's control, you display all employees in the role with the base object.

  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 2: Toolbar of the Overview of all assignments report.

Table 16: Meaning of icons in the report toolbar

Icon

Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating