About this guide
The One Identity Manager Administration Guide for Privileged Account Governance describes how you set up synchronization of One Identity Safeguard with One Identity Manager. You will discover, which user accounts, user groups, assets, asset groups, accounts, account groups, directories, entitlements, and access request policies of a Privileged Account Management system are mapped in One Identity Manager.
This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.
NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.
Available documentation
You can access One Identity Manager documentation in the Manager and in the Designer by selecting the Help > Search menu item. The online version of One Identity Manager documentation is available in the Support portal under Technical Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.
Managing a Privileged Account Management system in One Identity Manager
One Identity Manager offers simplified user account administration for a Privileged Account Management system. One Identity Manager concentrates on setting up and editing user accounts and assigning the user accounts to user groups. Through their user groups, the user accounts receive the required entitlements, for example, for requesting a password for an asset account or a session for the accounts and assets in the Privileged Account Management system. The assignment of entitlements to user groups is not performed in One Identity Manager but in the Privileged Account Management. User groups and requests for passwords and sessions can be requested through the Web Portal.
One Identity Manager provides company identities with the necessary user accounts. There are different ways for you to connect identities to their user accounts. You can also manage user accounts independently of identities and thus set up administrator user accounts.
The user accounts, user groups, assets, asset groups, accounts, account groups, directories, entitlements, and access request policies of a One Identity Manager systems are mapped in Privileged Account Management. These objects are imported into the One Identity Manager database during synchronization. This makes it possible to use Identity and Access Governance processes such as attesting, identity audit, user account management and system entitlements, IT Shop, or report subscriptions for Privileged Account Management systems.
NOTE: The Privileged Account Governance Module must be installed as a prerequisite for managing Privileged Account Management systems in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.
Architecture overview
To access the data of a Privileged Account Management system, a connector for the Privileged Account Management system is installed on a synchronization server. The synchronization server ensures data is compared between the One Identity Manager database and the Privileged Account Management system.
One Identity Manager supports synchronization with One Identity Safeguard. The One Identity Safeguard connector of the One Identity Manager uses PowerShell for communication with the One Identity Safeguard appliance.
One Identity Manager users for managing Privileged Account Management
The following users are included in setting up and administration of Privileged Account Management.
Table 1: Users
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
-
Administer application roles for individual target system types.
-
Specify the target system manager.
-
Set up other application roles for target system managers if required.
-
Specify which application roles for target system managers are mutually exclusive.
-
Authorize other identities to be target system administrators.
-
Do not assume any administrative tasks within the target system. |
Target system managers |
Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects.
-
Edit password policies for the target system.
-
Prepare groups to add to the IT Shop.
-
Can add identities that do not have the Primary identity identity type.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other identities within their area of responsibility as target system managers and create child application roles if required.
-
Authorize identities as owners of privileged objects within their area of responsibility. |
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required.
-
Create and configure password policies as required. |
Product owner for the IT Shop |
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
The Request & Fulfillment | IT Shop | Product owner | PAM user groups is used when local PAM user groups are automatically added to the IT Shop. |
Owners of privileged objects |
Owners of privileged objects, such as PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups must be assigned to an application role under the Privileged Account Governance | Asset and account owners application role.
Users with this application role:
|
Administrators for the IT Shop |
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:
|
Administrators for organizations |
Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:
|
Business roles administrators |
Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
|