Chat now with support
Chat with Support

Identity Manager 8.1.1 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Adjusting the synchronization configuration for One Identity Safeguard Executing a synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in Web Portal Basic data for managing a Privileged Account Management system Appendix: Configuration parameters for the management of a Privileged Account Management system Appendix: Default project template for One Identity Safeguard Appendix: Editing One Identity Safeguard system objects Appendix: Known issues About us

Synchronizing a Privileged Account Management system

One Identity Manager supports synchronization with One Identity Safeguard version 2.5 or later. You will find a matching Windows PowerShell module for each version supported on the One Identity Manager installation medium in the Modules\PAG\dvd\AddOn\safeguard-ps directory. Versions without a matching Windows PowerShell module on the One Identity Manager installation medium, are not supported.

One Identity Manager is responsible for synchronizing data between the One Identity Safeguard database and the One Identity Manager Service appliance.

This sections explains:

  • how to set up synchronization to import initial data from a One Identity Safeguard appliance to the One Identity Manager database,
  • how to adjust a synchronization configuration, for example, to synchronize different One Identity Safeguard appliances with the same synchronization project,
  • how to start and deactivate the synchronization,
  • how to evaluate the synchronization results.

TIP: Before you set up synchronization with a One Identity Safeguard appliance, familiarize yourself with the Synchronization Editor. For detailed information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up the initial synchronization of a One Identity Safeguard

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for a target system environment. In addition, the required processes are created that are used for the provisioning of changes to target system objects from the One Identity Manager database into the target system.

Use the One Identity Safeguard synchronization project template to create synchronization projects with which you import the data from a One Identity Safeguard appliance into your One Identity Manager database.

To load objects into the One Identity Manager database for the first time

  1. Prepare a user with sufficient permissions for synchronization in the Privileged Account Management system.

  2. One Identity Manager components for managing Privileged Account Management systems are available if the TargetSystem | PAG configuration parameter is enabled.

    • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  3. Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with a One Identity Safeguard appliance

The following users are involved in synchronizing One Identity Manager with a One Identity Safeguard appliance.

Table 2: Users for synchronization

User

Permissions

Users for accessing the One Identity Safeguard appliance (synchronization users)

On the appliance, you must provide a user account with the following settings for full synchronization of One Identity Safeguard appliance objects with the supplied One Identity Manager default configuration.

  • Authentication provider Certificate

  • Fingerprint of a certificate saved on the appliance as a trusted certificate

  • Permissions:

    • Authorizer

    • User

    • Help Desk

    • Appliance

    • Operations

    • Asset

    • Directory

    • Security policy

For more detailed information about users and certificates in One Identity Safeguard, refer to the One Identity Safeguard Administration Guide.

One Identity Manager Service user account

The user account for One Identity Manager Service requires access rights to carry out operations at file level, for example, assigning user rights and creating and editing directories and files.

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user right

The user account requires access rights to the internal web service.

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)

In the certificate store of the current user, the user account requires the certificate with the private key that is saved on the One Identity Safeguard appliance as a trusted certificate. The certificate must be the same certificate used by the synchronization user.

For more detailed information about certificates in One Identity Safeguard, refer to the One Identity Safeguard Administration Guide.

NOTE: Access via the local system account NT AUTHORITY\SYSTEM is not supported.

User for accessing the One Identity Manager database

The Synchronization default system user is provided for executing synchronization with an application server.

Setting up the One Identity Safeguard synchronization server

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service with the One Identity Safeguard connector must be installed on the synchronization server.

Detailed information about this topic
Related Documents