Chat now with support
Chat with Support

Identity Manager 8.1.2 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Executing synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

Mapping a Privileged Account Management system in One Identity Manager

One Identity Manager offers simplified user account administration for a Privileged Account Management system. One Identity Manager concentrates on setting up and editing user accounts and assigning the user accounts to user groups. Through their user groups, the user accounts receive the required entitlements, for example, for requesting a password for an asset account or a session for the accounts and assets in the Privileged Account Management system. The assignment of entitlements to user groups is not performed in One Identity Manager but in the Privileged Account Management. User groups and requests for passwords and sessions can be requested through the Web Portal.

One Identity Manager provides company employees with the necessary user accounts. For this, you can use different mechanisms to connect employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.

The user accounts, user groups, assets, asset groups, accounts, account groups, directories, entitlements, and access request policies of a One Identity Manager systems are mapped in Privileged Account Management. These objects are imported into the One Identity Manager database during synchronization. This makes it possible to use Identity and Access Governance processes such as attesting, identity audit, user account management and system entitlements, IT Shop, or report subscriptions for Privileged Account Management systems.

Architecture overview

To access the data of a Privileged Account Management system, a connector for the Privileged Account Management system is installed on a synchronization server. The synchronization server ensures data is compared between the One Identity Manager database and the Privileged Account Management system.

One Identity Manager supports synchronization with One Identity Safeguard. The One Identity Safeguard connector of the One Identity Manager uses Windows PowerShell for communication with the One Identity Safeguard appliance.

One Identity Manager users for managing a Privileged Account Management system

The following users are included in setting up and managing a Privileged Account Management system.

Table 1: Users

User

Tasks

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administrate application roles for individual target systems types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employee to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects, like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups for adding to the IT Shop.

  • Can add employees, who have an other identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and defines the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

  • Authorize employees as owners of privileged objects within their area of responsibility.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Product owner for the IT Shop

Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owner application role or a child application role.

Users with this application role:

  • Approve through requests.
  • Edit service items and service categories under their management.

The Request & Fulfillment | IT Shop | Product owner | PAM user groups is used when local PAM user groups are automatically added to the IT Shop.

Owners of privileged objects

Owners of privileged objects, such as PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups must be assigned to an application role under the Privileged Account Governance | Asset and account owners application role.

Users with this application role:

  • Make decisions on the requesting of access requirements for privileged objects.

  • Attest the possible user access to these privileged objects

Configuration parameters

Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data | General | Configuration parameters category.

For more information, see Configuration parameters for the management of a Privileged Account Management system.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents