Chat now with support
Chat with Support

Identity Manager 8.1.5 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Executing synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

Managing PAM user accounts and employees

The main feature of One Identity Manager is to map employees together with the master data and permissions available to them in different target systems. To achieve this, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This provides an overview of the permissions for each employee in all of the connected target systems. One Identity Manager offers the option of managing user accounts and their permissions. You can provision modifications in the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between target systems and the One Identity Manager database.

Because requirements vary between companies, One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following methods for linking employees and their user accounts:

  • Employees can automatically obtain their account definitions using user account resources. If an employee does not yet have a user account in an appliance, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism and subsequent process handling.

    When you manage account definitions through user accounts, you can specify the way user accounts behave when employees are enabled or deleted.

  • When user accounts are inserted, they can be automatically assigned to an existing employee or a new employee can be created if necessary. In the process, the employee master data is created on the basis of existing user account master data. This mechanism can be implemented if a new user account is created manually or by synchronization. However, this is not the One Identity Manager default method. You must define criteria for finding employees for automatic employee assignment.
  • Employees and user accounts can be entered manually and assigned to each other.

For more detailed information about employee handling and administration, see the One Identity Manager Target System Base Module Administration Guide.

Related topics

Account definitions for PAM user accounts

One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an employee.

Specify the manage level for an account definition for managing user accounts. The user account’s manage level specifies the extent of the employee’s properties that are inherited by the user account. This allows an employee to have several user accounts in one target system, for example:

  • Default user account that inherits all properties from the employee.
  • Administrative user account that is associated to an employee but should not inherit the properties from the employee.

For more detailed information about the principles of account definitions, manage levels, and determining the valid IT operating data, see the One Identity Manager Target System Base Module Administration Guide.

The following steps are required to implement an account definition:

  • Creating account definitions

  • Configuring manage levels

  • Creating the formatting rules for IT operating data

  • Collecting IT operating data

  • Assigning account definitions to employees and target systems

Detailed information about this topic

Creating account definitions

To create a new account definition

  1. In the Manager, select the Privileged Account Management | Basic configuration data | Account definitions | Account definitions category.

  2. Click in the result list.

  3. On the master data form, enter the master data for the account definition.

  4. Save the changes.

Related topics

Editing account definitions

To edit an account definition

  1. In the Manager, select the Privileged Account Management | Basic configuration data | Account definitions | Account definitions category.

  2. Select an account definition in the result list.

  3. Select the Change master data task.

  4. Enter the account definition's master data.

  5. Save the changes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating