When new user accounts are created in One Identity Manager, the passwords needed to log in to the target system are created immediately also. Various options are available for assigning the initial password. Predefined password policies are applied to the passwords, and you can adjust these policies to suit your individual requirements if necessary. You can set up email notifications to distribute the login information generated to users.
Mapping a Privileged Account Management system in One Identity Manager
Architecture overview
One Identity Manager users for managing Privileged Account Management
Configuration parameters
Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard
Managing PAM user accounts and employees
Users and permissions for synchronizing with a One Identity Safeguard appliance
Setting up the One Identity Safeguard synchronization server
Customizing the synchronization configuration for One Identity Safeguard
System requirements for the One Identity Safeguard synchronization server
Installing the safeguard-ps Windows PowerShell module
Installing One Identity Manager Service with One Identity Safeguard connector
Preparing the administrative workstation for access to the One Identity Safeguard appliance
Preparing a remote connection server for access to the One Identity Safeguard appliance
Creating a synchronization project for initial synchronization of a One Identity Safeguard appliance
Information required for setting up a synchronization project
Creating an initial synchronization project for One Identity Safeguard
Configuring the synchronization log
Configuring synchronization to a One Identity Safeguard appliance
Configuring synchronization of multiple One Identity Safeguard appliances
Updating schemas
Speeding up synchronization with revision filtering
Configuring the provisioning of memberships
Configuring single object synchronization
Accelerating provisioning and single object synchronization
Adjusting the Windows PowerShell definition of the One Identity Safeguard connector
Executing synchronization
Starting synchronization
Displaying synchronization results
Deactivating synchronization
Synchronizing single objects
Tasks after a synchronization
Post-processing outstanding objects
Adding custom tables to the target system synchronization
Managing PAM user accounts through account definitions
Troubleshooting
Account definitions for PAM user accounts
Managing the assignments of PAM user groups
Creating account definitions
Editing account definitions
Master data for account definitions
Editing manage levels
Creating manage levels
Master data for manage levels
creating mapping rules for IT operating data
Entering IT operating data
Modify IT operating data
Assigning account definitions to employees
Automatic assignment of employees to PAM user accounts
Assigning account definitions to departments, cost centers, and locations
Assigning account definitions to business roles
Assigning account definitions to all employees
Assigning account definitions directly to employees
Assigning account definitions to system roles
Adding account definitions in the IT Shop
Assigning account definitions to PAM appliances
Deleting account definitions
Editing search criteria for automatic employee assignment
Changing manage levels for PAM user accounts
Assigning account definitions to linked PAM user accounts
Manually linking employees to PAM user accounts
Supported user account types
Assigning PAM user groups to PAM user accounts in One Identity Manager
Provision of login information for PAM user accounts
Assigning PAM user groups to departments, cost centers, and locations
Assigning PAM user groups to business roles
Adding PAM user groups to system roles
Adding PAM user groups to the IT Shop
Adding local PAM user groups to the IT Shop automatically
Assigning PAM user accounts directly to a PAM user group
Assigning PAM user groups directly to a PAM user account
Effects of PAM user group memberships
PAM user group inheritance based on categories
Overview of all assignments
Password policies for PAM users
Mapping of PAM objects in One Identity Manager
Predefined password policies
Using password policies
Editing password policies
Creating password policies
General master data for password policies
Policy settings
Character classes for passwords
Custom scripts for password requirements
Editing the excluded list for passwords
Checking passwords
Testing the generation of passwords
Initial password for new PAM user accounts
Email notifications about login data
PAM appliances
PAM access requests
Creating PAM appliances
Editing the master data for PAM appliances
General master data for PAM appliances
Defining categories for the inheritance of PAM user groups
Additional tasks for managing PAM appliances
PAM user accounts
Creating local PAM user accounts
Creating certificate-based PAM user accounts
Creating PAM user accounts for directory users
Editing master data for PAM user accounts
General master data for PAM user accounts
Contact information for PAM user accounts
Secondary authentication for PAM user accounts
Administrative entitlements for PAM user accounts
Additional tasks for managing PAM user accounts
Disabling PAM user accounts
Deleting and restoring PAM user accounts
PAM user groups
Editing master data for PAM user groups
General master data for PAM user accounts
Additional tasks for managing PAM user groups
PAM assets
PAM asset groups
PAM asset accounts
PAM directory accounts
PAM account groups
PAM directories
PAM entitlements
PAM access request policies
Reports about PAM objects
System requirements for requesting PAM access requests
Requesting PAM access requests
PAM object owners
Handling of PAM objects in the Web Portal
Basic data for managing a Privileged Account Management system
Configuration parameters for the management of a Privileged Account Management system
Default project template for One Identity Safeguard
Editing One Identity Safeguard system objects
Known issues about connecting One Identity Safeguard appliances
About us
Automatically determining the owners
Manually specifying employees as PAM object owners
Manually specifying application roles for PAM object owners
Configuring PAM access request policies
Provision of login information for PAM user accounts
Provision of login information for PAM user accounts
Password policies for PAM users
provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.
Detailed information about this topic
Predefined password policies
Provision of login information for PAM user accounts > Password policies for PAM users > Predefined password policies
You can customize predefined password policies to meet your own requirements, if necessary.
Password for logging in to
The password policy is applied for logging in to . This password policy defines the settings for the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the passcode for a one time log in on the Web Portal (Person.Passcode).
NOTE: The password policy is marked as the default policy. This password policy is applied if no other password policy can be found for employees, user accounts, or system users.
For detailed information about password policies for employees, see the One Identity Manager Identity Management Base Module Administration Guide.
Password policy for forming employees' central passwords
An employee's central password is formed from the target system specific user accounts by respective configuration. The Employee central password policy defines the settings for the (Person.CentralPassword) central password. Members of the Identity Management | Employees | Administrators application role can adjust this password policy.
IMPORTANT: Ensure that the Employee central password policy does not violate the target system-specific requirements for passwords.
For detailed information about password policies for employees, see the One Identity Manager Identity Management Base Module Administration Guide.
Password policies for user accounts
Predefined password policies are provided, which you can apply to the user account password columns of the user accounts.
IMPORTANT: If you do not use password policies that are specific to the target system, the password policy default policy applies. In this case, ensure that the default policy does not violate the target systems requirements.
The Privileged Account Management password policy is predefined for PAM systems. You can apply this password policy to the passwords of user accounts (PAGUser.Password) of an appliance.
If the password requirements for the appliances are different, it is recommended that you set up your own password policies for each appliance.
Furthermore, you can apply password policies based on the account definition of the user accounts or based on the manage level of the user accounts.
Using password policies
Provision of login information for PAM user accounts > Password policies for PAM users > Using password policies
The Privileged Account Management password policy is predefined for PAM systems. You can apply this password policy to the passwords of user accounts (PAGUser.Password) of an appliance.
If the password requirements for the appliances are different, it is recommended that you set up your own password policies for each appliance.
Furthermore, you can apply password policies based on the account definition of the user accounts or based on the manage level of the user accounts.
The password policy that is to be used for a user account is determined in the following sequence:
-
Password policy of the account definition of the user account.
-
Password policy of the manage level of the user account.
-
Password policy for the appliance of the user.
-
The password policy (default policy).
IMPORTANT: If you do not use password policies that are specific to the target system, the password policy default policy applies. In this case, ensure that the default policy does not violate the target systems requirements.
To reassign a password policy
-
In the Manager, select the Privileged Account Management | Basic configuration data | Password policies category.
- Select the password policy in the result list.
- Select the Assign objects task.
-
Click Add in the Assignments section and enter the following data.
Table 20: Assigning a password policy Property
Description
Apply to
Application scope of the password policy.
To specify an application scope
- Click
next to the field.
- Select one of the following references under Table:
- The table that contains the base objects of synchronization.
- To apply the password policy based on the account definition, select the TSBAccountDef table.
- To apply the password policy based on the manage level, select the TSBBehavior table.
- Under Apply to, select the table that contains the base objects.
- If you have selected the table containing the base objects of synchronization, next select the specific target system.
- If you have selected the TSBAccountDef table, next select the specific account definition.
- If you have selected the TSBBehavior table, next select the specific manage level.
- Click OK.
Password column
The password column's identifier.
Password policy
The identifier of the password policy to be used.
- Click
- Save the changes.
To change a password policy's assignment
-
In the Manager, select the Privileged Account Management | Basic configuration data | Password policies category.
- Select the password policy in the result list.
- Select the Assign objects task.
- In the Assignments pane, select the assignment you want to change.
- From the Password Policies menu, select the new password policy you want to apply.
- Save the changes.