Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.1.5 - Administration Guide for Privileged Account Governance

Table of Contents

Mapping a Privileged Account Management system in One Identity Manager

Architecture overview One Identity Manager users for managing Privileged Account Management Configuration parameters

Synchronizing a Privileged Account Management system

Setting up the initial synchronization of a One Identity Safeguard

Users and permissions for synchronizing with a One Identity Safeguard appliance Setting up the One Identity Safeguard synchronization server

System requirements for the One Identity Safeguard synchronization server Installing the safeguard-ps Windows PowerShell module Installing One Identity Manager Service with One Identity Safeguard connector

Preparing the administrative workstation for access to the One Identity Safeguard appliance Preparing a remote connection server for access to the One Identity Safeguard appliance Creating a synchronization project for initial synchronization of a One Identity Safeguard appliance

Information required for setting up a synchronization project Creating an initial synchronization project for One Identity Safeguard

Configuring the synchronization log

Customizing the synchronization configuration for One Identity Safeguard

Configuring synchronization to a One Identity Safeguard appliance Configuring synchronization of multiple One Identity Safeguard appliances Updating schemas Speeding up synchronization with revision filtering Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization Adjusting the Windows PowerShell definition of the One Identity Safeguard connector

Executing synchronization

Starting synchronization Displaying synchronization results Deactivating synchronization Synchronizing single objects

Tasks after a synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing PAM user accounts through account definitions

Troubleshooting

Managing PAM user accounts and employees

Account definitions for PAM user accounts

Creating account definitions Editing account definitions Master data for account definitions Editing manage levels Creating manage levels Master data for manage levels creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to PAM appliances Deleting account definitions

Automatic assignment of employees to PAM user accounts

Editing search criteria for automatic employee assignment

Finding employees and directly assigning them to user accounts

Changing manage levels for PAM user accounts Assigning account definitions to linked PAM user accounts

Manually linking employees to PAM user accounts Supported user account types

Default user accounts Administrative user accounts

Providing administrative user accounts for one employee Providing administrative user accounts for several employees

Privileged user accounts

Managing the assignments of PAM user groups

Assigning PAM user groups to PAM user accounts in One Identity Manager

Assigning PAM user groups to departments, cost centers, and locations Assigning PAM user groups to business roles Adding PAM user groups to system roles Adding PAM user groups to the IT Shop Adding local PAM user groups to the IT Shop automatically Assigning PAM user accounts directly to a PAM user group Assigning PAM user groups directly to a PAM user account

Effects of PAM user group memberships PAM user group inheritance based on categories Overview of all assignments

Provision of login information for PAM user accounts

Password policies for PAM users

Predefined password policies Using password policies Editing password policies Creating password policies General master data for password policies Policy settings Character classes for passwords Custom scripts for password requirements

Script for checking passwords Script for generating a password

Editing the excluded list for passwords Checking passwords Testing the generation of passwords

Initial password for new PAM user accounts Email notifications about login data

Mapping of PAM objects in One Identity Manager

Creating PAM appliances Editing the master data for PAM appliances General master data for PAM appliances Defining categories for the inheritance of PAM user groups Additional tasks for managing PAM appliances

The PAM appliance overview Editing the synchronization project for a PAM appliance

PAM user accounts

Creating local PAM user accounts Creating certificate-based PAM user accounts Creating PAM user accounts for directory users Editing master data for PAM user accounts General master data for PAM user accounts Contact information for PAM user accounts Secondary authentication for PAM user accounts Administrative entitlements for PAM user accounts Additional tasks for managing PAM user accounts

The PAM user account overview Assigning extended properties to PAM user accounts

Disabling PAM user accounts Deleting and restoring PAM user accounts

PAM user groups

Editing master data for PAM user groups General master data for PAM user accounts Additional tasks for managing PAM user groups

The PAM user group overview Assigning extended properties to PAM user groups

PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM entitlements PAM access request policies Reports about PAM objects

PAM access requests

System requirements for requesting PAM access requests Requesting PAM access requests PAM object owners

Automatically determining the owners Manually specifying employees as PAM object owners Manually specifying application roles for PAM object owners

Configuring PAM access request policies

Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system

Job server for PAM-specific process handling

Editing PAM Job servers General master data for Job servers Specifying server functions

Target system managers for PAM systems

Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

PAM asset accounts

Mapping of PAM objects in One Identity Manager > PAM asset accounts

An asset account is a unique ID for the access to an asset, for example, a user account, a group or a service account. For asset accounts, passwords can be requested for accessing the assets.

Asset accounts are imported into the One Identity Manager database during synchronization. Changes to the object properties of individual asset accounts can be re-imported by single object synchronization.

To view an overview of an asset account:

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Asset accounts category.
Select the asset account in the result list.
Select the PAM asset account overview task.

To display the properties of an asset account:

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Asset accounts category.
Select the asset account in the result list.
Select the Change master data task.

For an asset account, you see an overview of the account groups and the access request policies associated with the asset account.

To define a risk index for an asset account

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Asset accounts category.
Select the asset account in the result list.
Select the Change master data task.
Set a value for the Risk index, between 0 and 1.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.
Save the changes.

Related topics

PAM directory accounts

Mapping of PAM objects in One Identity Manager > PAM directory accounts

Directory accounts are privileged user accounts in a directory, such as Active Directory or LDAP, for which you can request a password.

Directory accounts are imported into the One Identity Manager database during synchronization. Changes to the object properties of individual directory accounts can be re-imported by single object synchronization.

To view an overview of a directory account:

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Directory accounts category.
Select the directory account in the result list.
Select the PAM directory account overview task.

To display the properties of a directory account

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Directory accounts category.
Select the directory account in the result list.
Select the Change master data task.

For a directory account, you see an overview of the user account in the directory, the PAM user accounts, and the access request policies associated with the directory account.

To define a risk index for a directory account

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged Objects | Directory accounts category.
Select the directory account in the result list.
Select the Change master data task.
Set a value for the Risk index, between 0 and 1.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.
Save the changes.

Related topics

PAM account groups

Mapping of PAM objects in One Identity Manager > PAM account groups

An account group is a collection of asset account and directory accounts. An account group can be added to the scope of an access request policy.

Account groups are imported into the One Identity Manager database during synchronization. You cannot edit the properties of account groups. Changes to the object properties of individual account groups can be re-imported by single object synchronization.

To display the properties of an account group

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged objects | Account groups category.
Select the account group in the result list.
Select the Change master data task.

For an account group, you see an overview of the asset accounts, directory accounts, and the access request policies associated with the account group.

To obtain an overview of an account group

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Privileged objects | Account groups category.
Select the account group in the result list.
Select the PAM account group overview task.

Related topics

PAM directories

Mapping of PAM objects in One Identity Manager > PAM directories

Directories represent external target system, for example Active Directory or LDAP. If the Active Directory environment or the LDAP environment is imported into One Identity Manager, you can create directory users in One Identity Manager. Directory users and directory groups are linked to the relevant Active Directory objects and LDAP objects.

Directories are imported into the One Identity Manager database during synchronization. You cannot edit the properties of directories. Changes to the object properties of individual directories can be re-imported by single object synchronization.

To display the properties of a directory

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Directories category.
Select the directory in the result list.
Select the Change master data task.

For a directory, you see an overview of the user accounts, user groups, and the directory accounts associated with the directory.

To view an overview of a directory

In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Directories category.
Select the directory in the result list.
Select the PAM directory overview task.

Related topics

Synchronizing single objects

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center