Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance

Table of Contents

About this guide Managing a Privileged Account Management system in One Identity Manager

Architecture overview One Identity Manager users for managing Privileged Account Management Configuration parameters for managing Privileged Account Management systems

Synchronizing a Privileged Account Management system

Setting up the initial synchronization of a One Identity Safeguard

Users and permissions for synchronizing with a One Identity Safeguard appliance Setting up the One Identity Safeguard synchronization server

System requirements for the One Identity Safeguard synchronization server Installing the safeguard-ps Windows PowerShell module Installing One Identity Manager Service with a One Identity Safeguard connector

Preparing the administrative workstation for access to the One Identity Safeguard appliance Preparing a remote connection server for access to the One Identity Safeguard appliance Creating a synchronization project for initial synchronization of a One Identity Safeguard appliance

Information required for setting up a synchronization project Creating an initial synchronization project for One Identity Safeguard

Configuring the synchronization log

Customizing the synchronization configuration for One Identity Safeguard

Configuring synchronization to a One Identity Safeguard appliance Configuring synchronization of multiple One Identity Safeguard appliances Changing system connection settings of One Identity Safeguard appliances

Editing connection parameters in the variable set Editing target system connection properties Adjusting the Windows PowerShell definition of the One Identity Safeguard connector

Updating schemas Speeding up synchronization with revision filtering Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization

Running synchronization

Starting synchronization Displaying synchronization results Deactivating synchronization Synchronizing single objects

Tasks following synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing PAM user accounts through account definitions

Troubleshooting Ignoring data error in synchronization

Managing PAM user accounts and employees

Account definitions for PAM user accounts

Creating account definitions Editing account definitions Main data for account definitions Editing manage levels Creating manage levels Assigning manage levels to account definitions Main data for manage levels creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to PAM appliances Deleting account definitions

Assigning employees automatically to PAM user accounts

Editing search criteria for automatic employee assignment Finding employees and directly assigning them to user accounts Changing manage levels for PAM user accounts Assigning account definitions to linked PAM user accounts

Manually linking employees to PAM user accounts Supported user account types

Default user accounts Administrative user accounts

Providing administrative user accounts for one employee Providing administrative user accounts for several employees

Privileged user accounts

Specifying deferred deletion for PAM user accounts

Managing the assignments of PAM user groups

Assigning PAM user groups to PAM user accounts in One Identity Manager

Prerequisites for indirect assignment of PAM groups to PAM user accounts Assigning PAM user groups to departments, cost centers, and locations Assigning PAM user groups to business roles Adding PAM user groups to system roles Adding PAM user groups to the IT Shop Adding local PAM user groups to the IT Shop automatically Assigning PAM user accounts directly to a PAM user group Assigning PAM user groups directly to a PAM user account

Effectiveness of membership in PAM user groups PAM user group inheritance based on categories Overview of all assignments

Login information for PAM user accounts

Password policies for PAM users

Predefined password policies Using password policies Editing password policies Creating password policies General main data for password policies Policy settings Character classes for passwords Custom scripts for password requirements

Checking passwords with a script Generating passwords with a script

Editing the excluded list for passwords Checking passwords Testing the generation of passwords

Initial password for new PAM user accounts Email notifications about login data

Mapping of PAM objects in One Identity Manager

Creating PAM appliances Editing the main data of PAM appliances General main data of PAM appliances Defining categories for the inheritance of PAM user groups Editing the synchronization project for a PAM appliance Displaying the PAM appliance overview

PAM user accounts

Creating local PAM user accounts Creating certificate-based PAM user accounts Creating PAM user accounts for directory users Editing main data of PAM user accounts General main data of PAM user accounts Contact information for PAM user accounts Secondary authentication for PAM user accounts Administrative entitlements for PAM user accounts Assigning extended properties to PAM user accounts Disabling PAM user accounts Deleting and restoring PAM user accounts Displaying the PAM user account overview

PAM user groups

Editing main data of PAM user groups General main data of PAM user accounts Assigning extended properties to PAM user groups Displaying the PAM user group overview

PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM entitlements PAM access request policies Reports about PAM objects

PAM access requests

System requirements for requesting PAM access requests Requesting PAM access requests PAM object owners

Automatically determining the owners Manually specifying employees as PAM object owners Manually specifying application roles for PAM object owners

Configuring PAM access request policies

Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system

Target system managers for PAM systems Job server for PAM-specific process handling

Editing PAM Job servers General main data of Job servers Specifying server functions

Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Automatically determining the owners

Initially, approvers of access request policies automatically become owners of PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups and PAM account groups. This assignment only takes place if an access request policy can be determined for a PAM object.

For each access request policy, a new application role is created for the owner under the Privileged Account Governance | Asset and account owners application role.
The role approvers of an access request policy are added to the application role.
The application is assigned to the PAM asserts, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups within the policy's scope.
If there are several access policies defined for a PAM object, the valid application roles are determined through the access request policy's entitlements. The PAM object owners are determined by the following order:
1. Application roles of access request policies with low priority entitlements
2. Application roles of access request policies with the lowest priority

NOTE:

An application role for owners is only assigned automatically to a PAM object if an application role is not already assigned to the PAM object. Any existing assignment is not changed.
Owner are only determined initially. Changes to the role approver of an access request policy are not automatically added to the associated application role. Change the employee assigned to the application manually, if required.
Owners cannot be determined for access request policies that are automatically approved in One Identity Safeguard. In this case, assign employees manually to the application role.

Related topics

Manually specifying employees as PAM object owners

In addition to automatically determining the owners, you can specify the owners manually.

To manually specify employees as owners

Log in to Manager as target system manager.
In the Privileged Account Management > Basic configuration data > Asset and account owners category, select the application role.
Select the Assign employees task.
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned employees.

To remove an assignment
- Select the employee and double-click .
Save the changes.

Related topics

Manually specifying application roles for PAM object owners

Application roles are created when owner are determined automatically. You can specify further application roles manually.

To specify an application role for a PAM object owner

In the Manager, select one of the following filters in the Privileged Account Management > Appliances > <appliance> > Privileged objects category.
- To specify an application role for an asset, select Assets.
- To specify an application role for an asset group. select Asset group.
- To specify an application role for an asset account, select Asset account.
- To specify an application role for a directory account, select Directory account.
- To specify an application role for an account group, select Account group.
In the result list, select the PAM object.
Select the Change main data task.
On the General tab, select the application role in the Owner (Application Role) selection list.

- OR -

Next to the Owner (Application Role) list, click on to create a new application role.
1. Enter the application role name and assign the parent application role Privileged Account Governance | Asset and account owners.
2. Click OK to add the new application role.
Assign employees, who are owners, to the application role.

Related topics

Configuring PAM access request policies

Access requests for assets, asset accounts, directory accounts, asset groups, and account groups can only be requested if the One Identity Manager enabled option is activated in the access request policy.

To configure the access request policy

In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.
Select the access request policy in the result list.
Select the Change main data task.
On the General tab, check the One Identity Manager enabled option.
- If this option is set, access requests can be requested for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.
- If this option is not set, is not possible to request access requests for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center