Chat now with support
Chat with Support

Identity Manager 8.2 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema
Schema Type in One Identity Safeguard Table in the One Identity Manager Schema
Appliance PAGAppliance
IdentityProvider PAGIdentityProvider

AuthenticationProvider

PAGAuthProvider

User PAGUser
UserGroup PAGUsrGroup
Entitlement PAGEntl
AccessRequestPolicy PAGReqPolicy
AccountGroup PAGAccGroup
Asset PAGAsset
AssetAccount PAGAstAccount
AssetGroup PAGAstGroup
Directory PAGDirectory
DirectoryAccount PAGDirAccount

Editing One Identity Safeguard system objects

The following table describes permitted editing methods for One Identity Safeguard schema types and the necessary restrictions for processing the system objects.

Table 35: Methods available for editing schema types

Schema type

Read

Paste

Delete

Refresh

Appliance (Appliance)

Yes

No

No

No

User account (User)

Yes

Yes

Yes

Yes

User group (UserGroup)

Yes

No

No

Yes

Identity provider IdentityProvider

Yes

No

No

No

Authentication provider (AuthenticationProvider)

Yes

No

No

No

Directory

Yes

No

No

No

Directory account

(DirectoryAccount)

Yes

No

No

No

Asset (Asset)

Yes

No

No

No

Account (AssetAccount)

Yes

No

No

No

Asset group (AssetGroup)

Yes

No

No

No

Account group (AccountGroup)

Yes

No

No

No

Entitlement (Entitlement)

Yes

No

No

No

Access request policy (AccessRequestPolicy)

Yes

No

No

No

One Identity Safeguard connector settings

The following settings are configured for the system connection with the One Identity Safeguard connector.

Table 36: One Identity Safeguard connector settings

Setting

Description

Appliance display name

Display name of the appliance.

Variable: CP_ApplianceDisplay

System identifier

Unique identifier for identifying the appliance.

Variable: CP_ApplianceID

CAUTION: The system identifier must describe the appliance uniquely. Appliances are differentiated on the basis of the system identifier. If you use an identifier more than once for different appliances, it can cause errors and loss of data.

Always connect to the primary cluster node

This option is automatically set if a One Identity Safeguard cluster is detected when the connection is tested. If you use a cluster of multiple One Identity Safeguard appliances, this option should be enabled.

Variable: CP_ConnectPrimaryNode

Appliance host name or IP

Host name or IP address of the appliance. If you use a cluster of multiple One Identity Safeguard appliances, enter the primary appliance here.

Variable: CP_ApplianceHost

Trusted certificate thumbprint

Thumbprint of the trusted certificate that is used by the synchronization user and the user account of the One Identity Manager Service.

Variable: CP_CertificateThumbprint

Ignore SSL connection errors

You should only activate this option for test purposes, because this may lead to potential trusting of insecure connections.

Variable: CP_IgnoreSSLErrors

Default: False

Cluster IPv4 addresses

Semicolon delimited list of IPv4 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv4Addresses

Cluster IPv6 addresses

Semicolon delimited list of IPv6 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv6Addresses

Customize connector definition

You can use this setting to adjust the definition used by the connector.

IMPORTANT: You should only make changes to the connector definition with the help of support desk staff. Changes to this setting will have wide ranging effects on synchronization and must be made carefully.

NOTE: A customized connection definition is not overwritten by default and must be made with careful consideration.

Known issues about connecting One Identity Safeguard appliances

Issue

The following error message is displayed while setting up a synchronization project for One Identity Safeguard:

404: Not Found -- 0:

Cause

An older version of One Identity Safeguard is in use that is not supported by One Identity Manager.

Solution

Ensure you are using One Identity Safeguard version 6.0 or later. For more information, see Synchronizing a Privileged Account Management system.

Issue

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

Solution

The problem is resolved with One Identity Safeguard version 2.6.

Issue

The One Identity Safeguard connector connection to a One Identity Safeguard appliance quits with following errors:

The version <Appliance version> of the connected One Identity Safeguard appliance is not supported by this version of the One Identity Manager Safeguard connector. Error-free operation cannot be guaranteed. The connection is terminated.

The version <safeguard-ps version> of the PowerShell module 'safeguard-ps' does not match the version <Appliance version> of the One Identity Safeguard appliance. The connection is terminated

Cause

The implemented version of this One Identity Safeguard Appliance does not match the version of the safeguard-ps Windows PowerShell module in use.

Solution

Ensure that you use the matching version. Ensure that the major and the minor version of the Windows PowerShell module match the major and the minor version of your One Identity Safeguard appliance.

For more information, see Installing the safeguard-ps Windows PowerShell module.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating