
Identity Manager 9.0 LTS - Administration Guide for Privileged Account Governance


Configuration parameters for managing a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 33: Configuration parameters for synchronizing a Privileged Account Management system

Configuration parameters

Meaning if Set

TargetSystem | PAG

Preprocessor relevant configuration parameters for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | PAG | Accounts

Allows configuration of PAM user account data.

TargetSystem | PAG | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo

Employee to receive an email with the randomly generated password (manager of the cost center/department/location/business role, the employee's manager, or XUserInserted). If no recipient can be found, the email is sent to the address stored in the TargetSystem | PAG | DefaultAddress configuration parameter.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | PAG | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | PAG | Accounts | PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | PAG | Accounts | TransferJPegPhoto

Specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | PAG | DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | PAG | PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | PAG | PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | PAG | PersonAutoFullsync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | PAG | PersonExcludeList

List of all user accounts without automatic employee assignment. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | PAG | UserObjectAccessThreshold

Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.

TargetSystem | PAG | HighRiskIndexThreshold

Risk index values higher than this threshold are considered high. Default is 0.5.

QER | ITShop | AutoPublish | PAGUsrGroup

Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList

List of all PAM user groups that are not to be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

Example: .*Administrator.*|.*Admins|.*Operators
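The following Python snippet is an added illustration (not part of the guide or of One Identity Manager) of how the pipe-delimited exclude lists for TargetSystem | PAG | PersonExcludeList and QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList behave when treated as one regular search pattern. It assumes whole-name, case-insensitive matching, and it assumes the last alternative of the PersonExcludeList example is `.*\$` (names ending in a dollar sign); the account and group names are constructed.

```python
import re

# Exclude-list values from the guide. The final alternative of the account
# list is an assumption (".*\$" = names ending in "$"); the guide's rendering
# of that alternative is not legible.
PERSON_EXCLUDE_LIST = (
    r"ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.*\$"
)
USRGROUP_EXCLUDE_LIST = r".*Administrator.*|.*Admins|.*Operators"


def compile_exclude_list(pattern: str) -> re.Pattern:
    """Wrap the pipe-delimited list so that one alternative must match the
    whole name. Anchoring and case-insensitivity are assumptions, not
    documented behavior."""
    return re.compile(rf"^(?:{pattern})$", re.IGNORECASE)


def is_excluded(name: str, pattern: str) -> bool:
    """True if the name is skipped (no automatic employee assignment /
    no automatic IT Shop publication)."""
    return compile_exclude_list(pattern).match(name) is not None


def partition(names, pattern):
    """Split names into (processed, excluded) for a given exclude list."""
    processed, excluded = [], []
    for name in names:
        (excluded if is_excluded(name, pattern) else processed).append(name)
    return processed, excluded


if __name__ == "__main__":
    # Constructed sample data.
    accounts = ["jdoe", "Administrator", "IUSR_WEB01", "SUPPORT_388945a0",
                "WS-SRV01$", "krbtgt", "svc_backup"]
    groups = ["PAM Administrators", "Backup Operators", "Auditors",
              "Domain Admins"]
    print("accounts:", partition(accounts, PERSON_EXCLUDE_LIST))
    print("groups:  ", partition(groups, USRGROUP_EXCLUDE_LIST))
```

Review the excluded list after each change to the pattern: an alternative such as `.*` written without a suffix would silently exclude every account from automatic assignment.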

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema

Schema type in One Identity Safeguard    Table in the One Identity Manager schema
Appliance                                PAGAppliance
IdentityProvider                         PAGIdentityProvider
AuthenticationProvider                   PAGAuthProvider
User                                     PAGUser
UserGroup                                PAGUsrGroup
Entitlement                              PAGEntl
AccessRequestPolicy                      PAGReqPolicy
AccountGroup                             PAGAccGroup
Asset                                    PAGAsset
AssetAccount                             PAGAstAccount
AssetGroup                               PAGAstGroup
Directory                                PAGDirectory
DirectoryAccount                         PAGDirAccount

Editing One Identity Safeguard system objects

The following table describes permitted editing methods for One Identity Safeguard schema types and the necessary restrictions for processing the system objects.

Table 35: Methods available for editing schema types

Schema type                                        Read   Paste   Delete   Refresh
Appliance (Appliance)                              Yes    No      No       No
User account (User)                                Yes    Yes     Yes      Yes
User group (UserGroup)                             Yes    No      No       Yes
Identity provider (IdentityProvider)               Yes    No      No       No
Authentication provider (AuthenticationProvider)   Yes    No      No       No
Directory (Directory)                              Yes    No      No       No
Directory account (DirectoryAccount)               Yes    No      No       No
Asset (Asset)                                      Yes    No      No       No
Account (AssetAccount)                             Yes    No      No       No
Asset group (AssetGroup)                           Yes    No      No       No
Account group (AccountGroup)                       Yes    No      No       No
Entitlement (Entitlement)                          Yes    No      No       No
Access request policy (AccessRequestPolicy)        Yes    No      No       No

One Identity Safeguard connector settings

The following settings are configured for the system connection with the One Identity Safeguard connector.

Table 36: One Identity Safeguard connector settings

Setting

Description

Appliance display name

Display name of the appliance.

Variable: CP_ApplianceDisplay

System identifier

Unique identifier for identifying the appliance.

Variable: CP_ApplianceID

CAUTION: The system identifier must describe the appliance uniquely. Appliances are differentiated on the basis of the system identifier. If you use an identifier more than once for different appliances, it can cause errors and loss of data.

Always connect to the primary cluster node

This option is automatically set if a One Identity Safeguard cluster is detected when the connection is tested. If you use a cluster of multiple One Identity Safeguard appliances, this option should be enabled.

Variable: CP_ConnectPrimaryNode

Appliance host name or IP

Host name or IP address of the appliance. If you use a cluster of multiple One Identity Safeguard appliances, enter the primary appliance here.

Variable: CP_ApplianceHost

Trusted certificate thumbprint

Thumbprint of the trusted certificate that is used by the synchronization user and the user account of the One Identity Manager Service.

Variable: CP_CertificateThumbprint

Ignore SSL connection errors

Activate this option only for test purposes, because it causes certificate and other SSL connection errors to be ignored, so insecure connections may be trusted.

Variable: CP_IgnoreSSLErrors

Default: False

Cluster IPv4 addresses

Semicolon delimited list of IPv4 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv4Addresses

Cluster IPv6 addresses

Semicolon delimited list of IPv6 addresses of an environment consisting of several appliances (clusters).

Variable: CP_ClusterIPv6Addresses

Customize connector definition

You can use this setting to adjust the definition used by the connector.

IMPORTANT: Only make changes to the connector definition with the help of support desk staff. Changes to this setting have wide-ranging effects on synchronization and must be made carefully.

NOTE: A customized connection definition is not overwritten by default and must be made with careful consideration.
