Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Configuration parameters for managing Privileged Account Management systems

Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for various configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data > General > Configuration parameters category.

For more information, see Configuration parameters for managing a Privileged Account Management system.

Synchronizing a Privileged Account Management system

One Identity Manager supports synchronization with One Identity Safeguard version 6.0 or later. You will find a matching PowerShell module for each version supported on the One Identity Manager installation medium in the Modules\PAG\dvd\AddOn\safeguard-ps directory. Versions without a matching PowerShell module on the One Identity Manager installation medium, are not supported.

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the One Identity Safeguard appliance.

This sections explains how to:

  • Set up synchronization to import initial data from One Identity Safeguard appliance to the One Identity Manager database.

  • Adjust a synchronization configuration, for example, to synchronize different One Identity Safeguard appliances with the same synchronization project.

  • Start and deactivate the synchronization.

  • Analyze synchronization results.

TIP: Before you set up synchronization with a One Identity Safeguard appliance, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up the initial synchronization of a One Identity Safeguard

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for a target system environment. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

Use the One Identity Safeguard synchronization project template to create synchronization projects with which you import the data from a One Identity Safeguard appliance into your One Identity Manager database.

To load objects into the One Identity Manager database for the first time

  1. Prepare a user with sufficient permissions for synchronization in the Privileged Account Management system.

  2. One Identity Manager components for managing Privileged Account Management systems are available if the TargetSystem | PAG configuration parameter is enabled.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with a One Identity Safeguard appliance

The following users play a role in synchronizing One Identity Manager with a One Identity Safeguard appliance.

Table 2: Users for synchronization

User

Permissions

Users for accessing the One Identity Safeguard appliance (synchronization users)

On the appliance, you must provide a user account with the following settings for full synchronization of One Identity Safeguard appliance objects with the supplied One Identity Manager default configuration.

  • Authentication provider Certificate

  • Thumbprint of a certificate saved on the appliance as a trusted certificate

  • Permissions:

    • Authorizer

    • User

    • Help Desk

    • Appliance

    • Operations

    • Asset

    • Directory

    • Security policy

For more information about users and certificates in One Identity Safeguard, see the One Identity Safeguard Administration Guide.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

In the certificate store of the current user, the user account requires the certificate with the private key that is saved on the One Identity Safeguard appliance as a trusted certificate. The certificate must be the same certificate used by the synchronization user.

For more information about certificates in One Identity Safeguard, see the One Identity Safeguard Administration Guide.

NOTE: Access through the NT AUTHORITY\SYSTEM local system account is not supported.

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating