
Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance


Specifying server functions

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

A server function describes what a Job server is allowed to do in One Identity Manager. Processes are routed to Job servers according to the server functions assigned to them, so a process that needs a function no server carries will not be handled.

NOTE: More server functions may be available depending on which modules are installed.
Table 32: Permitted server functions

Server function

Remark

Update server

This server automatically updates the software on all the other servers. It requires a direct connection to the database server on which the One Identity Manager database is installed, and it can run SQL tasks.

The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.

SQL processing server

Runs SQL tasks. The server requires a direct connection to the database server on which the One Identity Manager database is installed.

Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

CSV script server

This server can process CSV files using the ScriptComponent process component.

One Identity Manager Service installed

Server on which a One Identity Manager Service is installed.

SMTP host

Server from which the One Identity Manager Service sends email notifications. An SMTP host must be configured before the One Identity Manager Service can send mail.

Default report server

Server on which reports are generated.

One Identity Safeguard connector

Server on which the One Identity Safeguard connector is installed. This server synchronizes the One Identity Safeguard target system.

Configuration parameters for managing a Privileged Account Management system

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 33: Configuration parameters for synchronizing a Privileged Account Management system

Configuration parameters

Meaning if Set

QER | ITShop | AutoPublish | PAGUsrGroup

Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList

List of all PAM user groups that are not to be automatically assigned to the IT Shop. The entries are separated by a pipe (|) and the whole list is evaluated as one regular expression; each entry may use regular expression notation.

Example: .*Administrator.*|.*Admins|.*Operators

TargetSystem | PAG

Preprocessor relevant configuration parameter for controlling model components for Privileged Account Management system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | PAG | DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | PAG | PersonAutoDefault

Mode for automatic identity assignment for user accounts added to the database outside synchronization.

TargetSystem | PAG | PersonAutoDisabledAccounts

Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | PAG | PersonAutoFullsync

Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | PAG | PersonExcludeList

List of all user accounts for which no identity is assigned automatically. The names are given as a pipe (|) delimited list that is evaluated as one regular expression search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | PAG | Accounts

Allows configuration of PAM user account data.

TargetSystem | PAG | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo

Identity that receives the email with the randomly generated password (manager of the cost center/department/location/role, the identity's manager, or XUserInserted). If no recipient can be found, the email is sent to the address stored in the TargetSystem | PAG | DefaultAddress configuration parameter.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.

TargetSystem | PAG | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.

TargetSystem | PAG | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Identity - new user account with default properties created mail template is used.

TargetSystem | PAG | Accounts | PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | PAG | Accounts | TransferJPegPhoto

Specifies whether changes to the identity's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when an identity's main data is changed.

TargetSystem | PAG | HighRiskIndexThreshold

Risk index values higher than this threshold are considered high. Default is 0.5.

TargetSystem | PAG | UnusedThresholdInDays

Number of days after which a privileged object, entitlement, or user is considered unused (default: 90).

TargetSystem | PAG | UserObjectAccessThreshold

Threshold for the number of privileged access permissions per user, above which a user's risk index is increased. Default is 20.
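The two exclude lists above (QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList and TargetSystem | PAG | PersonExcludeList) are both pipe-delimited regular expressions, and a badly anchored entry either lets a privileged group slip into the IT Shop or silently switches the feature off for every object. The following Python is an added example for testing a candidate list before you store it in the configuration parameter; it is not One Identity code. It assumes that an entry must match the complete name and that matching is case-insensitive (neither is stated on this page, so verify against your installation), and the group and account names are constructed sample data.

```python
import re

# Exclude lists as given in the configuration parameter examples on this page.
# The trailing ".* | $" fragment of the PersonExcludeList example is left out
# deliberately: an entry of ".*" on its own would exclude every account.
PAG_USRGROUP_EXCLUDELIST = ".*Administrator.*|.*Admins|.*Operators"
PAG_PERSON_EXCLUDELIST = (
    "ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*"
)

# Constructed sample data, not taken from any real appliance.
GROUPS = ["Safeguard Administrators", "Asset Admins", "Operators",
          "Helpdesk Operators", "Admin Team", "Auditors"]
ACCOUNTS = ["Administrator", "Administrators", "guest", "IUSR_WEB01",
            "support_tier2", "jdoe"]


def compile_exclude_list(exclude_list: str):
    """Treat the whole pipe-delimited list as one regular expression.

    Assumption (not stated on this page): entries match the complete name,
    case-insensitively. Adjust if your installation behaves differently.
    """
    return re.compile(exclude_list, re.IGNORECASE)


def is_excluded(name: str, exclude_list: str) -> bool:
    """True if the name is caught by the list, i.e. it will not be
    auto-published to the IT Shop / auto-assigned an identity."""
    return compile_exclude_list(exclude_list).fullmatch(name) is not None


def partition(names, exclude_list):
    """Split names into (excluded, processed) under the given exclude list."""
    excluded, processed = [], []
    for name in names:
        (excluded if is_excluded(name, exclude_list) else processed).append(name)
    return excluded, processed


def catch_all_entries(exclude_list: str):
    """Heuristic lint: return entries that also match a name that cannot be a
    real privileged account, such as a bare ".*". Such an entry excludes
    everything and so disables auto-publishing / auto-assignment entirely."""
    probe = "no-such-name-0"
    suspicious = []
    for entry in exclude_list.split("|"):
        entry = entry.strip()
        if entry and re.fullmatch(entry, probe, re.IGNORECASE):
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for label, names, xl in (("PAM user groups", GROUPS, PAG_USRGROUP_EXCLUDELIST),
                             ("PAM user accounts", ACCOUNTS, PAG_PERSON_EXCLUDELIST)):
        excluded, processed = partition(names, xl)
        print(f"{label}: excluded={excluded}")
        print(f"{label}: processed={processed}")
    # ".*Admins" does not catch "Admin Team"; a bare ".*" catches everything.
    print("catch-all entries:", catch_all_entries(".*Admins|.*"))
```

Run it on your own group and account names: the output shows that `.*Admins` does not catch a group named "Admin Team" and that `ADMINISTRATOR` does not catch an account named "Administrators", which is exactly the kind of gap that lets a privileged group be auto-published to the IT Shop.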

Default project template for One Identity Safeguard

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema

Schema type in One Identity Safeguard    Table in the One Identity Manager schema
Appliance                                PAGAppliance
IdentityProvider                         PAGIdentityProvider
AuthenticationProvider                   PAGAuthProvider
User                                     PAGUser
UserGroup                                PAGUsrGroup
Entitlement                              PAGEntl
AccessRequestPolicy                      PAGReqPolicy
AccountGroup                             PAGAccGroup
Asset                                    PAGAsset
AssetAccount                             PAGAstAccount
AssetGroup                               PAGAstGroup
Directory                                PAGDirectory
DirectoryAccount                         PAGDirAccount
AuditLog                                 PAGAuditLog
Partition                                PAGPartition

Editing One Identity Safeguard system objects

The following table lists the editing methods the connector supports for each One Identity Safeguard schema type. Read means the object is imported into One Identity Manager; Insert, Delete and Refresh mean that One Identity Manager can create, delete or update the object in the One Identity Safeguard appliance.

Table 35: Methods available for editing schema types

Schema type                                       Read  Insert  Delete  Refresh
Appliance (Appliance)                             Yes   No      No      No
User account (User)                               Yes   Yes     Yes     Yes
User group (UserGroup)                            Yes   No      No      Yes
Identity provider (IdentityProvider)              Yes   No      No      No
Authentication provider (AuthenticationProvider)  Yes   No      No      No
Directory (Directory)                             Yes   No      No      No
Directory account (DirectoryAccount)              Yes   No      No      No
Asset (Asset)                                     Yes   No      No      No
Account (AssetAccount)                            Yes   No      No      No
Asset group (AssetGroup)                          Yes   No      No      No
Account group (AccountGroup)                      Yes   No      No      No
Entitlement (Entitlement)                         Yes   No      No      No
Access request policy (AccessRequestPolicy)       Yes   No      No      No
Audit log (AuditLog)                              Yes   No      No      No
Partition (Partition)                             Yes   No      No      No

In practice this means the connector writes only user accounts (create, update, delete) and user group updates back to the One Identity Safeguard appliance. Every other schema type, including assets, asset accounts, entitlements and access request policies, is read-only from One Identity Manager's side and must be changed in One Identity Safeguard itself.
