Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Creating account definitions

Create one or more account definitions for the target system.

To create a new account definition

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Account definitions > Account definitions category.

  2. Click in the result list.

  3. On the main data form, enter the main data of the account definition.

  4. Save the changes.

Related topics

Editing account definitions

You can edit the main data of account definitions.

To edit an account definition

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Account definitions > Account definitions category.

  2. Select an account definition in the result list.

  3. Select the Change main data task.

  4. Enter the account definition's main data.

  5. Save the changes.

Related topics

Main data for account definitions

Enter the following data for an account definition:

Table 7: Main data for an account definition

Property

Description

Account definition

Account definition name.

User account table

Table in the One Identity Manager schema that maps user accounts.

For PAM users, select PAGUser.

Target system

Target system to which the account definition applies.

Required account definition

Specifies the required account definition. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is assigned automatically.

For a PAM appliance, you can optionally select an Active Directory account definition or an LDAP account definition. In this case, an Active Directory or LDAP user account is first created for the identity. If this user account exists, the PAM user account is created as a directory user.

Description

Text field for additional explanation.

Manage level (initial)

Manage level to use by default when you add new user accounts.

Risk index

Value for evaluating the risk of assigning the account definition to identities. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item through which you can request the account definition resource in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The resource can also be assigned directly to identities and roles outside the IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to identities

Specifies whether the account definition is automatically assigned to all internal identities. To automatically assign the account definition to all internal identity, use the Enable automatic assignment to identities The account definition is assigned to every identity that is not marked as external. Once a new internal identity is created, they automatically obtain this account definition.

To automatically remove the account definition assignment from all identities, use the Disable automatic assignment to identities. The account definition cannot be reassigned to identities from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently deactivated identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment to temporarily deactivated identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on deferred deletion

Specifies the account definition assignment on deferred deletion of identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to identities posing a security risk.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping account definitions.

Spare field 01 - spare field 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked identity. If the option is set, the user account inherits groups through hierarchical roles, in which the identity is a member, or through IT Shop requests.

  • If you add an identity with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an identity has requested group membership in the IT Shop and the request is granted approval, the identity's user account only inherits the group if the option is set.

Editing manage levels

One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged: User accounts with the Unmanaged manage level are linked to the identity but they do no inherit any further properties. When a new user account is added with this manage level and an identity is assigned, some of the identity's properties are transferred initially. If the identity properties are changed at a later date, the changes are not passed onto the user account.

  • Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned identity. When a new user account is created with this manage level and an identity is assigned, the identity's properties are transferred in an initial state. If the identity properties are changed at a later date, the changes are passed onto the user account.

NOTE: The Full managed and Unmanaged manage levels are analyzed in templates. You can customize the supplied templates in the Designer.

You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.

Specify how an identity's temporary deactivation, permanent deactivation, deletion, and security risks affect its user accounts and group memberships at each manage level. For more information about manage levels, see the One Identity Manager Target System Base Module Administration Guide.

  • Identity user accounts can be locked when they are disabled, deleted, or rated as a security risk so that permissions are immediately withdrawn. If the identity is reinstated at a later date, the user accounts are also reactivated.

  • You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the identity’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this identity. Existing group memberships are deleted.

To edit a manage level

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Account definitions > Manage levels category.

  2. Select the manage level in the result list.

  3. Select the Change main data task.

  4. Edit the manage level's main data.

  5. Save the changes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating