Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Managing assignments of PAM user groups

To enable the requesting of, for example, a password for an asset account or a session for the accounts and assets in the Privileged Account Management system, users require the necessary entitlements. To simplify the administration, user accounts can be grouped into user groups. Through the user groups, user accounts receive the entitlements for requesting passwords or sessions.

In One Identity Manager, you can assign the user groups directly to the user accounts, or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the user groups through the Web Portal. To do this, the user groups are provided in the IT Shop.

The assignment of entitlements to user groups is not performed in One Identity Manager but in the Privileged Account Management.

Detailed information about this topic

Assigning PAM user groups to PAM user accounts in One Identity Manager

In One Identity Manager, PAM user groups can be assigned directly or indirectly to user accounts.

In the case of indirect assignment, identities and PAM user groups are classified in hierarchical roles. The number of PAM user groups assigned to an identity is calculated from the position in the hierarchy and the direction of inheritance. If the identity has a PAM user account, this PAM user account is assigned the PAM user groups.

User groups can also be requested in the Web Portal. To do this, add identities to a shop as customers. All PAM user groups that are assigned to this shop as products can be requested by the customers. Requested PAM user groups are assigned to the identities after approval is granted.

You can use system roles to group PAM user groups together and assign them to identities as a package. You can create system roles that contain only PAM user groups. You can also group any number of company resources into a system role.

To react quickly to special requests, you can also assign the PAM user groups directly to PAM user accounts.

For more information see the following guides:

Topic

Guide

Basic principles for assigning and inheriting company resources

One Identity Manager Identity Management Base Module Administration Guide

One Identity Manager Business Roles Administration Guide

Assigning company resources through IT Shop requests

One Identity Manager IT Shop Administration Guide

System roles

One Identity Manager System Roles Administration Guide

Detailed information about this topic

Prerequisites for indirect assignment of PAM groups to PAM user accounts

In the case of indirect assignment, identities and PAM groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning PAM groups indirectly, check the following settings and modify them if necessary.

  1. Assignment of identities and PAM user groups is permitted for role classes (departments, cost centers, locations, or business roles).

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

    ClosedAllow assignments to role classes of departments, cost centers, locations, or roles

  2. Settings for assigning PAM user groups to PAM user accounts.

    • The PAM user account is labeled with the Groups can be inherited option.

    • The PAM user account is linked to an identity.

    • The PAM user account and the PAM user group belong to the same appliance.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of identities not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Assigning PAM user groups to departments, cost centers, and locations

Assign the PAM user groups to departments, cost centers, or locations so that the PAM user group can be assigned to PAM user accounts through these organizations.

To assign a group to departments, cost centers, or locations (non role-based login)

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select the group in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign groups to a department, cost center, or location (role-based login)

  1. In the Manager, select the Organizations > Departments category.

    - OR -

    In the Manager, select the Organizations > Cost centers category.

    - OR -

    In the Manager, select the Organizations > Locations category.

  2. Select the department, cost center, or location in the result list.

  3. Select the Assign PAM user groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating