
Identity Manager 9.2 - Administration Guide for Privileged Account Governance


Displaying main data of PAM access request policies

Only selected properties of access request policies can be edited in One Identity Manager. You can configure an access request policy so that access can be requested for the assets, asset accounts, directory accounts, asset groups, and account groups that are within the policy's scope.

To display the properties of an access request policy

  1. In the Manager, select the Privileged Account Management > Appliances > <Appliance> > Entitlements > <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change main data task.


Reports about PAM objects

One Identity Manager provides various reports containing information about a selected base object and its relations to other One Identity Manager database objects. The following reports are available for PAM systems.

Table 27: Data quality target system report

Report | Published for | Description

Show overview | User account | This report shows an overview of the user account and the assigned permissions.

Show overview including origin | User account | This report shows an overview of the user account and the origin of the assigned permissions.

Show overview including history | User account | This report shows an overview of the user account including its history.
  Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Overview of all assignments | User group | This report finds all roles containing identities who have the selected system entitlement.

Show overview | User group | This report shows an overview of the system entitlement and its assignments.

Show overview including origin | User group | This report shows an overview of the system entitlement and the origin of the assigned user accounts.

Show overview including history | User group | This report shows an overview of the system entitlement including its history.
  Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Show entitlement drifts | Appliance | This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager.

Show user accounts overview (incl. history) | Appliance | This report returns all user accounts with their permissions, including a history.
  Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Show user accounts with an above average number of system entitlements | Appliance | This report contains all user accounts with an above average number of system entitlements.

Show identities with multiple user accounts | Appliance | This report shows all identities that have multiple user accounts. The report contains a risk assessment.

Show system entitlements overview (incl. history) | Appliance | This report shows the system entitlements with the assigned user accounts, including a history.
  Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Overview of all assignments | Appliance | This report finds all roles containing identities with at least one user account in the selected target system.

Show unused user accounts | Appliance | This report contains all user accounts that have not been used in the last few months.

Show orphaned user accounts | Appliance | This report shows all user accounts to which no identity is assigned.
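The appliance-level reports above (orphaned, unused, above-average entitlements, identities with multiple accounts, entitlement drift) each encode a simple data-quality rule. The following added example is illustrative code, not One Identity Manager's report logic or schema: it reimplements those rules over a constructed in-memory extract of PAM user accounts so the criteria can be checked outside the Manager, for instance on an export. The field names (uid, identity, last_login, groups), the three-month "unused" threshold and the PROVISIONED map of memberships assumed to have been provisioned by One Identity Manager are all assumptions.

```python
"""Data-quality rules behind the PAM appliance reports (added illustrative example).

Not One Identity Manager code. Field names, the unused-account threshold and the
provisioned-membership map are assumptions made for this example.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import mean

# Constructed sample: a flattened export of PAM user accounts on one appliance.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"uid": "alice",   "identity": "Alice Adams", "last_login": date(2024, 5, 28),
     "groups": ["PAM-Admins", "Linux-Ops"]},
    {"uid": "bob",     "identity": "Bob Brown",   "last_login": date(2023, 9, 1),
     "groups": ["Linux-Ops"]},
    {"uid": "svc-bkp", "identity": None,          "last_login": date(2024, 5, 30),
     "groups": ["Backup"]},
    {"uid": "carol",   "identity": "Carol Cole",  "last_login": None,
     "groups": ["PAM-Admins", "Linux-Ops", "Windows-Ops", "Backup", "DBA"]},
    {"uid": "dave",    "identity": "Alice Adams", "last_login": date(2024, 4, 2),
     "groups": []},
]

# Constructed: group memberships assumed to have been provisioned by One Identity
# Manager (uid -> groups). Anything in the target beyond this is drift.
PROVISIONED = {
    "alice":   {"PAM-Admins", "Linux-Ops"},
    "bob":     {"Linux-Ops"},
    "svc-bkp": {"Backup"},
    "carol":   {"PAM-Admins", "Linux-Ops", "Windows-Ops", "Backup"},
    "dave":    set(),
}


def orphaned_accounts(accounts):
    """Accounts with no identity assigned ("Show orphaned user accounts")."""
    return sorted(a["uid"] for a in accounts if a["identity"] is None)


def unused_accounts(accounts, today=TODAY, months=3):
    """Accounts not used within the threshold ("Show unused user accounts").
    An account that never logged in counts as unused. Threshold is an assumption."""
    cutoff = today - timedelta(days=30 * months)
    return sorted(a["uid"] for a in accounts
                  if a["last_login"] is None or a["last_login"] < cutoff)


def above_average_entitlements(accounts):
    """Accounts whose entitlement count exceeds the appliance-wide mean."""
    avg = mean(len(a["groups"]) for a in accounts)
    return sorted(a["uid"] for a in accounts if len(a["groups"]) > avg)


def identities_with_multiple_accounts(accounts):
    """Identities that own more than one PAM user account."""
    counts = Counter(a["identity"] for a in accounts if a["identity"] is not None)
    return sorted(ident for ident, n in counts.items() if n > 1)


def entitlement_drift(accounts, provisioned):
    """Memberships present in the target system but not provisioned by the
    identity manager ("Show entitlement drifts"): uid -> sorted extra groups."""
    drift = {}
    for a in accounts:
        extra = set(a["groups"]) - provisioned.get(a["uid"], set())
        if extra:
            drift[a["uid"]] = sorted(extra)
    return drift


def run_all(accounts=ACCOUNTS, provisioned=PROVISIONED):
    """Run every rule once and return the findings keyed by report name."""
    return {
        "orphaned": orphaned_accounts(accounts),
        "unused": unused_accounts(accounts),
        "above_average_entitlements": above_average_entitlements(accounts),
        "identities_with_multiple_accounts": identities_with_multiple_accounts(accounts),
        "entitlement_drift": entitlement_drift(accounts, provisioned),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

On the constructed data the drift rule flags carol's DBA membership, which exists in the appliance but is absent from the provisioned map; that is exactly the kind of manual target-system change the "Show entitlement drifts" report is meant to surface.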

Table 28: Additional reports for the target system

Report | Description

PAM user account and group administration | This report contains a summary of user account and group distribution in all PAM appliances. You can find the report in the My One Identity Manager > Target system overviews category.

Data quality summary for PAM user accounts | This report contains different evaluations of user account data quality in all PAM appliances. You can find the report in the My One Identity Manager > Data quality analysis category.

Overview of identity's privileged access | This report contains detailed information about personal and organizational data as well as the identity's current privileged access. The report is displayed for identities.

PAM access requests

In One Identity Manager, you can request access to assets, asset accounts, directory accounts, asset groups, and account groups in a PAM system. The following products are available in the IT Shop for requesting such access:

  • API key request: For requesting API keys for accounts in a PAM system.

  • Password release request: For requesting passwords for accounts in a PAM system.

  • Remote desktop application request: For requesting remote desktop applications for assets in a PAM system.

  • Remote Desktop session request: For requesting remote desktop sessions for assets in a PAM system.

  • SSH key request: For requesting SSH keys for accounts in a PAM system.

  • SSH session request: For requesting SSH sessions for assets in a PAM system.

  • Telnet session request: For requesting Telnet sessions for assets in a PAM system.

The access requests are requested in the Web Portal. After the request is approved, a corresponding access request is created in the PAM system. To check out the requested password or session, the user logs on to the PAM system.

For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about requesting access in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.

System requirements for requesting PAM access requests

The access requests in the PAM system are created by process and script processing. The Job server that runs these processes must have the same configuration as the synchronization server (in terms of the installed software and the entitlements and certificates of the user account). Use the synchronization server.

In One Identity Safeguard, the following system prerequisites must be met:

  • The application-to-application service is enabled.

  • An application with the following properties has been registered and activated:

    • Name: One Identity Manager

    • Certificate user: the user account used to access the One Identity Safeguard appliance (the synchronization user)

    • Access request broker: Activated

      At least one user or user group for which One Identity Safeguard will determine the access must be assigned to the access request broker.

      This list is updated when access requests are created by One Identity Manager.

  • So that valid access requests can be generated whenever possible, do not set time restrictions on the entitlements and access request policies.

For more information about setting up the application to application service in One Identity Safeguard and configuring the entitlements and access request policies, see the One Identity Safeguard Administration Guide.
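A practitioner will want to verify these prerequisites before the first access request fails in process handling. The following added example is not One Identity Manager or One Identity Safeguard code: it encodes the checks listed above (A2A service enabled, an activated registration named "One Identity Manager" whose certificate user is the synchronization user, and at least one user or user group on the access request broker) as a function over the JSON an appliance would return, and runs it on constructed sample data. The Safeguard REST paths and JSON field names used by the optional collect_from_appliance helper (A2ARegistrations, AccessRequestBroker, AppName, Disabled, CertificateUser, Id) are assumptions and must be checked against the Safeguard API documentation for your appliance version; the time-restriction requirement is not checked here and must be reviewed manually.

```python
"""Preflight check for the One Identity Safeguard A2A prerequisites (added example).

Not One Identity Manager or Safeguard code. evaluate_registration() is a pure
check over already-fetched JSON and runs offline on the constructed samples.
collect_from_appliance() shows how that JSON might be gathered; its REST paths
and field names are ASSUMPTIONS about the Safeguard API, not documented facts.
"""
import json
import ssl
import urllib.request

EXPECTED_APP_NAME = "One Identity Manager"


def evaluate_registration(registrations, brokers, sync_user, service_enabled):
    """Return a list of findings; an empty list means the prerequisites hold.

    registrations  : list of A2A registration dicts (ASSUMED fields AppName,
                     Id, Disabled, CertificateUser)
    brokers        : dict registration Id -> list of access request broker
                     entries (users or user groups)
    sync_user      : user name of the synchronization user
    service_enabled: whether the application-to-application service is enabled
    """
    findings = []
    if not service_enabled:
        findings.append("application-to-application service is not enabled")

    app = next((r for r in registrations if r.get("AppName") == EXPECTED_APP_NAME), None)
    if app is None:
        findings.append(f"no A2A registration named '{EXPECTED_APP_NAME}'")
        return findings  # the remaining checks need a registration

    if app.get("Disabled"):
        findings.append("registration is not activated (Disabled is true)")
    if app.get("CertificateUser") != sync_user:
        findings.append(
            f"certificate user is '{app.get('CertificateUser')}', "
            f"expected synchronization user '{sync_user}'")
    if not brokers.get(app.get("Id")):
        findings.append("access request broker has no users or user groups assigned")
    return findings


def collect_from_appliance(appliance, token, api_version="v4"):
    """Fetch registrations and broker lists over HTTPS (certificate validation on).
    URL layout and resource names are ASSUMED; verify against the Safeguard API docs."""
    def get(path):
        url = f"https://{appliance}/service/core/{api_version}/{path}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                    timeout=15) as resp:
            return json.load(resp)

    registrations = get("A2ARegistrations")
    brokers = {r["Id"]: get(f"A2ARegistrations/{r['Id']}/AccessRequestBroker")
               for r in registrations}
    return registrations, brokers


# Constructed sample data standing in for the appliance's responses.
SAMPLE_REGISTRATIONS = [
    {"Id": 7, "AppName": "One Identity Manager", "Disabled": False,
     "CertificateUser": "oim-sync"},
    {"Id": 9, "AppName": "Backup Integration", "Disabled": True,
     "CertificateUser": "backup-svc"},
]
SAMPLE_BROKERS = {7: [{"Name": "PAM-Admins", "PrincipalKind": "Group"}], 9: []}


def run_sample(sync_user="oim-sync", service_enabled=True):
    """Evaluate the constructed sample; returns the findings list."""
    return evaluate_registration(SAMPLE_REGISTRATIONS, SAMPLE_BROKERS,
                                 sync_user, service_enabled)


if __name__ == "__main__":
    findings = run_sample()
    print("OK: prerequisites met" if not findings else "\n".join(findings))
```

The check stops after reporting a missing registration, since the certificate user and broker checks are meaningless without one; every other finding is reported together so a single run lists everything that still has to be fixed on the appliance.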
