
Identity Manager 9.2 - Administration Guide for Privileged Account Governance


Requesting PAM access requests

Requesting one of the following standard products creates an access request for a privileged object of a PAM system. The products are multi-request resources.

Table 29: Default objects for requesting access requests

Products:

  • API key request: For requesting API keys for accounts in a PAM system.

  • Password release request: For requesting passwords for accounts in a PAM system.

  • Remote desktop application request: For requesting remote desktop applications for assets in a PAM system.

  • Remote Desktop session request: For requesting remote desktop sessions for assets in a PAM system.

  • SSH key request: For requesting SSH keys for accounts in a PAM system.

  • SSH session request: For requesting SSH sessions for assets in a PAM system.

  • Telnet session request: For requesting Telnet sessions for assets in a PAM system.

Service category: Privileged access requests

Shelf: Identity & Access Lifecycle | Privileged access

Approval procedures: PG - Owner of requested privileged access

Approval policies/approval workflows: Approval of privileged access requests

The requester provides the details of the required access, such as the product and the asset or account to be accessed, together with the time period for the access. The owner of the privileged object for which access is requested approves the request. Once it is approved, a corresponding access request is created in the PAM system.

The request records whether the access request could be created in the PAM system and whether it was approved there. The status of the access request in the PAM system is checked at regular intervals by the Read status of privileged access requests schedule.

Once the access request has been approved, the user can log in to the PAM system and retrieve the required password or start the required session.

Prerequisites
  • The requester's PAM user account has the entitlement for requesting the access request.

  • In the access request policy, the One Identity Manager enabled option is activated. This allows access requests to be requested for the assets, asset accounts, directory accounts, asset groups, and account groups within the access request policy's scope.

  • An application role under Privileged Account Governance | Asset and account owners is assigned as owner to the requestable assets, asset accounts, directory accounts, asset groups, and account groups.

  • Identities are assigned to the application roles.

  • The Read status of privileged access requests schedule is enabled. Adjust the schedule in the Designer if necessary.

  • The URL of the PAM web application is entered on the appliance. This allows users to log in to the PAM system from the Web Portal and retrieve the password or start a session.

For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about requesting access requests in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.

PAM object owners

Owners of privileged objects (PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups) must be members of an application role under the Privileged Account Governance | Asset and account owners application role.

Users with this application role:

  • Approve or deny requests for access to these privileged objects.

  • Attest user access to these privileged objects.

The PG - Owner of requested privileged access approval procedure takes the application role into account when determining approvers. The OP - Owner of a privileged object approval procedure takes the application role into account when determining attestors.

For more information about approval processes, see the One Identity Manager IT Shop Administration Guide and the One Identity Manager Attestation Administration Guide.

Automatically determining the owners

Initially, the approvers of access request policies automatically become the owners of PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups. This assignment only takes place if an access request policy can be determined for the PAM object.

  • For each access request policy, a new application role for the owners is created under the Privileged Account Governance | Asset and account owners application role.

  • The role approvers of the access request policy are added to the application role.

  • The application role is assigned to the PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups within the policy's scope.

  • If several access request policies cover the same PAM object, the applicable application role is determined through the entitlements of the access request policies. The PAM object owners are determined in the following order:

    1. Application roles of access request policies belonging to the entitlement with the lowest priority number

    2. Among these, the application role of the access request policy with the lowest priority number

NOTE:

  • An application role for owners is only assigned automatically to a PAM object if no application role is assigned to that PAM object yet. An existing assignment is not changed.

  • Owners are only determined initially. Later changes to the role approvers of an access request policy are not propagated to the associated application role. Change the identities assigned to the application role manually, if required.

  • Owners cannot be determined for access request policies that are automatically approved in One Identity Safeguard. In this case, assign identities manually to the application role.
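The rules above can be read as a small algorithm: one application role per access request policy, role approvers copied in once, entitlement priority decided before policy priority, existing owners left alone, and auto-approved policies yielding a role with no members. The following Python model is an added example that illustrates those rules; it is not One Identity Manager code, and the dataclass names, the "parent | policy name" naming of the child role, the assumption that a lower priority number takes precedence, and the sample policies and objects are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Parent application role named in the guide. Naming the per-policy child role
# "parent | policy name" is an assumption made for this example.
OWNER_ROLE_PARENT = "Privileged Account Governance | Asset and account owners"


@dataclass(frozen=True)
class AccessRequestPolicy:
    name: str
    entitlement: str
    entitlement_priority: int      # assumption: lower number = higher precedence
    policy_priority: int           # assumption: lower number = higher precedence
    role_approvers: tuple          # identities approving requests in Safeguard
    auto_approved: bool = False    # policy is approved automatically in Safeguard


@dataclass
class PamObject:
    name: str
    kind: str                      # asset, asset account, directory account, asset group, account group
    policies: tuple                # access request policies whose scope includes this object
    owner_role: Optional[str] = None   # an existing owner assignment is never overwritten


def owner_role_name(policy):
    return f"{OWNER_ROLE_PARENT} | {policy.name}"


def select_policy(policies):
    """When several policies cover one object, entitlement priority is
    compared first and policy priority second."""
    if not policies:
        return None
    return min(policies, key=lambda p: (p.entitlement_priority, p.policy_priority))


def derive_owners(objects):
    """Return (assignments, roles, needs_manual).

    assignments: object name -> application role assigned by this run
    roles:       application role -> identities added as members
    needs_manual: roles created for auto-approved policies; no role approvers
                  exist, so identities must be assigned by hand
    """
    assignments, roles, needs_manual = {}, {}, []
    # Step 1: one application role per access request policy, members = role approvers.
    for obj in objects:
        for policy in obj.policies:
            role = owner_role_name(policy)
            if role in roles:
                continue
            if policy.auto_approved:
                roles[role] = ()
                needs_manual.append(role)
            else:
                roles[role] = tuple(policy.role_approvers)
    # Step 2: assign the role to objects in scope, unless an owner is already set
    # or no policy can be determined for the object.
    for obj in objects:
        if obj.owner_role is not None or not obj.policies:
            continue
        assignments[obj.name] = owner_role_name(select_policy(obj.policies))
    return assignments, roles, needs_manual


# Constructed sample data (not from the guide).
LINUX_ADMINS = AccessRequestPolicy("Linux root passwords", "Linux Admins", 1, 2, ("alice", "bob"))
LINUX_BREAKGLASS = AccessRequestPolicy("Linux break-glass", "Linux Admins", 1, 1, ("carol",))
DBA = AccessRequestPolicy("DB service accounts", "DBAs", 2, 1, ("dave",))
HELPDESK_AUTO = AccessRequestPolicy("Jump host sessions", "Helpdesk", 3, 1, ("erin",), auto_approved=True)

SAMPLE_OBJECTS = (
    PamObject("srv-web-01", "asset", (LINUX_ADMINS,)),
    PamObject("root@srv-db-01", "asset account", (LINUX_ADMINS, LINUX_BREAKGLASS, DBA)),
    PamObject("svc-backup", "directory account", (DBA,), owner_role=OWNER_ROLE_PARENT + " | Backup team"),
    PamObject("jump-01", "asset", (HELPDESK_AUTO,)),
    PamObject("orphan-asset", "asset", ()),
)

if __name__ == "__main__":
    assignments, roles, needs_manual = derive_owners(SAMPLE_OBJECTS)
    for obj_name, role in assignments.items():
        print(f"{obj_name:16} -> {role}  members={roles[role]}")
    for role in needs_manual:
        print(f"assign identities manually: {role}")
```

In the sample run, root@srv-db-01 is covered by three policies; the two Linux Admins policies beat the DBAs policy on entitlement priority, and the break-glass policy then wins on policy priority. svc-backup keeps its pre-existing owner role, orphan-asset gets none, and the auto-approved jump host policy produces an empty role that is reported for manual assignment.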

Manually specifying identities as PAM object owners

In addition to automatically determining the owners, you can specify the owners manually.

To manually specify identities as owners

  1. Log in to Manager as target system manager.

  2. In the Privileged Account Management > Basic configuration data > Asset and account owners category, select the application role.

  3. Select the Assign identities task.

  4. In the Add assignments pane, add identities.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click it to remove the assignment.

  5. Save the changes.