立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Executing synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

Master data for account definitions

Enter the following data for an account definition:

Table 8: Master data for an account definition

Property

Description

Account definition

Account definition name.

User account table

Table in the One Identity Manager schema that maps user accounts.

For PAM users, select PAGUser.

Target system

Target system to which the account definition applies.

Required account definition

Required account definition. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is automatically requested or assigned with it.

For a PAM appliance, you can optionally select an Active Directory account definition or an LDAP account definition. In this case, an Active Directory or LDAP user account is first created for the employee. If this user account exists, the PAM user account is created as a directory user.

Description

Text field for additional explanation.

Manage level (initial)

Manage level to use by default when you add new user accounts.

Risk index

Value for evaluating the risk of account definition assignments to employees. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item through which you can request the account definition in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. The account definition can also be assigned directly to employees and roles outside the IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means, the account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to employees

Specifies whether the account definition is assigned automatically to all internal employees. The account definition is assigned to every employee not marked as external, on saving. New employees automatically obtain this account definition as soon as they are added.

IMPORTANT: Only set this option if you can ensure that all current internal employees in the database and all pending newly added internal employees obtain a user account in this target system.

Disable this option to remove automatic assignment of the account definition to all employees. The account definition cannot be reassigned to employees from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently disabled employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment to temporarily disabled employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on deferred deletion

Specifies the account definition assignment on deferred deletion of employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to employees posing a security risk.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping account definitions.

Spare field 01 - spare field 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Editing manage levels

One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged: User accounts with the Unmanaged manage level are linked to the employee but they do no inherit any further properties. When a new user account is added with this manage level and an employee is assigned, some of the employee's properties are transferred initially. If the employee properties are changed at a later date, the changes are not passed onto the user account.

  • Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned employee. When a new user account is created with this manage level and an employee is assigned, the employee's properties are transferred in an initial state. If the employee properties are changed at a later date, the changes are passed onto the user account.

To edit a manage level

  1. In the Manager, select the Privileged Account Management | Basic configuration data | Account definitions | Manage levels category.

  2. Select the manage level in the result list.

  3. Select the Change master data task.

  4. Edit the manage level's master data.

  5. Save the changes.

Related topics

Creating manage levels

One Identity Manager supplies a default configuration for the Unmanaged and Full managed manage levels. You can define other manage levels depending on your requirements.

IMPORTANT: In the Designer, extend the templates by adding the procedure for the additional manage levels. For detailed information about templates, see the One Identity Manager Configuration Guide.

To create a manage level

  1. In the Manager, select the Privileged Account Management | Basic configuration data | Account definitions | Manage levels category.

  2. Click in the result list.

  3. On the master data form, edit the master data for the manage level.
  4. Save the changes.
Related topics

Master data for manage levels

Enter the following data for a manage level.

Table 9: Master data for manage levels
Property Description

Manage level

Name of the manage level.

Description

Text field for additional explanation.

IT operating data overwrites

Specifies whether user account data formatted from IT operating data is automatically updated. Permitted values are:

  • Never: Data is not updated.

  • Always: Data is always updated.

  • Only initially: Data is only determined at the start.

Retain groups if temporarily disabled

Specifies whether user accounts of temporarily disabled employees retain their group memberships.

Lock user accounts if temporarily disabled

Specifies whether user accounts of temporarily disabled employees are locked.

Retain groups if permanently disabled

Specifies whether user accounts of permanently disabled employees retain group memberships.

Lock user accounts if permanently disabled

Specifies whether user accounts of permanently disabled employees are locked.

Retain groups on deferred deletion

Specifies whether user accounts of employees marked for deletion retain their group memberships.

Lock user accounts if deletion is deferred

Specifies whether user accounts of employees marked for deletion are locked.

Retain groups on security risk

Specifies whether user accounts of employees posing a security risk retain their group memberships.

Lock user accounts if security is at risk

Specifies whether user accounts of employees posing a security risk are locked.

Retain groups if user account disabled

Specifies whether disabled user accounts retain their group memberships.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级