立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Contact information for PAM user accounts

Enter the following main data: You can only enter contact data that uses a local identity provider.

Table 22: Contact data for a user account

Property

Description

First name

The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Phone

Telephone number. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Mobile phone

Mobile number. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Email address

User account email address. If you assigned an account definition, the email address is made up of the identity’s default email address depending on the manage level of the user account.

If OneLogin multifactor authentication is used a secondary authorization, the email address must match the email address in OneLogin.

Description

Text field for additional explanation.

Secondary authentication for PAM user accounts

If multifactor authentication is required for the user, enter the following main data.

Table 23: Secondary authentication of a user account

Property

Description

Secondary authentication

Second authentication provider for requesting multi-factor authentication by the user. All authentication providers that are allowed as secondary authentication providers (PAGAuthProvider table, AllowSecondaryAuth column).

Secondary authentication object

(Only for directory users) Character string for identifying the second authentication object for multi-factor authentication. The input depends on the selected secondary authentication provider.

If the secondary authentication of a user is performed using an Active Directory user account or an LDAP user account, you can select the user account.

To select a user account

  1. To do this, click next to the input field and enter the following information:

    • Table: Table in which the user accounts are mapped. This table is preselected.

      For an Active Directory user account, ADSAccount is selected. For an LDAP user account, LDAPAccount is selected.

    • Secondary authentication object: Select a user account.
  2. Click OK.

Login name

Login name of the PAM user account for secondary authentication.

Administrative entitlements for PAM user accounts

If necessary, set the user's administrative permissions.

Table 24: Administrative entitlements for a user account

Administrative role

Description

Authorizer

Enables the user to grant permissions to other users.

User

Enables the user to create new users, and to approve and reset passwords for non-administrative users

Help Desk

Enables the user to create and approve passwords for non-administrative users

Appliance

Enables the user to edit, update, and configure the appliance.

Operations

Enables the user to restart the appliance and to monitor the appliance.

Auditor

Provides the user with read-only access.

Asset

Enables the user to add, edit, and delete partitions, assets, and accounts.

Directory

Enables the user to add, edit, and delete directories.

Security policy

Enables the user to add, edit, and delete entitlements and policies that control access to accounts and assets.

Personal password vault

Allows the user to add, edit, delete, share, and access a vault for personal passwords.

Related topics

Assigning extended properties to PAM user accounts

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For more information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a user account

  1. In the Manager, select the Privileged Account Management > User accounts category.

  2. Select the user account in the result list.

  3. Select Assign extended properties.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  5. Save the changes.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级