立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Editing main data of PAM user groups

Groups are loaded into One Identity Manager by synchronization. You can edit existing groups in One Identity Manager.

To edit group main data

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. On the main data form, edit the main data of the group.

  5. Save the changes.
Related topics

General main data of PAM user accounts

Enter the following general main data.

Table 25: General main data of a user group

Property

Description

Name

Name of the user group

Appliance Appliance to which the user group belongs.

Service item

Service item data for requesting the group through the IT Shop.

IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Authentication provider

Directory name (only for directory groups).

Target system group Group in Active Directory or LDAP (only for directory groups).
Read only memberships The directory group is read-only (only for directory groups). The memberships are maintained in the directory, for example in Active Directory or LDAP.

Created on

Time at which the user account was created.

Created by

User who created the user account.
Related topics

Administrative entitlements for PAM user groups

If necessary, set the user group's administrative permissions. The permissions apply to users in the user group.

Administrative permissions forPAM user groups are supported as from One Identity Safeguard 7.0. For more information about administrative permissions in One Identity Safeguard, see the One Identity Safeguard Administration Guide.

Table 26: Administrative permissions for a user group

Administrative role

Description

Authorizer

Allows group users to share permissions with other users.

Users

Allows group users to create new users, and to unlock and reset passwords of non-administrative users.

Help Desk

Allows group users to unlock and reset passwords of non-administrative users.

Appliance

Allows group users to edit, update, and configure the appliance.

Operations

Allows group users to restart and monitor the appliance.

Auditor

Allows group users read-only access.

Asset

Allows group users to add, edit, and delete partitions, assets, and accounts.

Directory

Allows group users to add, edit, and delete directories.

Security policy

Allows group users to add, edit, and delete permissions and policies that control access to accounts and assets.

Personal password vault

Allows group users to add, edit, delete, share, and access a vault for personal passwords.

Related topics

Assigning extended properties to PAM user groups

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For more information about setting up extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a group

  1. In the Manager, select the Privileged Account Management > User groups category.

  2. Select the group in the result list.

  3. Select Assign extended properties.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  5. Save the changes.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级