立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Target system managers for PAM systems

A default application role exists for the target system manager in One Identity Manager. Assign identities to this application role who have permission to edit all appliances in One Identity Manager.

Define additional application roles if you want to limit the permissions for target system managers to individual appliances. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates identities to be target system administrators.

  2. These target system administrators add identities to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the Privileged Account Management systems in One Identity Manager.

  3. Target system managers can authorize other identities within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual PAM systems.

Table 30: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add identities that do not have the Primary identity identity type.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other identities within their area of responsibility as target system managers and create child application roles if required.

  • Authorize identities as owners of privileged objects within their area of responsibility.

To initially specify identities to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)

  2. Select the One Identity Manager Administration > Target systems > Administrators category.

  3. Select the Assign identities task.

  4. Assign the identity and save the changes.

To add the first identities to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration > Target systems > Privileged Account Management category.

  3. Select the Assign identities task.

  4. Assign the identities you want and save the changes.

To authorize other identities as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Privileged Account Management > Basic configuration data > Target system managers category.

  3. Select the Assign identities task.

  4. Assign the identities you want and save the changes.

To specify target system managers for individual Privileged Account Management systems

  1. Log in to the Manager as a target system manager.

  2. Select the Privileged Account Management > Appliances category.

  3. Select the appliance in the result list.

  4. Select the Change main data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Privileged Account Management parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign identities to this application role who are permitted to edit the system in One Identity Manager.

Related topics

Job server for PAM-specific process handling

In order to handle target system specific processes in One Identity Manager, the synchronization server and its server functionality must be declared. You have several options for defining a server's functionality:

  • In the Designer, create an entry for the Job server in the Base Data > Installation > Job server category. For more information about this, see the One Identity Manager Configuration Guide.

  • In the Manager, select an entry for the Job server in the Privileged Account Management > Basic configuration data > Server category and edit the Job server's main data.

    Use this task if the Job server has already been declared in One Identity Manager and you want to configure special functions for the Job server.

NOTE: One Identity Manager must be installed, configured, and started in order for a server to perform its function in the One Identity Manager Service network. Proceed as described in the One Identity Manager Installation Guide.

Related topics

Editing PAM Job servers

Use this task if the Job server has already been declared in One Identity Manager and you want to configure special functions for the Job server.

To edit a Job server and its functions

  1. In the Manager, select the Privileged Account Management > Basic configuration data > Server category.

  2. Select the Job server entry in the result list.

  3. Select the Change main data task.

  4. Edit the Job server's main data.

  5. Select the Assign server functions task and specify server functionality.

  6. Save the changes.
Detailed information about this topic

General main data of Job servers

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

NOTE: More properties may be available depending on which modules are installed.

Table 31: Job server properties

Property

Meaning

Server

Job server name.

Full server name

Full server name in accordance with DNS syntax.

Syntax:

<Name of servers>.<Fully qualified domain name>

Target system

Computer account target system.

Language

Language of the server.

Server is cluster

Specifies whether the server maps a cluster.

Server belongs to cluster

Cluster to which the server belongs.

NOTE: The Server is cluster and Server belongs to cluster properties are mutually exclusive.

IP address (IPv6)

Internet protocol version 6 (IPv6) server address.

IP address (IPv4)

Internet protocol version 4 (IPv4) server address.

Copy process (source server)

Permitted copying methods that can be used when this server is the source of a copy action. At present, only copy methods that support the Robocopy and rsync programs are supported.

If no method is given, the One Identity Manager Service determines the operating system of the server during runtime. Replication is then performed with the Robocopy program between servers with a Windows operating system or with the rsync program between servers with a Linux operating system. If the operating systems of the source and destination servers differ, it is important that the right copy method is applied for successful replication. A copy method is chosen that supports both servers.

Copy process (target server)

Permitted copying methods that can be used when this server is the destination of a copy action.

Coding

Character set coding that is used to write files to the server.

Parent Job server

Name of the parent Job server.

Executing server

Name of the executing server. The name of the server that exists physically and where the processes are handled.

This input is evaluated when the One Identity Manager Service is automatically updated. If the server is handling several queues, the process steps are not supplied until all the queues that are being processed on the same server have completed their automatic update.

Queue

Name of the queue to handle the process steps. The process steps are requested by the Job queue using this queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

Server operating system

Operating system of the server. This input is required to resolve the path name for replicating software profiles. The values Win32, Windows, Linux, and Unix are permitted. If no value is specified, Win32 is used.

Service account data

One Identity Manager Service user account information. In order to replicate between non-trusted systems (non-trusted domains, Linux server), the One Identity Manager Service user information has to be declared for the servers in the database. This means that the service account, the service account domain, and the service account password have to be entered for the server.

One Identity Manager Service installed

Specifies whether a One Identity Manager Service is installed on this server. This option is enabled by the QBM_PJobQueueLoad procedure the moment the queue is called for the first time.

The option is not automatically removed. If necessary, you can reset this option manually for servers whose queue is no longer enabled.

Stop One Identity Manager Service

Specifies whether the One Identity Manager Service has stopped. If this option is set for the Job server, the One Identity Manager Service does not process any more tasks.

You can make the service start and stop with the appropriate administrative permissions in the Job Queue Info program. For more information, see the One Identity Manager Process Monitoring and Troubleshooting Guide.

Paused due to unavailability of a target system

Specifies whether task processing for this queue has been stopped because the target system that uses this Job server as a synchronization server is temporarily unavailable. As soon as the target system is available again, processing starts and all outstanding tasks are performed.

For more information about offline mode, see the One Identity Manager Target System Synchronization Reference Guide.

No automatic software update

Specifies whether to exclude the server from automatic software updating.

NOTE: Servers must be manually updated if this option is set.

Software update running

Specifies whether a software update is currently running.

Server function

Server functionality in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级