
Identity Manager 8.1.4 - Administration Guide for Privileged Account Governance


PAM entitlements

An entitlement is a set of access request policies that ensures only authorized users can access the system. An entitlement usually groups together a set of permissions that are required to fulfill a specific task.

An entitlement defines which users are authorized to request passwords for accounts or sessions for assets as part of the defined access request policies.

Entitlements are imported into the One Identity Manager database during synchronization. You cannot edit the properties of entitlements. Changes to the object properties of individual entitlements can be re-imported by single object synchronization.

To display the properties of an entitlement

  1. In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Entitlements category.

  2. Select the entitlement in the result list.

  3. Select the Change master data task.

For an entitlement, you see an overview of the user accounts, user groups, and the access request policies associated with the entitlement.

To view an overview of an entitlement

  1. In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Entitlements category.

  2. Select the entitlement in the result list.

  3. Select the PAM entitlement overview task.

PAM access request policies

An access request policy defines:

  • The scope (meaning, which assets, asset groups, asset accounts, directory accounts, or account groups).
  • The access type (password, SSH or remote desktop, Telnet).
  • The rules for requesting passwords, for example, the duration or how many approvals are required.

Access request policies are imported into the One Identity Manager database during synchronization. Changes to the object properties of individual access request policies can be re-imported by single object synchronization.

To display the properties of an access request policy

  1. In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Entitlements | <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change master data task.

For an access request policy, you see an overview of the scope of the access request policy and the entitlements associated with the access request policy.

To obtain an overview of an access request policy

  1. In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Entitlements | <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the PAM access request policy overview task.

Reports about PAM objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for PAM systems.

Table 31: Reports for the target system

| Report | Description |
|---|---|
| Overview of all assignments (appliance) | This report finds all roles containing employees with at least one user account in the appliance. |
| Overview of all assignments (user groups) | This report finds all roles containing employees who have the selected user group. |
| PAM user account and group administration | This report contains a summary of user account and group distribution in all PAM appliances. You can find the report in the My One Identity Manager \| Target system overviews category. |
| Data quality summary for PAM user accounts | This report contains different evaluations of user account data quality in all PAM appliances. You can find the report in the My One Identity Manager \| Data quality analysis category. |
| Show orphaned user accounts | This report shows all of the appliance's user accounts that are not assigned an employee. The report contains group memberships and risk assessment. |
| Show entitlement drifts | This report shows all of the appliance's groups that are the result of manual operations in the target system rather than provisioned by One Identity Manager. |
| Show unused user accounts | This report shows all of the appliance's user accounts that have not been used in the last few months. The report contains group memberships and risk assessment. |
| Show user accounts with an above average number of system entitlements | This report contains all of the appliance's user accounts with an above average number of group memberships. |
| Show employees with multiple user accounts | This report shows all employees who own more than one user account in the appliance. The report contains a risk assessment. |
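
The checks behind four of these reports (orphaned accounts, entitlement drifts, above average memberships, multiple accounts per employee) can be reproduced on an exported account inventory. The following is an added example, not One Identity Manager code: the data is constructed, and the field names (account, employee, groups, origin) are assumptions rather than the product's schema.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data. Field names are hypothetical and are not
# One Identity Manager's database schema or report definitions.
ACCOUNTS = [
    {"account": "adm-jdoe", "employee": "jdoe", "groups": ["Linux-Admins", "DB-Admins"]},
    {"account": "adm-jdoe2", "employee": "jdoe",
     "groups": ["Linux-Admins", "DB-Admins", "Net-Admins", "Backup-Ops"]},
    {"account": "adm-asmith", "employee": "asmith", "groups": ["Linux-Admins"]},
    {"account": "svc-legacy", "employee": None, "groups": ["DB-Admins"]},
]
GROUPS = [
    {"group": "Linux-Admins", "origin": "provisioned"},
    {"group": "DB-Admins", "origin": "provisioned"},
    {"group": "Net-Admins", "origin": "provisioned"},
    {"group": "Backup-Ops", "origin": "manual"},  # created directly on the appliance
]

def orphaned_accounts(accounts):
    """User accounts not assigned an employee, with their group memberships."""
    return {a["account"]: a["groups"] for a in accounts if not a["employee"]}

def entitlement_drifts(groups):
    """Groups that result from manual operations in the target system."""
    return [g["group"] for g in groups if g["origin"] != "provisioned"]

def above_average_memberships(accounts):
    """Accounts whose group count exceeds the mean across all accounts."""
    if not accounts:
        return []
    avg = mean(len(a["groups"]) for a in accounts)
    return [a["account"] for a in accounts if len(a["groups"]) > avg]

def employees_with_multiple_accounts(accounts):
    """Employees who own more than one user account in the appliance."""
    owned = defaultdict(list)
    for a in accounts:
        if a["employee"]:
            owned[a["employee"]].append(a["account"])
    return {e: accts for e, accts in owned.items() if len(accts) > 1}

if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS))
    print("drifts:", entitlement_drifts(GROUPS))
    print("above average:", above_average_memberships(ACCOUNTS))
    print("multiple accounts:", employees_with_multiple_accounts(ACCOUNTS))
```
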

PAM access requests

In One Identity Manager, you can make access requests for assets, asset accounts, directory accounts, asset groups, and account groups in a PAM system. To make an access request, the following products are available in the IT Shop:

  • Password release request: To request passwords for accounts in a PAM system.

  • SSH session request: To request SSH sessions for assets in a PAM system.

  • Remote Desktop session request: To request remote desktop sessions for assets in a PAM system.

  • Telnet session request: To request Telnet sessions for assets in a PAM system.

Access requests are submitted in the Web Portal. After the request is approved, a corresponding access request is created in the PAM system. To check out the requested password or session, the user logs on to the PAM system.

For more detailed information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more detailed information about making access requests in the Web Portal, see the One Identity Manager Web Portal User Guide.
