立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - Administration Guide for Privileged Account Governance

Mapping a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Executing synchronization Tasks after a synchronization Troubleshooting
Managing PAM user accounts and employees Managing the assignments of PAM user groups Provision of login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for the management of a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects Known issues about connecting One Identity Safeguard appliances About us

Manually specifying employees as PAM object owners

To manually specify employees as owners

  1. Log in to Manager as target system manager.

  2. In the Privileged Account Management | Basic configuration data | Asset and account owners category, select the application role.

  3. Select the Assign employees task.

  4. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click .
  5. Save the changes.

Manually specifying application roles for PAM object owners

To specify an application role for a PAM object owner

  1. In the Manager, select one of the following filters in the Privileged Account Management | Appliances | <Appliance> | Privileged objects category.

    • To specify an application role for an asset, select Assets.

    • To specify an application role for an asset group. select Asset group.

    • To specify an application role for an asset account, select Asset account.

    • To specify an application role for a directory account, select Directory account.

    • To specify an application role for an account group, select Account group.

  2. In the result list, select the PAM object.

  3. Select the Change master data task.

  4. On the General tab, select the application role in the Owner (Application Role) selection list.

    - OR -

    Next to the Owner (Application Role) list, click on to create a new application role.

    1. Enter the application role name and assign the Privileged Account Governance | Asset and account owners parent application role.

    2. Click OK to add the new application role.

  5. Assign employees, who are owners, to the application role.
Related topics

Configuring PAM access request policies

Access requests for assets, asset accounts, directory accounts, asset groups, and account groups can only be requested if the One Identity Manager enabled option is activated in the access request policy.

To configure the access request policy

  1. In the Manager, select the Privileged Account Management | Appliances | <Appliance> | Entitlements | <Entitlement> category.

  2. Select the access request policy in the result list.

  3. Select the Change master data task.

  4. On the General tab, check the One Identity Manager enabled option.

    • If this option is set, access requests can be requested for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

    • If this option is not set, is not possible to request access requests for assets, asset accounts, directory accounts, asset groups, and account groups that are within the access request policy's scope.

Related topics

Handling of PAM objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal. The Web Portal supports the administration of a Privileged Account Management system for the following tasks:

  • Managing user accounts and employees

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval procedure. The user account is not created until it has been agreed by an authorized person, such as a manager.

  • Managing the assignments of user groups

    When a group is assigned to an IT Shop shelf, the group can be requested by the customers of the shop in the Web Portal. The request undergoes a defined approval procedure. The group is not assigned until it has been approved by an authorized person.

    In the Web Portal, managers and administrators of organizations can assign groups to the departments, cost centers, or locations for which they are responsible. The groups are passed on to all persons who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, managers, and administrators of business roles can assign groups in the Web Portal to the business roles for which they are responsible. The groups are passed on to all persons who are members of these business roles.

    If the System Roles Module is available, supervisors of system roles can assign groups to the system roles in the Web Portal. The groups are passed on to all persons to whom these system roles are assigned.

  • Managing access requests to privileged objects

    Using the Identity & Access Lifecycle | Privileged access IT Shop shelf, you can request password and session requests for privileged objects of a PAM system. The request undergoes a defined approval procedure. The owner of the privileged object for which you are requesting access approves the order. In the PAM system, a corresponding access request is made. If you were able to successfully create the access request, the user can log on to the PAM system and call the required password, or start the required session.

  • Attestation

    If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. The owners of privileged objects attest the possible user access to these privileged objects. To enable this, attestation policies are configured in the Manager. The attesters use the Web Portal to approve attestation cases.

  • Governance administration

    If the Compliance Rules Module is available, you can define rules that identify the invalid entitlement assignments and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of groups to evaluate the risk of entitlement assignments for the company. One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the employees, user accounts, and their entitlements and risks.

For more information about the named topics, see Managing PAM user accounts and employees, Assigning PAM user groups to PAM user accounts in One Identity Manager, PAM access requests and refer to the following guides:

  • One Identity Manager Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级