立即与支持人员聊天
与支持团队交流

Identity Manager 8.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing PAM user accounts and employees Managing the assignments of PAM user groups Login information for PAM user accounts Mapping of PAM objects in One Identity Manager PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

Secondary authentication for PAM user accounts

If multi-factor authentication is required for the user, enter the following main data on the Secondary authentication tab.

Table 24: Secondary authentication of a user account

Property

Description

Secondary authentication

Second authentication provider for requesting multi-factor authentication by the user. All authentication providers that are allowed as secondary authentication providers (PAGAuthProvider table, AllowSecondaryAuth column).

Secondary authentication object

(Only for directory users) Character string for identifying the second authentication object for multi-factor authentication. The input depends on the selected secondary authentication provider.

If the secondary authentication of a user is performed using an Active Directory user account or an LDAP user account, you can select the user account.

To select a user account

  1. To do this, click next to the input field and enter the following information:

    • Table: Table in which the user accounts are mapped. This table is preselected.

      For an Active Directory user account, ADSAccount is selected. For an LDAP user account, LDAPAccount is selected.

    • Secondary authentication object: Select a user account.
  2. Click OK.

Login name

Login name of the PAM user account for secondary authentication.

Administrative entitlements for PAM user accounts

If necessary, on the Entitlements tab, enter the administrator entitlements of the user. For detailed information about administrative entitlements in One Identity Safeguard, see the One Identity Safeguard Administration Guide.

Table 25: Administrative entitlements for a user account

Administrative role

Description

Authorizer

Enables the user to grant permissions to other users.

User

Enables the user to create new users, and to approve and reset passwords for non-administrative users

Help Desk

Enables the user to create and approve passwords for non-administrative users

Appliance

Enables the user to edit, update, and configure the appliance.

Operations

Enables the user to restart the appliance and to monitor the appliance.

Auditor

Provides the user with read-only access.

Asset

Enables the user to add, edit, and delete partitions, assets, and accounts.

Directory

Enables the user to add, edit, and delete directories.

Security policy

Enables the user to add, edit, and delete entitlements and policies that control access to accounts and assets.

Personal password vault

Allows the user to add, edit, delete, share, and access a vault for personal passwords.

Assigning extended properties to PAM user accounts

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For detailed information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a user account

  1. In the Manager, select the Privileged Account Management > User accounts category.

  2. Select the user account in the result list.

  3. Select Assign extended properties.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  5. Save the changes.

Disabling PAM user accounts

The way you disable user accounts depends on how they are managed.

Scenario:

The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the PAGUser.IsDisabled column.

Scenario:

The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter

  • If the configuration parameter is set, the employee’s user accounts are disabled when the employee is permanently or temporarily disabled.

  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To disable the user account when the configuration parameter is disabled

  1. In the Manager, select the Privileged Account Management > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.
Scenario:

User accounts not linked to employees.

To disable a user account that is no longer linked to an employee

  1. In the Manager, select the Privileged Account Management > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.

For more information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级