
Identity Manager 9.2 - Web Portal User Guide


Requesting privileged access

You can use the Privileged access requests service category to request privileged access to high-security systems (Privileged Account Management systems).

TIP: For more information on the topic of Privileged Account Management, see the One Identity Manager Administration Guide for Privileged Account Governance.

To request privileged access

  1. In the menu bar, click Requests > New request.

  2. On the New Request page, in the Service Categories pane, click the Privileged Access Requests service category.

  3. Select how you want to access the system by selecting the check box in front of the corresponding option:

    • Password release request: Request a temporary password.

    • Remote desktop session request: Request temporary access through a remote desktop connection.

    • SSH key request: Request a temporarily valid SSH key.

    • SSH session request: Request temporary access through an SSH session.

    • Telnet session requests: Request temporary access using a Telnet session.

  4. Click Add to cart.

  5. In the Request Details pane, expand the selected product.

  6. In the PAM user account menu, select the PAM user account that you want to use for PAM access.

  7. Depending on the type of access you have selected, perform one of the following actions:

    • Password request or SSH key request:

      1. In the System to access field, click Select.

      2. In the Edit Property pane, select whether you want to request access for a PAM asset or a PAM directory.

      3. Next to the corresponding PAM directory or PAM asset, click Select.

    • Remote desktop session request, SSH session request, or Telnet session request: In the System to access field, select the corresponding PAM asset.

  8. Perform the following actions:

    1. In the Account to access field, click Select.

    2. In the Edit Property pane, select whether you want to request access for a PAM asset account or a PAM directory account.

    3. Next to the corresponding PAM asset account or PAM directory account, click Select.

  9. (Optional) In the Comment field, enter a comment, for example, to justify why you are requesting this access.

  10. In the Valid from field, specify the time from which you want the access to be valid or clear the check box so that access is valid from the time of this request.

  11. In Checkout duration, enter the number of minutes for which the access is valid.

    NOTE: The duration is counted from the time entered in the Valid from field. For example, if you have specified that the access is valid from 12 noon tomorrow and should be valid for 60 minutes, then the validity period will expire at 1 pm tomorrow.

  12. Click Apply.

  13. (Optional) Repeat the steps for all other users and access types.

  14. Click Submit.

  15. Click Go to cart.

  16. On the Shopping Cart page, click Submit.

    TIP: You can also add more products to your shopping cart and configure various settings. For more information, see Managing products in the shopping cart.

    Once the request has been approved, a button appears in the request details pane of the request history (see Displaying request history). Use this button to log in to the Privileged Account Management system and obtain the login credentials.


Requests for Active Directory groups

To manage Active Directory groups, you can make different requests.


Requesting new Active Directory groups

To create a new Active Directory group, you must request either the Create an Active Directory security group product or the Create an Active Directory distribution group product.

To request a new Active Directory group

  1. In the menu bar, click Requests > New request.

  2. On the New Request page, in the Service Categories pane, click the Active Directory groups service category.

  3. Perform one of the following actions:

    • To request a new Active Directory security group, select the check box next to New Active Directory security group.

    • To request a new Active Directory distribution group, select the check box next to New Active Directory distribution group.

  4. Click Add to cart.

  5. In the Request Details pane, perform one of the following actions:

    • As a requester without responsibility for the target system, enter a name for the new group in the Suggested name field.

    • As the target system manager, provide additional details about the new group:

      • Name: Enter a name for the group.

      • Group scope: Select the scope that specifies the range of the group's usage within the domain or forest. The group's scope specifies where the group is allowed to issue permissions. You can select one of the following group scopes:

        • Global group: Global groups can be used to provide cross-domain authorizations. Members of a global group can only be user accounts, computers, and groups belonging to the global group’s domain.

        • Local: Local groups are used when authorizations are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

        • Universal: Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts and groups from all domains in one domain structure.

      • Container: Click Select and select a container for the group.

  6. Click Apply.

  7. Click Submit.

    TIP: You can also add more products to your shopping cart and configure various settings. For more information, see Managing products in the shopping cart.

  8. Click Go to cart.

  9. On the Shopping Cart page, click Submit.


Requesting changes to Active Directory groups

To change the type or scope of Active Directory groups, you must request the Change an Active Directory group product.

To change an Active Directory group

  1. In the menu bar, click Requests > New request.

  2. On the New Request page, in the Service Categories pane, click the Active Directory groups service category.

  3. Select the check box next to Modify Active Directory group.

  4. Click Add to cart.

  5. In the Request Details pane, in the Active Directory group menu, select the Active Directory group that you want to change.

  6. (Optional) In the Group scope menu, select the scope that specifies the range of the group's usage within the domain or forest. The group's scope specifies where the group is allowed to issue permissions. You can select one of the following group scopes:

    • Global group: Global groups can be used to provide cross-domain authorizations. Members of a global group can only be user accounts, computers, and groups belonging to the global group’s domain.

    • Local: Local groups are used when authorizations are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

    • Universal: Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts and groups from all domains in one domain structure.

  7. (Optional) In the Type menu, select the type of Active Directory group (security or distribution group).

  8. Click Apply.

  9. Click Submit.

    TIP: You can also add more products to your shopping cart and configure various settings. For more information, see Managing products in the shopping cart.

  10. Click Go to cart.

  11. On the Shopping Cart page, click Submit.
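
Active Directory can reject the scope change selected in step 6 when the group's existing memberships conflict with the new scope. The following added example (not part of the One Identity documentation or product) derives the blockers from the standard AD nesting rules, which are more detailed than the three scope descriptions in this guide; the class, function names, domains, and sample groups are hypothetical.

```python
# Added example, not One Identity code. All sample principals are constructed.
from dataclasses import dataclass, field

GLOBAL, LOCAL, UNIVERSAL = "Global", "DomainLocal", "Universal"


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = ""                                # "" for user/computer accounts
    members: list = field(default_factory=list)    # principals nested in this group
    member_of: list = field(default_factory=list)  # groups this principal belongs to


def can_contain(parent_scope, parent_domain, child):
    """AD nesting rule: may a group of parent_scope hold child as a member?"""
    same_domain = child.domain == parent_domain
    if parent_scope == GLOBAL:      # accounts and global groups, own domain only
        return same_domain and child.scope in ("", GLOBAL)
    if parent_scope == UNIVERSAL:   # accounts, global and universal groups, any domain
        return child.scope in ("", GLOBAL, UNIVERSAL)
    # Domain local: members from any domain, but domain local groups only from its own
    return child.scope != LOCAL or same_domain


def scope_change_blockers(group, new_scope):
    """List the reasons a scope change would be rejected; an empty list means OK."""
    if {group.scope, new_scope} == {GLOBAL, LOCAL}:
        return ["no direct Global <-> DomainLocal change; convert to Universal first"]
    changed = Principal(group.name, group.domain, new_scope)
    blockers = [f"member {m.name} not allowed in a {new_scope} group"
                for m in group.members
                if not can_contain(new_scope, group.domain, m)]
    blockers += [f"parent {p.name} ({p.scope}) cannot hold a {new_scope} group"
                 for p in group.member_of
                 if not can_contain(p.scope, p.domain, changed)]
    return blockers


# Constructed sample data: two domains in one forest
alice = Principal("alice", "emea.example.test")
g_parent = Principal("G-AllStaff", "corp.example.test", GLOBAL)
g_helpdesk = Principal("G-Helpdesk", "corp.example.test", GLOBAL, member_of=[g_parent])
u_admins = Principal("U-Admins", "corp.example.test", UNIVERSAL, members=[alice])

if __name__ == "__main__":
    for grp, target in [(g_helpdesk, UNIVERSAL), (u_admins, GLOBAL), (u_admins, LOCAL)]:
        print(grp.name, "->", target, scope_change_blockers(grp, target) or "OK")
```

Running the same check before submitting a Modify Active Directory group request shows which memberships have to be cleaned up first.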
