Configuring a PAM Application

The PAM module includes a PAM-specific application (connector) type: Privileged Account Management. To use the PAM feature, configure a PAM application to connect to each of your PAM vendor systems.

Applications should be configured to include both a connector and a target collector.

  • The connector aggregates users, groups, and containers into IdentityIQ.

  • The target collector reads in permissions users have on containers, and can write permissions back to the target system.

Important: The PAM connector type is based on IdentityIQ's SCIM 2.0 connector, with special schemas, object types, and policies. The SCIM 2.0 Connector documentation, which is available in the SailPoint documentation portal, gives detailed information about all the configuration parameters in this application definition. The information below provides some essential and PAM-specific information about configuring PAM applications.

To configure a PAM application:

  1. Click Applications > Application Definition > Add New Application.

  2. Enter a Name and Owner for the PAM application.

  3. For Application Type, choose Privileged Account Management.

  4. On the Configuration tab, click Settings to enter connection information. Note the following:

    • The Base URL is the URL to the PAM vendor's SCIM server.

    • The PAM connector type supports several methods for authentication. These are discussed in detail in Configuring Authentication for the PAM Application.

    • Note: For Thycotic implementations, it is not recommended that you select the Explicit Attribute Request setting, as this may cause issues when aggregating.

  5. Also on the Settings tab, add Permissions; these are the container permissions that will display for the PAM container in the PAM UI. The permissions you enter here should correspond to the permissions used by the vendor's PAM application, and will vary depending on vendor. To add a permission, type the permission name in the Permissions field and click the plus icon to add it.

  6. On the Provisioning Policies tab, edit the out-of-the-box policies for creating accounts and creating containers as needed. These policies determine which fields are presented to users when adding accounts or containers, and can also determine how container information is displayed in the Entitlement Catalog.

  7. Set up an Unstructured Target Collector for the application. This will aggregate permissions users and groups have on containers.

    1. Click the Unstructured Targets tab.

    2. Click Add New Unstructured Data Source.

    3. An Add or Create dialog appears. Click Create TargetSource.

    4. Enter a Name (required) and Description (optional).

    5. Choose or create a Correlation Rule for correlating the data. You can use the PAM Access Mapping Correlation Rule which is provided out of the box, or create your own rule.

    6. For Target Source Type, choose Privileged Account Management Collector.

    7. A new set of SCIM Settings fields is displayed. For the Base URL, enter the URL to the PAM vendor's SCIM server. For details on authentication settings, see Configuring Authentication for the PAM Application. For other fields, refer to the SCIM 2.0 Connector documentation.

    8. Save the data source.

  8. Optional: On the Rules tab, choose rules for managing your PAM application:

    • You can create a Customization Rule on the application to map external application names to internal IdentityIQ application names, and/or external users to IdentityIQ identities.

    • You can use the PAM Group Refresh rule (included with the PAM module) to make external groups non-requestable. You might want to make external groups non-requestable if, for example, your organization's process is for group membership to be requestable through an external application such as Active Directory; this is a common use case.

  9. Save the Application definition.
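
An added example, not part of the SailPoint documentation: a Python pre-flight check for the two Base URL values entered in steps 4 and 7, plus the authentication schemes the SCIM server advertises. The host names, function names and the sample ServiceProviderConfig document (the SCIM 2.0 discovery resource defined in RFC 7643) are constructed, and it is an assumption that the PAM vendor's SCIM server exposes that resource.

```python
import json
from urllib.parse import urlsplit

SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"

# Constructed sample of a SCIM 2.0 ServiceProviderConfig response body.
SAMPLE_SPC = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "authenticationSchemes": [
    {"type": "oauthbearertoken", "name": "OAuth Bearer Token"},
    {"type": "httpbasic", "name": "HTTP Basic"}
  ]
}
""")

def check_base_url(url):
    """Return a list of problems found in one SCIM Base URL value."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https: credentials or tokens would be sent in clear text")
    if not parts.hostname:
        problems.append("no host in URL")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL; use the authentication settings")
    if parts.query or parts.fragment:
        problems.append("query string or fragment in a base URL")
    return problems

def preflight(connector_url, collector_url, spc):
    """Check the connector and target collector Base URLs and the server's auth schemes."""
    other = []
    # Steps 4 and 7 both ask for the URL of the PAM vendor's SCIM server.
    if connector_url.rstrip("/") != collector_url.rstrip("/"):
        other.append("connector and target collector use different Base URLs")
    if SPC_SCHEMA not in spc.get("schemas", []):
        other.append("document is not a SCIM 2.0 ServiceProviderConfig")
    return {
        "connector": check_base_url(connector_url),
        "collector": check_base_url(collector_url),
        "other": other,
        "auth_schemes": [s["type"] for s in spc.get("authenticationSchemes", [])],
    }

if __name__ == "__main__":
    url = "https://pam.example.test/scim/v2"  # constructed host
    print(json.dumps(preflight(url, url + "/", SAMPLE_SPC), indent=2))
```

Compare the reported auth_schemes with the method you select under Configuring Authentication for the PAM Application before saving the application definition.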