Adding and Removing Identities in a PAM Container

System administrators, and other users with the PAM Administrator capability, can manually add or remove identities in a PAM container.

Some global settings for PAM determine whether this option is available and how it works. See PAM Global Configuration Settings for more information on these configuration options.

  • The option to add or remove identities in a PAM containers must be enabled globally. To enable this option, navigate to the gear menu > Global Settings > IdentityIQ Configuration > Privileged Account Management tab, and select the Enable adding and removing identities in PAM containers option.

  • The approval path for additions or deletions of identities in a PAM container is determined by the business process selected for The workflow used to provision identities.

To add or remove identities in a PAM container:

  1. In the Quicklink menu, click Manage Access > Privileged Account Management.

  2. Click View Details for the container whose items you want to modify.

  3. Click Add Identities. Note that you can only add or remove an identity from the Direct Access list; the Effective Access list is view-only.

  4. Choose the identities to add. Note that you can only select identities that have an account on the PAM application associated with this container.

    Note: You can use the Manage Access feature in Lifecycle Manager to request that an account be added for a user on the PAM application, if one does not exist. See Requesting Access for more information.

  5. Click Next.

  6. Select permissions for these users on this container. You may be prompted to select an account, if the user has more than one account on the application.

  7. Click Submit to begin the approval/provisioning process.

  8. To remove identities, click the Remove button beside the identity, and confirm the deletion. You select multiple identities and click Bulk Remove to remove multiple identities at once.

Note: Any approvals that are required by the business process for identity provisioning in PAM must be completed, as part of the addition or removal process.

For details about approval paths and notifications for changes to PAM containers, see Approvals for Changes to PAM Containers and Notifications About Changes to PAM Containers.