Activating the Privileged Account Management Module
To activate the PAM module:
- Log on to IdentityIQ as an administrator.
- Click gear > Global Settings and select Import from File.
- Click Browse and browse to the following directory: IdentityIQ_home\WEB-INF\config, where IdentityIQ_home is the directory in which you extracted the IdentityIQ.war file during the IdentityIQ installation procedure.
- Select the init-pam.xml file and click Import.
- When the import is complete, click Done.
The PAM features are now active inside of the IdentityIQ product.
Components Installed with the PAM Module
The installed PAM components include:
PAM Approval Subprocess
Approval subprocess for PAM requests. This generates approvals based on the approvalScheme, audits the approval decisions, and returns the approved status.
PAM Identity Provisioning
The business process that handles provisioning of identities for PAM.
PAM Identity Provisioning Notify
This subprocess handles notification from the PAM provisioning workflows.
PAM Initialize
This subprocess initializes the various objects necessary when executing the PAM workflow. This creates the ProvisioningProject and IdentityRequest.
PAM Request Finalize
This subprocess handles the final step from the PAM business processes.
PAM Approval
Notifies approvers when they need to approve a request that changes a user's permissions on a PAM container.
PAM Manager Notification
Notifies managers when an employee's access to PAM containers is modified.
PAM Requester Notification
Notifies requesters when their requests for PAM access modification are completed.
PAM User Notification
Notifies users when they are given access to, or removed from, a PAM container.
PAM Administrator
Gives users full access to all PAM module functionality; this capability is assigned by default to members of the PAMAdministrator Dynamic Scope/Quicklink Population, and can also be assigned directly to individual users.
PAM Viewer
Gives read-only access to PAM features and information.
PAMAdministrator
Lets associated users see and use the Quicklink that grants access to PAM functionality.
Privileged Account Management
The Quicklink menu item available by default to members of the PAMAdministrator Dynamic Scope. This Quicklink appears in the main menu under Manage Access > Privileged Account Management. In the Debug pages, this Quicklink object is named View PAM Container List.
Approve PAM Request / Reject PAM Request
You can select these in the gear menu > Global Settings > Audit Configuration page if you want to audit PAM-related events.
PAM Group Refresh
This rule makes external groups non-requestable. You might want to make external groups non-requestable if, for example, your organization's process is for group membership to be requested through an external application such as Active Directory, which is a common use case.
Map Demodata PAM Application Names
A sample rule included in the examplerules.xml file in the [installdir]\WEB-INF\config directory. PAM solutions have the concept of "external" users and groups: accounts and groups that are defined in an external system such as Active Directory, and are used within the PAM system to control access. When these objects are aggregated from the PAM system, they include a source attribute for the name of the external system from which they came (the name used by the PAM system). When stored as Links and ManagedAttributes, these names need to match the Application name. This rule maps the name as known on the external system to a name that can be used locally.
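The following is an added illustration of the logic the two rules above describe (mapping a PAM-reported source name to the local Application name, and making external groups non-requestable). It is not the IdentityIQ rule code and does not use the IdentityIQ API; the object shape, the SOURCE_TO_APPLICATION table and the sample records are assumptions constructed for this example. It also shows the failure case a practitioner cares about: a source name with no mapping would produce Links and ManagedAttributes that never correlate to an Application, so such objects are reported rather than silently stored.

```python
"""Constructed model of the PAM name-mapping and group-refresh logic.
Not IdentityIQ rule code; every name and record here is an assumption."""

from dataclasses import dataclass
from typing import Optional

# Hypothetical mapping from the external-system name as the PAM system reports
# it (the aggregated "source" attribute) to the IdentityIQ Application name.
SOURCE_TO_APPLICATION = {
    "corp.example.com": "Active Directory",
    "ldap-prod": "Corporate LDAP",
}


@dataclass
class PamObject:
    """One aggregated PAM user or group (constructed record shape)."""
    name: str
    kind: str                       # "user" or "group"
    source: Optional[str]           # external system name; None = defined in the PAM system itself
    application: Optional[str] = None
    requestable: bool = True


def map_application_name(source: Optional[str]) -> Optional[str]:
    """Return the local Application name for an external source.
    A PAM-local object has no source and needs no mapping; an unmapped
    external source is an error, not something to store as-is."""
    if source is None:
        return None
    if source not in SOURCE_TO_APPLICATION:
        raise KeyError(f"no Application mapping for PAM source '{source}'")
    return SOURCE_TO_APPLICATION[source]


def refresh(obj: PamObject) -> PamObject:
    """Apply both rules to one object: map the external name, and mark
    external groups non-requestable so membership is requested through
    the owning system (e.g. Active Directory) instead of through PAM."""
    obj.application = map_application_name(obj.source)
    if obj.kind == "group" and obj.source is not None:
        obj.requestable = False
    return obj


def refresh_all(objects):
    """Refresh every object; collect the unmapped ones for review instead
    of aborting the whole aggregation run."""
    mapped, unmapped = [], []
    for obj in objects:
        try:
            mapped.append(refresh(obj))
        except KeyError:
            unmapped.append(obj)
    return mapped, unmapped


# Constructed sample aggregation result.
SAMPLE = [
    PamObject("jdoe", "user", "corp.example.com"),
    PamObject("Safe-Admins", "group", "corp.example.com"),
    PamObject("local-vault-ops", "group", None),
    PamObject("Ops", "group", "unknown-dc"),
]

if __name__ == "__main__":
    mapped, unmapped = refresh_all(SAMPLE)
    for obj in mapped:
        state = "requestable" if obj.requestable else "non-requestable"
        print(f"{obj.kind:5} {obj.name:16} -> {obj.application!s:18} {state}")
    for obj in unmapped:
        print(f"UNMAPPED source '{obj.source}' on {obj.kind} {obj.name}; add it to the mapping table")
```

Running the block prints the three mapped objects (the AD-sourced group ends up non-requestable, the PAM-local group stays requestable) and reports the object whose source has no mapping.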
Privileged Account Management application (connector) type
Aggregates users, groups, and containers into IdentityIQ.
Privileged Account Management collector type
Reads in permissions users have on containers, and can write permissions back to the target system.
PAM Module Solution Provider's supported features
This section gives an overview of the configuration and supported features for CyberArk Shared Services. When the PAM module is configured with CyberArk Shared Services, it supports the features listed below.
Prerequisites
For installing and setting up CyberArk Shared Services, refer to the CyberArk Shared Services guide for configuring the Identity SCIM Server: https://docs.cyberark.com/Idaptive/Latest/en/Content/Integrations/CyberArk-SCIM-PCloud.htm
Administrator Permissions:
For information on administrator permissions, refer to the guide: https://docs.cyberark.com/Idaptive/Latest/en/Content/Developer/scim-management/scim-server-configuration.htm
CyberArk Shared Services configured with the PAM module supports these features:
- Create Users (Local Users)
- Add/Remove Users to Groups
- Delete Users
- Enable/Disable Users
- Create Safes/Containers
- Add Users to Safes and assign Safes Permissions
- Modify Safes Permissions assigned to Users
- Remove Safes Permissions assigned to Users
- Aggregate Privilege Data assigned to Containers
- Delete Safes
Known Issues/Features Not Applicable:
- For any modify operation on any endpoint, the connectors use the PUT method, because CyberArk Shared Services supports only the PUT method.
- All use cases that relate to the Privileged Data Permissions endpoint are not applicable, because CyberArk Shared Services does not support this endpoint.