Approvals for Changes to PAM Containers

Changes to PAM containers follow an approval path that is defined by a business process. The approval process varies depending on what is being changed in the PAM container: identities or items.

Approvals for Changes to Identities in a PAM Container

The business process for managing PAM container approvals is set in gear > Global Settings > IdentityIQ Configuration on the Privileged Account Management tab. By default, IdentityIQ uses the out-of-the-box PAM Identity Provisioning business process for these approvals.

The PAM Identity Provisioning business process routes approvals for changes to identities in a PAM container to the identity's manager. This behavior can be changed by modifying the approvalScheme variable in the business process.

The business process can specify a single value for the approver, or can specify several values in a comma-separated list. If multiple values are provided, the order in which they are listed in the comma-separated list determines the order in which they are processed.

Approver options include:

  • Manager – the identity's manager gets the approval item.

  • None – approvals are disabled.

  • Identity – the identities/workgroups in the variable approvingIdentities get the approval item.

  • Owner – the owner of the container gets the approval item. If the container has no owner, then the application owner gets the approval item.

Electronic Signatures

The PAM Identity Provisioning business process supports the use of electronic signatures for approvals. Use these process variables in the business process to specify electronic signature objects, as needed:

  • managerElectronicSignature

  • identityElectronicSignature

  • ownerElectronicSignature

Approvals for Changes to Items in a PAM Container

Approvals for changes to the items in a PAM container are managed by the Entitlement Update business process. If an owner is defined for a PAM container, by default approvals for changes to the items in that container go to the container's owner. If no owner is defined for a container, approvals go to the owner of the application associated with the container.

Container owners can be aggregated from the PAM application and can also be manually added to a container through the Entitlement Catalog.

For more information about the Entitlement Catalog, see Entitlement Catalog.

For more information about configuring the PAM application, see Configuring a PAM Application. For more information on aggregating PAM data, see Privileged Account Management Tasks: Aggregation, Indexing, and Refresh.

Fallback Approvers for Changes to a PAM Container

You can also set a fallback approver for both the PAM Identity Provisioning business process and the Entitlement Update business process. A fallback approver is an identity or workgroup that handles approvals in cases where the designated approver cannot be resolved. For example, if the business process specifies "manager" as the approver, but an identity does not have an assigned manager, a fallback approver (if one has been set) will handle approvals for that identity.
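The following is an added example, not IdentityIQ product code: a small model of how the approver options above are resolved in the order given by a comma-separated approvalScheme, how "owner" falls back to the application owner, and how the fallback approver steps in when an option (such as "manager" for an identity without a manager) cannot be resolved. The identity records, container fields and the rule that "none" anywhere in the list disables approvals are constructed assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): identities with an optional manager.
IDENTITIES = {
    "alice": {"manager": "bob"},
    "carol": {"manager": None},   # no manager assigned -> needs fallback
}


@dataclass
class Container:
    """A PAM container with an optional owner and the owner of its application."""
    name: str
    owner: Optional[str]
    application_owner: str


def resolve_approvers(scheme, identity, container,
                      approving_identities=(), fallback_approver=None):
    """Return the ordered approver list for a change, or [] if approvals are disabled.

    Each comma-separated value in `scheme` is processed in the order listed.
    A value that resolves to nobody falls back to `fallback_approver` when set.
    """
    approvers = []
    options = [s.strip().lower() for s in scheme.split(",") if s.strip()]
    for option in options:
        if option == "none":
            return []  # approvals disabled (model assumption: wins over other options)
        if option == "manager":
            resolved = [IDENTITIES.get(identity, {}).get("manager")]
        elif option == "identity":
            resolved = list(approving_identities)  # from approvingIdentities
        elif option == "owner":
            # container owner first; application owner if the container has none
            resolved = [container.owner or container.application_owner]
        else:
            raise ValueError(f"unknown approver option: {option!r}")
        resolved = [r for r in resolved if r]
        if not resolved and fallback_approver:
            resolved = [fallback_approver]
        approvers.extend(resolved)
    return approvers
```

Checking the scheme against an identity that has no manager and no fallback configured returns an empty list, which is the gap a fallback approver is meant to close.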