
About Privileged Account Management

Privileged Account Management (PAM) refers to managing access to privileged or high-level accounts such as domain administrator accounts, root accounts, or superuser accounts, as well as to critical or sensitive accounts and systems. These privileges are often associated with IT accounts, such as root access to a Unix system or the ability to add or delete email accounts on a Microsoft Exchange application. They can also apply to access to sensitive accounts such as a company's social media, or sensitive assets such as a financial database or list of credit card numbers or security certificates.

By controlling access to privileged accounts, PAM solutions provide a way to protect organizations from accidental or deliberate misuse of privileged access. There are numerous PAM solution providers in the market, such as Thycotic, Lieberman, CyberArk, and BeyondTrust. The details of how access to privileged accounts is managed vary by solution provider, and might mean different things to different companies. Automatic rotation of credentials, time-boxing user access, making passwords invisible to end users, and tracking and auditing actions can all be parts of a PAM solution.

Think of PAM solutions as a library, but instead of books, the library holds privileged accounts. To check a book out of the library you need a library card, but for PAM, you need some kind of credential or authorization to access what is in the library, or vault. ("Vault" is a common term for the logical container of assets protected by PAM.) However, unlike a library card, which gives you access to every book in a library, with PAM your credential might only give you access to a limited set of specific PAM vaults, and not every vault that is managed by the PAM solution.

PAM Terminology

Although specific terms for common PAM concepts vary from vendor to vendor, in general these are the terms you will encounter when working with PAM solutions:

  • Vault or safe: a logical container or folder that contains privileged accounts and passwords. A safe or vault is a container in which you store privileged access, for example, a container for all your company’s Windows administrator accounts, or a container for all Unix root accounts. In IdentityIQ, these are called containers.

  • Privileged Item: a piece of privileged data that is managed by the PAM solution, such as an account, credential, file, or key. The types and names of privileged data vary by PAM vendor.

Additional Resources

Privileged Access Management Best Practices

Privileged Access Management Use Cases

Privileged Account Management in IdentityIQ

Note

You must have the SailPoint™ Lifecycle Manager installed to use the Privileged Account Management Module effectively.

The SailPoint IdentityIQ Privileged Account Management (PAM) Module extends identity governance processes and controls to highly privileged access, enabling you to centrally manage access to privileged and non-privileged accounts. It gives you a complete and centralized view of your PAM containers, including which individuals and groups have access to each container, and what privileged items each container holds. It also automates governance controls, enabling you to securely manage access to PAM containers.

IdentityIQ is not a PAM solution per se and does not provide the same features a PAM solution does; rather, the IdentityIQ PAM module integrates with market-leading PAM solution providers (such as Thycotic, Lieberman, CyberArk, and BeyondTrust) to provide governance features that the PAM solutions themselves do not offer. The native PAM solution determines what is in a container, while the IdentityIQ PAM module governs who has access to a container and what permissions they have in it.

The SailPoint IdentityIQ Privileged Account Management Module gives you:

Complete visibility and governance over privileged accounts

By extending identity governance to privileged accounts, enterprises get a 360-degree view over all access, especially high-risk identities with privileged access.

Simplified and centralized administration

With the Privileged Account Management Module, IdentityIQ can serve as a central platform to govern access to both privileged and non-privileged accounts according to established policies. This prevents overprovisioning and limits the risk of providing access to highly privileged accounts to unauthorized users. It also speeds the delivery of privileged access based on user role or lifecycle event changes.
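The following is an added example, not SailPoint code and not the IdentityIQ PAM module's own API: a small Python model of the governance split described above, in which the PAM owns what a container holds while the governance layer decides who may reach it and with which permission. It checks each identity's actual container grants against a role-based policy and flags over-provisioning, including access left behind after a lifecycle event such as a leaver. The permission names, roles, policy, containers and identities are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Permission levels in ascending order of sensitivity. The names are
# constructed for this example; real PAM vendors use their own vocabulary.
PERMISSIONS = ("view", "retrieve", "manage")


@dataclass(frozen=True)
class Container:
    """A vault/safe as the PAM solution reports it: the PAM owns its contents."""
    name: str
    items: frozenset  # privileged items (accounts, keys, ...) stored in it


@dataclass
class Identity:
    """An identity as the governance layer sees it: roles, status, and the
    container permissions actually granted to it in the PAM."""
    name: str
    roles: set
    active: bool = True
    grants: dict = field(default_factory=dict)  # container name -> permission


# Governance policy (constructed): the permission each role justifies on
# each container. Anything beyond this is over-provisioning.
POLICY = {
    "unix-admin": {"Unix root accounts": "retrieve"},
    "windows-admin": {"Windows administrator accounts": "retrieve"},
    "pam-operator": {
        "Unix root accounts": "manage",
        "Windows administrator accounts": "manage",
    },
}


def _rank(permission):
    return PERMISSIONS.index(permission)


def entitled_permissions(identity):
    """Highest permission the identity's roles justify, per container.
    An inactive identity (a leaver, in lifecycle terms) is entitled to nothing."""
    if not identity.active:
        return {}
    entitled = {}
    for role in identity.roles:
        for container, perm in POLICY.get(role, {}).items():
            if container not in entitled or _rank(perm) > _rank(entitled[container]):
                entitled[container] = perm
    return entitled


def find_overprovisioning(identity):
    """Grants in the PAM that the identity's roles (or status) do not justify.
    Returns (container, granted permission, reason) tuples."""
    entitled = entitled_permissions(identity)
    findings = []
    for container, perm in sorted(identity.grants.items()):
        allowed = entitled.get(container)
        if allowed is None:
            reason = "identity is inactive" if not identity.active else "no role grants access"
            findings.append((container, perm, reason))
        elif _rank(perm) > _rank(allowed):
            findings.append((container, perm, f"roles justify only '{allowed}'"))
    return findings


def container_access_report(containers, identities):
    """Per container: what it holds (from the PAM) and who can reach it (governance view)."""
    return {
        c.name: {
            "items": sorted(c.items),
            "access": {i.name: i.grants[c.name] for i in identities if c.name in i.grants},
        }
        for c in containers
    }


# Constructed sample data standing in for what an integration would read back.
CONTAINERS = [
    Container("Unix root accounts", frozenset({"root@db01", "root@app01"})),
    Container("Windows administrator accounts", frozenset({"Administrator@DC01"})),
]

IDENTITIES = [
    # Justified access only.
    Identity("alice", {"unix-admin"}, grants={"Unix root accounts": "retrieve"}),
    # Holds a higher permission than the role justifies.
    Identity("bob", {"windows-admin"}, grants={"Windows administrator accounts": "manage"}),
    # Left the company (lifecycle event) but still has a grant in the PAM.
    Identity("carol", {"unix-admin"}, active=False, grants={"Unix root accounts": "retrieve"}),
    # Access to a container that none of her roles covers.
    Identity("dana", {"windows-admin"},
             grants={"Windows administrator accounts": "view", "Unix root accounts": "view"}),
]


def audit(identities=IDENTITIES):
    """Map identity name -> over-provisioning findings; an empty list means clean."""
    return {i.name: find_overprovisioning(i) for i in identities}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings or "OK")
    print(container_access_report(CONTAINERS, IDENTITIES))
```

Running the block reports bob (permission above what his role justifies), carol (an inactive identity that still holds a grant) and dana (a container no role of hers covers), while alice is clean; the report function gives the per-container view of contents and access that the visibility section above describes.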

Integration with multiple 3rd-party PAM solutions at once

The IdentityIQ Privileged Account Management Module enables you to deploy multiple instances and integrate with multiple PAM vendors at the same time. The IdentityIQ Privileged Account Management Module provides an open, standards-based integration framework (SCIM) that supports any third-party solution.