Activating the Privileged Account Management Module
To activate the PAM module:
- Log on to IdentityIQ as an administrator.
- Click gear > Global Settings and select Import from File.
- Click Browse and browse to the following directory: IdentityIQ_home\WEB-INF\config, where IdentityIQ_home is the directory in which you extracted the IdentityIQ.war file during the IdentityIQ installation procedure.
- Select the init-pam.xml file and click Import.
- When the import is complete, click Done.
The PAM features are now active inside of the IdentityIQ product.
Components Installed with the PAM Module
The installed PAM components include:

PAM Approval Subprocess
Approval sub-process for PAM requests. This generates approvals based on the approvalScheme, audits the approval decisions, and returns the approved status.
PAM Identity Provisioning
The business process that handles provisioning of identities for PAM.
PAM Identity Provisioning Notify
This subprocess handles notification from the PAM provisioning workflows.
PAM Initialize
This subprocess initializes the various objects necessary when executing the PAM workflow. This creates the ProvisioningProject and IdentityRequest.
PAM Request Finalize
This subprocess handles the final step from the PAM business processes.

PAM Approval
Notifies approvers when they need to approve a request that changes a user's permissions on a PAM container.
PAM Manager Notification
Notifies managers when an employee's access to PAM containers is modified.
PAM Requester Notification
Notifies requesters when their requests for PAM access modification are completed.
PAM User Notification
Notifies users when they are given access to or removed from a PAM container.

PAM Administrator
Gives users full access to all PAM module functionality; this capability is assigned by default to members of the PAMAdministrator Dynamic Scope/Quicklink Population, and can also be assigned directly to individual users.
PAM Viewer
Gives read-only access to PAM features and information.

PAMAdministrator
Lets associated users see and use the Quicklink that grants access to PAM functionality.

Privileged Account Management
The Quicklink menu item available by default to members of the PAMAdministrator Dynamic Scope. This Quicklink appears in the main menu under Manage Access > Privileged Account Management. In the Debug pages, this Quicklink object is named View PAM Container List.

Approve PAM Request / Reject PAM Request
You can select these in the gear menu > Global Settings > Audit Configuration page if you want to audit PAM-related events.

PAM Group Refresh
This rule makes external groups non-requestable. You might want to make external groups non-requestable if, for example, your organization's process is for group membership to be requestable through an external application such as Active Directory, which is a common use case.
Map Demodata PAM Application Names
A sample rule included in the examplerules.xml file in the [installdir]\WEB-INF\config directory. PAM solutions have the concept of "external" users and groups: accounts and groups that are defined in an external system such as Active Directory, and are used within the PAM system to control access. When these objects are aggregated from the PAM system, they include a source attribute for the name of the external system from which they came (the name used by the PAM system). When stored as Links and ManagedAttributes, these names need to match the Application name. This rule maps the name as known on the external system to a name that can be used locally.

Privileged Account Management application (connector) type
Aggregates users, groups, and containers into IdentityIQ.
Privileged Account Management collector type
Reads in permissions users have on containers, and can write permissions back to the target system.