Last but not least, which functions exist in One Identity Manager if a privileged account governance module is there? First of all, we synchronize the data out of Safeguard. And with that, we can handle all this Safeguard data in the Identity Manager in case of reporting, for example, or use them in processes.
Provisioning is possible in Safeguard to admin users and Safeguard groups. This is what identity management is doing everywhere in every target system. It's managing accounts and groups. And the same thing it's then possible in Safeguard. And all of this management could then be included into these requests and approval processes, and whatever else is typical for identity management.
Additionally, [INAUDIBLE] because the Identity Manager always looks for resource owners. It is possible for resource owners, as well, to handle their resources and to assign these resource owners to specific processes.
Request passwords and check-out sessions, it's not really possible in the Identity Manager. But you can request for passwords and for sessions in the Identity Manager. And then you will get, for example, an email with a link. And this link will then lead you to a Safeguard where you can check out your password because the complete ordering process was done there.
By the way, the ordering process in the Identity Manager can replace the ordering process in Safeguard if necessary. But typically and out of the box, it includes the same process. That means there is something configured for admins in Safeguard which is then the approval process there. And this could be enriched with the approval process in the Identity Manager. And at the end, then you will have a full picture.
In the next step, we can use the data of Safeguard to include them or consider them in compliance processes. That means on the one hand side company policies, compliance rules.
On the other hand side, attestation, and re-certification, means risk management and means extensive reporting by using the Report Engine or our data reports, dashboards, heat maps, everything of that could now be used together with the Safeguard data to make them more visible for business, or for compliance officers, or something like that.
Now, let's answer some questions. My first question-- and this, I guess, is an important question: is the Identity Manager necessary to handle privileged accounts? Of course not. For privileged account handling, One Identity Safeguard is the right software to use. The Identity Manager, as we know, is the software for identity and access governance with a completely different purpose.
To get both things together, we need the PAG module. And then we can consider privileged account management data in the Identity Management-- that means in the identity and governance space.
Do One Identity Manager workflows replace Safeguard workflows? Of course not. Out of the box, any Safeguard workflow is considered in the Identity Manager workflow as well. That means there is normally, out of the box, just a product owner approval. And after that, the complete Safeguard workflow happens.
Nevertheless, in the Identity Manager there are many more capabilities in case of approval workflows. And all of them can be used just in custom workflows. That means you can use everything which is possible in the Identity Manager with approval workflows. Plus you can consider the Safeguard workflows. And with that, everyone who knows what is possible in the Identity Manager should be really happy with this solution.
Can Safeguard [INAUDIBLE] be used as provisioning engine for the Identity Manager? Of course not. Please remember what Safeguard is doing. Safeguard is handling privileged account management. That means it can just handle privileged account passwords and can handle sessions.
Provisioning is not part of Safeguard. But of course, it is part of Identity Manager. And because of that, you can use the Identity Manager to create, in Safeguard, Safeguard users and assign them to groups. And you can use the Identity Manager to create accounts and handle permissions in other target systems.
With that, for example, you can use the Identity Manager to create a privileged account somewhere in a system which later on gets handled by Safeguard.
Will Identity Manager take passwords and session tokens out of Safeguard? Independently from if this was technically possible, and I guess it is using the API, Identity Manager will not take session tokens or passwords out of Safeguard.
As you know, if you take something out of another system, you have, as well, to ensure the security. And there is no reason for Identity Manager to take this information out of Safeguard. If you use Identity Manager just to request passwords and session tokens, which is possible, then at the end of the whole process, once it is approved, there will be an email to the user. And this email will contain, out of the box, a link. And this link will then contain an access to the Safeguard, that front end.
And with that, then a password can be checked out or a session is provided. One thing left, this is the out of the box process. Whatever you build on your own on a customer basis is depending on the API. And everything is possible that the API can do for you.
Can the product owner be automatically assigned to the One Identity Manager or resource owner-application role? Out of the box, if you just install the PAG module, workflows from Safeguard get configured. The out of the box workflow looks like there is first a resource owner approval. And then there will be the Safeguard approval workflow if there is one.
Having experience, for example, with the Active Roles integration in the Identity Manager, the one or the other may now ask, is it possible to take asset owners out of Safeguard and assign them automatically to the resource owner role?
Yes, technically this is possible. Out of the box, we don't do that. And the reason for it is that from an identity management perspective, a business-driven resource owner is normally something completely different to a technical-driven asset owner. That means the asset owner is more of an admin, and the resource owner is more a business person.
However, we don't do that out of the box. Again, but if you like to do it, no problem at all. The data is already there. You can automate that just by a little bit of customization.