Not really part of the story of privileged account governance, but necessary in this specific video series is to talk about accounts. It is necessary, because in Safeguard we have different account types. And unfortunately, with the Identity Manager, we get some more. And because of that, this slide exists and here is a short explanation.
First of all, in the Identity Manager, we typically talk about identities. Identities represent people, and these objects are better known as person objects in the Identity Manager, or you can see them in a front end and then they are called employees. These are not accounts of course.
These are representing humans. These are metadata. These are identity. Identities typically have assigned accounts. Accounts are something that you need to log into, what else, the target system. For example, an account in Active Directory allows you to log into Active Directory or in Azure or whatever. Accounts for LDAP systems will do the same in LDAP and for SAP in SAP.
One of these accounts or more of them could be accounts in Safeguard. Unfortunately, Safeguard accounts are not named accounts in Safeguard. They are named Safeguard user. That means a Safeguard account is a Safeguard user.
This Safeguard user is needed to log in to Safeguard, and you get your privileges so that you can do something in Safeguard. Once you are logged in to Safeguard using your Safeguard user, you can manage privileged passwords for privileged accounts.
And of course, there are two types of them. One are standard asset accounts, which are more local accounts. And it is as well possible to manage directory accounts. Unfortunately, this is how the life is. Such directory accounts for example can as well become a Safeguard user, especially because if you are an Active Directory signed in, and you want to use the same account to sign in Safeguard, this is possible.
And on the one hand side, you are signed into Safeguard with one Active Directory account and can manage some other privileged accounts as well living in the same Active Directory. And because of that, this slide is necessary so that you now know identities have accounts. Special accounts are Safeguard users, and they manage asset accounts and directory accounts, which are then more privileged accounts.
In this specific scenario, I want to use the Identity Manager to provision a Safeguard user. And to do so, I need a person that will place the order. And this specific person here is Randy Dottin. Randy Dottin is, as you can see, a person only having an Active Directory account. Here we are.
And additionally to this Active Directory account, this person wants now to get access in Safeguard as an administrator. And therefore, he wants to order an administrator account in Safeguard, which is a Safeguard user. Therefore, we need our standard web front. That is the web front the business typically uses. And we have to place in as Randy.
Here we are. I want to request two things. The first thing is the account itself, and the second thing is access to one of these Safeguard groups. I can do that just with one request. Therefore, I go into Access Lifecycle first.
Access Lifecycle, it's necessary, because I want to have access to Safeguard. As you can see there are two choices. I can have an Active Directory account in Safeguard as a user account, or I can have a local Safeguard account. I just order the local Safeguard account and add this to my cart. That's my first thing.
And secondly, I like to add to my cart another request. So I start another request here. Active Directory groups? No, I don't. I want to have PAM groups and users.
As you can see, there is a group that is named Empty Group. It's a PAM group. I want to have access to this specific group, so I check that specific group, add it to the cart as well. Now there are two entries in my shopping cart. One, it's a new Safeguard user. The second one, it's access to one of these Safeguard groups.
I have to place as well a reason why I want to have access. Need SG Admin access for business as SG admin. Here we are. I can use the same reason for both if I'm interested. So here we are. And I press Save and submit here the order. Now it's submitted.
As pretty typical for the Identity Manager as person who ordered something, I can look into my Request History. Here we are. This is what I requested. That's true. For one of these, I can look into the workflow. And the workflow lets me see that the next approvals are here. Abello and Filippi-- these two guys are the approvers for the Safeguard system.
Just for all people are interested for any target system, always target system owners are responsible out-of-the-box. So I step into my manager again. I have a look at the role level of the Identity Manager. I'm looking in One Identity Manager application roles.
There, in target system administration, here the role Privileged Account Management System, which is my Safeguard. Here are the two decision makers, and you can configure some more. These are the owner for just Safeguard at present.
So I step back into my web portal. Now I have to switch my hats. That means I just stop being Randy. I have now to begin with Audrey or being Audrey. Audrey is one of the decision makers. You can see that-- Abello Audrey.
So I just log off here and log in as Audrey. And here we are. As we easily can see, there are two pending requests right now. I jump into this. I can see the pending requests. Both are from Randy.
Yes of course. Safeguard user. Empty group access. I just checked both and say yes of course. This person is allowed to do so and save. And like Randy as well as person who is allowed to approve something, I can have in my actions a look in through the Approval History, which is like the Request History but this time for approvers.
And I can look into it. There are my both specific permissions. That means the access to an account, the access to a group as I can see. Both are assigned. I can as well select one of these, look into the workflow. You can see fully granted. This is now here-- the hint that everything should be provisioned.
Let me have a look into my specific admin data front end manager. Here I have to look into the employees, and I have to search for Randy. And there it is. Here it is.
As you can see, there is now a Safeguard account perfectly. If I step onto the Safeguard account, I can do something as a data administrator. For example, I can decide to step into that Safeguard account to set a password I already know, because we have no mail sending here.
So it's better just to set a password to something I already know. Normally it's auto-generated and then on an email basis a one time access token that's sent to the user. But this time here, I set the password now manually.
I can, as well, manipulate the permissions if I like to. For example, I can decide that this person needs a lot of more access in Safeguard-- gets full admin, for example. I can then save the whole thing.
Wonderful. Here we are. Password set now as well. And yeah, having the password, having the permissions, I can just log in into Safeguard. First try as Randy. Full, it was completely possible. I'm signed in as Randy now. Here you can see it. Perfect.
And if I look, for example, here into the configuration user and look for that Randy guy as well, then there is my Safeguard user. And this Safeguard user should now be a member of the empty group. Here we are.
The whole thing was quick and dirty. You see it is possible to the Identity Manager to request the user. Just as well as possible to request a group membership. Everything gets automatically provisioned. I can use as well the admin front end of the Identity Manager to change data if I like to. That was more permissions and the passwords, and then I'm good.