[MUSIC PLAYING] One of the main reasons why we have developed the Privileged Account Governance module is that we can include all of this data in all of these compliance processes an identity and access governance system or an identity and access governance approach needs. This is, by the way, as well, the reason why the module-- it's named Privileged Account Governance. It is the governance part. And this is what we are talking about right now.
Therefore, I like to start with policies. We see the manager, our main data administration front. And I just select Company Policies. And if I then just expand here the Policy tab, then you can see here policies.
If I click the Enabled Policies, you will see in this specific system, and this is a test system just for the Privileged Account Governance module, there are more or less mainly privileged account management policies active. And this is because somebody was just customizing the system a little bit in a way that he was enabling these specific policies.
That means, typically, if you install that module from scratch, the policies are disabled, like this specific policy here in the Disabled folder. They are all there. And you have to activate them manually. This is because the system should only calculate things if an administrator-- that means you-- has decided to do so.
This is our policy, "All PAM asset accounts have an owner assigned." This is not activated right now. So I just selected the policy. As the name says, it is there to ensure that every account-- that means every asset account-- is equipped with an owner. It's a typical identity and access management policy.
Here, we ensure that owners are responsible for, for example, functional accounts. And it's disabled, like from scratch. And what I like to do now is to enable that working copy. And to do so, the only thing I have to do is I have to click on Enabled. Now it's enabled. And then this policy should move here to the Enabled Policies.
So we are here. Here is now the policy enabled. My system starts calculating, which is standard if I enable a policy. And seconds after, I should then see maybe a violation. And here we are. As you can see, there is just one of these accounts, these added accounts, without an owner.
Let's figure it out. I just jump into it. Now we are looking at a functional account, like the administrator account is. I just jump to that specific object. I open that specific object. It's a PAM user. We can see that here. I open the object. And as you can see, there is no owner configured. So we have here a problem.
What we should know here and what we should see here is all of these policies just in this block are PAM-related. We see, as well, all of them are shipped with the Identity Manager Privileged Account Governance module. You can create many more if you like to. And here in the manager, for example, you can just activate or enable them.
Being a compliance officer, I am more interested in using the web portal. Here we are. I'm signed in as Audrey Abello. We know Audrey Abello. She's our superuser and compliance officer. I just step into the Compliance section for governance administration. And there I do see rule violations and policy violations.
I like to start with policy violations. You see all my activated policies. One of them we have activated seconds before. It's the "All PAM asset accounts have an owner assigned," as we can-- there is just one new rule violation and one violation at all, which is not really surprising me. The next thing I can do-- I can step, for example, into Details. And then I see exactly the same picture like I saw in the data front end before.
As compliance officer, I like now to handle these specific policy violations. And to do so, I have the chance, for example, just to click here and to look for the Pending Policy Violations. Here we are.
I see a list of policy violations. There is one at the top, which is our "asset accounts have an owner assigned" policy. This is exactly the one we activated and we saw before. To ensure, I can just look into it. This is the administrator account. And here I can now create an exception, for example, and can just say, on the basis of my decision, this here is now an approved exception. If I hit then the Next button, automatically, this will be stored in the system as an exception. And then the process ends.
In this environment, I like to let this position open, especially because then I can show it again to another audience.
[MUSIC PLAYING]
Another compliance-related interesting part is risk management. I like to start in the manager. Again, as you can see, I have selected the Privileged Account Management part, which is our Safeguard here. You can see the user groups and local user groups. And there are two groups in there. One-- it's the empty group. And the other one here-- it's OneIM group.
And as we know, the OneIM group-- it's necessary to deal with sessions and Windows passwords and, as well, RDP sessions in Safeguard. That means if I have this OneIM group assigned, then I'm able to order these resources in Safeguard.
Maybe in the course, if I get this group assigned, I am able to request this interesting information. It could be a good idea to configure a risk for that specific group. If I jump into the group, then you can see that this group-- it's not just configured with a standard risk index of 0. It comes with a risk index of 0.5, which is more or less a 50% risk at all.
As we know, risk management works in a way that the risk of the different resources assigned to me gets, at the end, accumulated just on my person. And so I collect risk. And this is what I want to show you next. Therefore, I step into my web portal. And in my specific web portal, I have to be a risk admin to see all of this. We are not really wondering that Audrey Abello-- it's the person we like to deal with. Therefore, Audrey-- it's just signed in here, as we can see.
And I like to look at the risk level. So I look here in the Compliance part and step to Governance Administration. And just being there, there are two types for risk. One-- it's Risk Management. The other one-- it's Risk Overview. I like to start with the Risk Overview. I step into that.
As you can see, top one of my risky people-- it's Audrey Abello-- again, not really wondering, as the reason for is, as we know, Audrey, in this system-- it's the superuser. She collected, more or less, everything which is possible. And because of that, she is a big risk for the complete environment.
And if I jump into this and if I then step into Risk, I can then see that the risk of Audrey gets calculated out of different factors. As you can see here, there are many positions just putting risk together. One of these positions, just to follow our scenario, is to open the assignment of PAM user accounts. As you can see then, there is the assignment. And if I look into the lists, then I find, as well, the OneIM group that comes with a 50% risk here, which is part of the complete risk calculation for Audrey.
If I step then back to the overview of Risk Management-- here we are-- then I can look into the Risk Assessment and figure out how all of these different risks are assigned or how they get weighted and calculated. To follow our scenario, I am now interested to see groups.
So I just open the filter and can start searching for Privileged Account Governance. Here we are. These are Privileged Account Governance objects and how they get, at the end, weighted. As we can see, there are pack user groups here. And as you easily can see, there is then the calculation or the handling for pack user in groups.
If I open that, then you can see that this type of risk gets calculated or assigned to the person with 100%. That means then the 0.5 risk we saw on the group will here-- multiplied by 1, which is 100%. So this 50% risk gets directly assigned to the person. That means here, we can configure the factor how risk of a specific object, like the group, will be auto-assigned then to the identity.
Of interest, as well, are mitigation measurements. If you look here into the list, then you easily will see increments and decrements. Following our example, talking about the OneIM group, we saw in the past this OneIM group was just assigned directly, which is the maximum risk.
But if, for example, this group gets assigned by an attestation or by a request, then an approval process was upfront. And that will then automatically decrease the risk. That means there is then a decrement created. And this decrement will then be multiplied with that 1 we saw before. And get less risk accumulated on the person itself.
So with these measurements, you are able to increment or to decrement the different risk positions so that at-- then a global risk out of all permissions we have can be accumulated on the user. In case of Audrey, we remember this is something that will not help us out of the trouble. And this is because Audrey has every permission we can get in this system. And that means she is the most risky person in this environment.
[MUSIC PLAYING]