17.7 Understanding and Configuring PAM Templates

Identity Governance provides the following templates for PAM:

  • PAM Account

  • PAM Permission

NOTE: The PAM application must be version 4.4 or later for you to collect accounts and permissions using the PAM collector.

For additional information about configuring PAM templates, see the following sections:

17.7.1 Required Minimum Rights for Integration with PAM

To ensure data is mapped successfully from PAM to the Identity Governance catalog, the PAM user that runs the collector APIs (for user roles, resource pools, and assignments) must have the required minimum rights in the PAM application. This user can be a local PAM user or an LDAP user. In either case, the user must be added as a group member, or be mapped to a group, that has the View Access Control Objects permission in the PAM application.

17.7.2 About PAM Account Collector

NetIQ Privileged Account Manager (PAM) manages and monitors administrative access to servers, networks, databases, and other target applications through its access control objects, such as user roles, resources, resource pools, and assignments.

User roles and resource pools are logical groupings, where user roles are allocated permissions to access resources. These resources, in turn, are organized within a resource pool. PAM utilizes the assignments to establish a connection between user roles and the associated resource pool.

The PAM account collector collects the unique members and group members of all user roles. The permission collector collects user roles (together with the members included in each role), resource pools, and the parent-child relationship between user roles and resource pools. These accounts and permissions are mapped to identities by association or by other attributes. Note that PAM uses LDAP as its identity source, so the PAM collector maps only LDAP accounts to identities; local PAM users remain unmapped.

When configuring the PAM Account Collector, configure the service parameters as needed, then set the Account-User Mapping parameter to “id” and map it to the identity attribute that holds the objID. Optionally, if you want PAM accounts to be populated as unique entries in the Identity Governance catalog, open the Collect Account view and, under Mapped Attributes, specify a PAM attribute that is unique to the PAM account (for example, ID). Then write an ECMA script for the Collect Account attribute, for example:

[outputValue = "NetiqPAM" + inputValue]

When configuring the PAM Permission Collector, configure the service parameters, then, depending on the type of permission you want to collect, select the permission type separately for User Role and Resource Pool, and specify whether you want to collect disabled permissions.

  • To map the permissions to an account, specify the Permission-Account or User Mapping parameter value as “ids” and map it to Account ID.

  • To collect the parent-child relationship between User Role and Resource Pool, specify the Parent Permission ID value as parentPermission.
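The following JavaScript is an added illustration of the mappings described in the account collector and permission collector sections above; it is not Identity Governance or PAM code. It applies the ECMA transform from the text to the PAM account "id", maps accounts to identities through the identity attribute holding the objID, and builds permissions whose "ids" carry the holding account IDs and whose parentPermission links a resource pool to its assigned user role. All PAM records, identities, and field names other than id, ids, objID, parentPermission and the "NetiqPAM" prefix are constructed sample data and assumptions of this example; in particular, treating the members of the assigned user role as the holders of a resource pool permission is an assumption here, not a statement about how the product computes it.

```javascript
// Added illustration (not Identity Governance or PAM code) of the PAM
// account and permission collector mappings. All records below are
// constructed sample data; record shapes and function names are assumptions.

// The ECMA script from the text, applied to the PAM account "id" so that
// PAM accounts are populated uniquely in the catalog.
function collectAccountId(inputValue) {
  const outputValue = "NetiqPAM" + inputValue;
  return outputValue;
}

// Constructed PAM access control objects: user roles with their members,
// resource pools, and assignments linking a user role to a resource pool.
const pamUserRoles = [
  { id: "ur-1", name: "DBAdmins", members: ["ldap-u1001", "ldap-u1002"] },
  { id: "ur-2", name: "WebOps",   members: ["ldap-u1002", "local-svc9"] },
];
const pamResourcePools = [
  { id: "rp-1", name: "ProdDatabases", disabled: false },
  { id: "rp-2", name: "LegacyWeb",     disabled: true },
];
const pamAssignments = [
  { userRole: "ur-1", resourcePool: "rp-1" },
  { userRole: "ur-2", resourcePool: "rp-2" },
];

// Constructed identities; "objID" stands in for the identity attribute that
// the Account-User Mapping parameter "id" is mapped to.
const identities = [
  { identityId: "I-1", objID: "ldap-u1001", displayName: "Alice" },
  { identityId: "I-2", objID: "ldap-u1002", displayName: "Bob" },
];

// Account collector: the unique members of all user roles become accounts.
// Each account maps to an identity by matching its "id" against objID.
// PAM uses LDAP as its identity source, so the local user stays unmapped.
function collectAccounts(userRoles, idents) {
  const identityByObjId = new Map(idents.map(i => [i.objID, i.identityId]));
  const seen = new Set();
  const accounts = [];
  for (const role of userRoles) {
    for (const member of role.members) {
      if (seen.has(member)) continue;          // one catalog account per PAM member
      seen.add(member);
      accounts.push({
        id: member,
        catalogId: collectAccountId(member),  // unique catalog value via ECMA script
        identityId: identityByObjId.get(member) ?? null,
      });
    }
  }
  return accounts;
}

// Permission collector: user roles and resource pools become permissions.
// "ids" lists the account IDs the permission is granted to (the
// Permission-Account mapping); a resource pool's parentPermission is the
// user role assigned to it (the User Role -> Resource Pool relationship).
// Disabled pools are skipped unless includeDisabled is set, mirroring the
// "collect disabled permissions" option in the text.
function collectPermissions(userRoles, resourcePools, assignments, includeDisabled = false) {
  const parentOfPool = new Map(assignments.map(a => [a.resourcePool, a.userRole]));
  const roleById = new Map(userRoles.map(r => [r.id, r]));
  const permissions = [];
  for (const role of userRoles) {
    permissions.push({ id: role.id, type: "UserRole", name: role.name,
                       ids: [...role.members], parentPermission: null });
  }
  for (const pool of resourcePools) {
    if (pool.disabled && !includeDisabled) continue;
    const parent = parentOfPool.get(pool.id) ?? null;
    const parentRole = parent ? roleById.get(parent) : null;
    permissions.push({ id: pool.id, type: "ResourcePool", name: pool.name,
                       // assumption: holders of the pool are the assigned role's members
                       ids: parentRole ? [...parentRole.members] : [],
                       parentPermission: parent });
  }
  return permissions;
}

// Stand-alone run: print what the two collectors would hand to the catalog.
console.log(JSON.stringify(collectAccounts(pamUserRoles, identities), null, 2));
console.log(JSON.stringify(collectPermissions(pamUserRoles, pamResourcePools, pamAssignments), null, 2));
```

Running the block shows three accounts, two of which resolve to identities and one (the local PAM user) left unmapped, and shows the ProdDatabases pool permission carrying parentPermission "ur-1"; the LegacyWeb pool appears only when disabled permissions are collected.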