1.5 Key Driver Features

1.5.1 Local Platforms

A local installation is an installation of the driver on the Identity Manager server itself. The PAM driver can be installed on any Windows or Linux platform that is supported for the Identity Manager server.

For more information about local installations, see Section 2.2, Where to Install the PAM Driver.

For additional information about system requirements, see System Requirements in the Identity Manager 4.0.2 Framework Installation Guide.

1.5.2 Remote Platforms

The PAM driver can use the Remote Loader service to run on a Windows or a Linux server other than the Identity Manager server.

For more information about remote installations, see Section 2.2, Where to Install the PAM Driver.

For additional information about system requirements, see System Requirements in the Identity Manager 4.0.2 Framework Installation Guide.

1.5.3 Entitlements

The PAM driver supports entitlements. Entitlements make it easier to integrate Identity Manager with the Identity Manager User Application and Role-Based Services in eDirectory. In the User Application, an action such as provisioning a user to a PAM UserGroup is delayed until the proper approvals have been made. In Role-Based Services, rights assignments are made based on attributes of a user object and not by regular group membership. Both of these services offer a challenge to Identity Manager because it is not obvious from the attributes of an object whether an approval has been granted or the user matches a role.

Entitlements standardize a method of recording this information on objects in the Identity Vault. From the driver perspective, an entitlement grants or revokes the right to perform a task in PAM. You can use entitlements to control PAM UserGroup membership. The driver is unaware of the User Application. It depends on the User Application server or the Entitlements driver to grant or revoke the entitlement for a user based upon its own rules.

UserGroup: This entitlement grants or revokes membership in a UserGroup in Privileged Account Manager. When the entitlement is granted, Identity Manager adds the user to the UserGroup; when it is revoked, Identity Manager removes the user's membership from the UserGroup.

When you create a new resource for this entitlement, do not assign Submit User or Everyone as the entitlement value.

If an administrator assigns such a resource to a user in the User Application or in iManager, the resulting membership change is reflected in the PAM server.
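The following is an added example, not code from the PAM driver or from Identity Manager, showing how the grant/revoke information described above is carried on the user object and how a driver-side policy would turn it into UserGroup membership changes. It relies on the standard Identity Manager encoding of DirXML-EntitlementRef (a structured value whose volume component is the entitlement DN, whose nameSpace component is the state, 1 for granted and 0 for revoked, and whose path component holds a ref element with the entitlement parameter). The entitlement DN, the user DN, the event itself and the assumption that the parameter may be either a plain UserGroup name or a JSON object with an ID key are constructed for illustration; the reserved values Submit User and Everyone are rejected as the text above requires.

```python
import json
import xml.etree.ElementTree as ET

# Hypothetical DN of the UserGroup entitlement on the PAM driver object (assumption).
USERGROUP_ENTITLEMENT_DN = r"\VAULT\system\driverset\PAMDriver\UserGroup"
# Values the documentation says must never be assigned as the entitlement value.
RESERVED_VALUES = {"Submit User", "Everyone"}

# Constructed sample XDS <modify> event as the Subscriber channel would see it.
# Three DirXML-EntitlementRef values: a grant (nameSpace 1) of pam-admins,
# a revoke (nameSpace 0) of pam-operators, and one value for an unrelated
# entitlement that must be ignored. Names and DNs are illustrative only.
SAMPLE_EVENT = r"""<nds dtdversion="4.0">
 <input>
  <modify class-name="User" event-id="evt-1" src-dn="\VAULT\data\users\jsmith">
   <modify-attr attr-name="DirXML-EntitlementRef">
    <add-value>
     <value type="structured">
      <component name="volume">\VAULT\system\driverset\PAMDriver\UserGroup</component>
      <component name="nameSpace">1</component>
      <component name="path"><ref><src>UA</src><id>101</id><param>{"ID":"pam-admins"}</param></ref></component>
     </value>
     <value type="structured">
      <component name="volume">\VAULT\system\driverset\PAMDriver\UserGroup</component>
      <component name="nameSpace">0</component>
      <component name="path"><ref><src>UA</src><id>102</id><param>pam-operators</param></ref></component>
     </value>
     <value type="structured">
      <component name="volume">\VAULT\system\driverset\OtherDriver\Account</component>
      <component name="nameSpace">1</component>
      <component name="path"><ref><src>UA</src><id>103</id><param>ignored</param></ref></component>
     </value>
    </add-value>
   </modify-attr>
  </modify>
 </input>
</nds>
"""


def entitlement_param(ref_el):
    """Return the UserGroup name carried in <ref><param>.
    Assumption: the parameter is either a JSON object with an "ID" key
    or a plain string holding the UserGroup name."""
    param = (ref_el.findtext("param") or "").strip()
    if param.startswith("{"):
        return str(json.loads(param).get("ID", "")).strip()
    return param


def plan_usergroup_changes(xds_xml, entitlement_dn=USERGROUP_ENTITLEMENT_DN):
    """Walk <add>/<modify> events and return (grants, revokes), each a list of
    (user_dn, usergroup) tuples derived from DirXML-EntitlementRef values.
    Only add-value/add-attr values are consulted: a revoke arrives as a new
    value with state 0, so remove-value elements carry nothing actionable."""
    root = ET.fromstring(xds_xml)
    grants, revokes = [], []
    for event in root.iter():
        if event.tag not in ("add", "modify"):
            continue
        user_dn = event.get("src-dn")
        for attr in event.findall("add-attr") + event.findall("modify-attr"):
            if attr.get("attr-name") != "DirXML-EntitlementRef":
                continue
            # <add-attr> holds <value> directly; <modify-attr> wraps it in <add-value>.
            holders = [attr] if attr.tag == "add-attr" else attr.findall("add-value")
            for holder in holders:
                for val in holder.findall("value"):
                    comps = {c.get("name"): c for c in val.findall("component")}
                    volume = (comps["volume"].text or "").strip()
                    if volume.lower() != entitlement_dn.lower():
                        continue  # a different entitlement; not ours
                    state = (comps["nameSpace"].text or "").strip()
                    ref = comps["path"].find("ref")
                    if ref is None:  # path delivered as escaped XML text
                        ref = ET.fromstring(comps["path"].text or "<ref/>")
                    group = entitlement_param(ref)
                    if group in RESERVED_VALUES:
                        raise ValueError("reserved entitlement value: %s" % group)
                    (grants if state == "1" else revokes).append((user_dn, group))
    return grants, revokes


if __name__ == "__main__":
    g, r = plan_usergroup_changes(SAMPLE_EVENT)
    print("grant:", g)
    print("revoke:", r)
```

The driver itself does not decide who should be in a UserGroup; it only reacts to the state carried in the value, which is why an approval workflow in the User Application can hold the membership change until the entitlement is actually granted.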

The NOVLPUMENT_x.x.x.xxxxxx.jar package contains the Entitlement contents for PAM.

For more information about entitlements, see the Identity Manager 4.5 Entitlements Guide.

1.5.4 Password Synchronization Support

Password synchronization keeps the passwords of DirXML-PUMCredential objects in step between the Identity Vault and the target PAM server: from the Identity Vault to the PAM server in the normal case, and from the PAM server back to the Identity Vault when a password is checked in. When credential objects are created in the Identity Vault (eDirectory), their passwords are synchronized to the target PAM servers through the Subscriber channel. For the password check-in feature, passwords are synchronized to Identity Manager through the Publisher channel. For more information about password synchronization through the Publisher channel, see Section 8.1, Password Synchronization with Connected Systems through Identity Manager.

1.5.5 Data Synchronization Support

The PAM driver synchronizes Privileged Account Domains and Credentials objects from the Identity Vault to the PAM server.

NOTE: The PAM driver does not synchronize User or Group objects from eDirectory to the PAM server; it controls UserGroup membership through Entitlements instead. For more information about Entitlements, see Section 1.5.3, Entitlements.