Using SCIM Extension for Privileged Access Management (PAM) entitlement information retrieval

The SailPoint Privileged Account Management (PAM) module is used for managing access to privileged or high-level accounts as well as critical systems and assets. Centrify Privileged Access Service supports SCIM standards that allow SailPoint IdentityIQ and the PAM module to communicate directly through SCIM. By automating the exchange of user identity information between SailPoint IdentityIQ and Centrify Privileged Access Service, it can be used to automatically provision and deprovision accounts for users.

Configuration requirements

Permissions and users

  • You must have the SailPoint Lifecycle Manager installed to use the Centrify Privileged Account Management module.
  • You must be a system administrator or have the PAM administrator user capability to access Privileged Account Management.
  • System Administrator user rights are required to configure Privileged Account Management.

Supported managed systems

  • Supported SailPoint IdentityIQ versions:
    • IdentityIQ 7.3.
    • IdentityIQ 7.2.
  • Supportede SCIM version: SCIM 2.0.

Understanding user constraints in Centrify Privileged Access Service

The following are best practice considerations when working with Centrify PAS:

  • All user names must be suffixed according to the configuration in the Centrify Admin Portal (Centrify Admin Portal > Settings > Customization > Suffix). Example: domain name for Centrify User.
  • All passwords must fulfill the password policies as configured in Centrify Admin Portal (Centrify Admin Portal > Policies > policy > User Security Policies > Password Settings).
  • Container and PrivilegedData constraints: "Type" is either VaultAccount, Server, or DataVault.
  • ContainerPermissions and PrivilegedDataPermissions constraints: rights of VaultAccount type could be Login, Naked, Manage, Owner, Delete, UpdatePassword, UserPortalLogin, RotatePassword, View, and FileTransfer.
  • Rights of Server type: can be ManageSession, Edit, Delete, Grant, AgentAuth, RequestZoneRole, and View.
  • Rights of DataVault type: can be View, Delete, Grant, Edit, and Retrieve.

Configuring the Centrify SCIM server

To configure the Centrify SCIM server, perform the following steps:

  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. Click Custom.

  1. On the Custom tab, next to the OAuth2 Client application, click Add.
  2. Enter values for Settings, General Usage, and Tokens.
  3. Navigate to the Scope tab. Delegate permissions by defining the scope to allow REST API by regex SCIM as shown below:

  1. Grant administrative rights for both Role Management and User Management.

    Note:   Ensure the role does not include "Read Only System Administration."

  1. Generate the API token, or bearer token:

    1. Navigate Apps > Web Apps and select the OAuth2 Client application you created.

    2. Navigate up to the left-hand corner and at the Actions dropdown, select Create Bearer Token.

    3. Enter the client_id and secret that you established as part of your Service User/Confidential Client.

    4. Click Get Token.

Note:   For more information on authorized access to protect resources using OAuth2.0, see the respective Centrify Knowledge Base article.

Privileged Account Management

  1. Navigate to the SailPointIQ and click Applications > Application Definition > Add New Application.
  2. Enter a name and owner for the PAM application.
  3. For Application Type, choose Privileged Account Management.

  1. On the Configuration tab, click Settings to enter connection information for the Base URL, API Token and add the permissions you need (add one by one).

  1. To read in the permissions users have on containers. Navigate to the Unstructured Targets tab and click Add New Unstructured Data Source.

For Correlation Rule, choose PAM Access Mapping Correlation Rule and for Target Source Types, choose Privileged Account Management Collector. Click Save.

  1. Confirm Privileged Account Management set up by clicking the gear icon and selecting Global Settings > IdentityIQ Configuration to display the Privileged Account Management configuration.

Aggregating Privileged Account Management tasks

You must configure new tasks to aggregate and update information in SailPoint IdentityIQ. The following tasks are required:

  • Account Aggregation.
  • Account Group Aggregation.
  • Target Aggregation.
  • Effective Access Indexing.
  • Identity Refresh — with the Refresh Identity Entitlements for all links selected.

For detailed information on defining tasks or to configure new tasks to aggregate and update information in IdentityIQ, refer to the SailPoint IdentityIQ Administration Guide.