Example: Onboard accounts for a personal admin

Instead of requesters on a team being granted access to an onboarded account, account trustees can give a specific user exclusive access to the account, regardless of team. This user, referred to as the personal admin, can check out the account without needing authorization. The access is also checked out automatically (for 12 hours by default) when the personal admin logs in.

Install the Scenario.pam_personal_admin component for this example.

Any managed systems onboarded before the scenario is installed will need to be manually bound to the PERSONAL_ADMIN_ACCOUNTS managed system policy. This example onboards accounts from the Corporate AD target system.

  1. Log into Front-end as a superuser.

  2. From the main menu click Manage components > RefBuild.

  3. Select the checkbox for Scenario.pam_personal_admin_management.

  4. Click Install component(s).

    The panel on the right will indicate when the installation is complete.

  5. Configure the Corporate AD target system with the additional step of selecting Automatically create a Privileged Access Manager managed system.

  6. Click Privileged access > Managed system policies.

  7. Select the PERSONAL_ADMIN_ACCOUNTS managed system policy.

  8. Click the Member systems tab.

  9. Click Add new….

  10. Select the Corporate AD managed system and click Select.

  11. Log into Front-end (PSF) as the account trustee for the corporate AD team.

  12. Click Manage Resources.

  13. Click Account: Onboard.

  14. Select an account to be managed by the corporate AD team.

    Click Next.

  15. Select the Personal administrator access policy as the Managed System Policy ID.

  16. Select disclosure options, as needed.

    Click Next.

  17. Select a user to be the privileged access owner (the personal admin).

  18. Click Next .

  19. Select session monitoring options, if desired.

  20. Click Next .

  21. Enable Allow override and randomization of password, if desired.

  22. Click Submit.

    Once the request has been approved, the personal admin has immediate access to the onboarded account the next time they log in.