Identity management integration solves a problem that arises when the management of accounts in distributed repositories is divided between different sets of tools. Typically, Identity Governance and Administration (IGA) tools manage normal business user accounts, and Privileged Account Management (PAM) tools manage privileged accounts. Although the two tools together can provide effective methods for controlling all types of accounts, it is difficult to ensure that every account in any given managed account repository is under the control of at least one of them.
Some IGA tools have the ability to discriminate among different types of accounts, and to associate owners and appropriate account life cycle processes with all accounts in a given account repository. However, the majority of products do not offer this luxury. Regardless of IGA product capabilities, when PAM tools are being used, it is advisable for there to be identity management integration between the IGA and PAM tools to allow for better coordination.
Process and Options
Integrating IGA and PAM tools can provide several benefits for Enterprise IT, but it must be done correctly. The PAM tool can periodically export a list of systems, accounts and owners under its control.
Then the IGA system would consume the list in one of two ways:
1. Flag accounts that are under the control of the PAM tool as the appropriate types of accounts and assign them to an owner, if ownership information was maintained in the PAM tool.
2. Add accounts controlled by the PAM tool to a filter list for the associated target systems so that those accounts do not show up as orphan accounts in reconciliation results. Essentially, such accounts would be invisible to the IGA tool because they are already under the control of the PAM tool.
The IGA tool could periodically query the PAM tool via a programmatic interface to get lists of accounts under the PAM tool’s control, and then apply the same logic, depending on the IGA tool’s ability to discriminate between different types of accounts.
Conversely, when a PAM tool takes control of an account, it could send a message to the IGA tool so that the IGA tool knows that the PAM tool has control of the account. This pattern also would require the PAM tool to notify the IGA tool when it relinquishes control of an account.
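The three patterns above (periodic export, periodic query, and event-driven notification) all reduce to the same reconciliation step: join the accounts the IGA tool aggregated from a target system against the set of accounts the PAM tool says it controls, then either flag those accounts or hide them. The following Python is an added example, not code from the original post or from any IGA or PAM product; the record layouts, the two mode names "flag" and "filter", and the event types "control_taken" and "control_released" are assumptions chosen to illustrate the text, and the account and export data are constructed.

```python
"""Reconcile a target system's account list against a PAM tool's export.

Added example (not from the original post or any vendor product). Mode "flag"
tags PAM-controlled accounts as privileged and assigns the PAM-recorded owner;
mode "filter" drops them from the IGA view so they never appear as orphans.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

PamKey = Tuple[str, str]  # (target system, account name)


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str] = None
    account_type: str = "standard"


@dataclass
class ReconResult:
    visible: List[Account] = field(default_factory=list)  # accounts the IGA tool keeps tracking
    hidden: List[Account] = field(default_factory=list)   # PAM-controlled accounts dropped in "filter" mode
    orphans: List[Account] = field(default_factory=list)  # visible accounts with no owner


# Constructed sample: accounts the IGA tool aggregated from target system "db01".
IGA_ACCOUNTS = [
    Account("db01", "alice", owner="alice"),
    Account("db01", "bob"),          # former employee; nobody owns it
    Account("db01", "root"),         # vaulted in the PAM tool
    Account("db01", "svc_backup"),   # vaulted in the PAM tool, no owner recorded there
]

# Constructed sample: the PAM tool's periodic export of systems, accounts and owners.
PAM_EXPORT = [
    {"system": "db01", "account": "root", "owner": "ops-team"},
    {"system": "db01", "account": "svc_backup", "owner": None},
    {"system": "web01", "account": "admin", "owner": "ops-team"},
]


def index_pam_export(export: List[dict]) -> Dict[PamKey, Optional[str]]:
    """Turn the PAM export into a lookup of (system, account) -> owner (or None)."""
    return {(row["system"], row["account"]): row.get("owner") for row in export}


def apply_pam_event(pam_index: Dict[PamKey, Optional[str]], event: dict) -> Dict[PamKey, Optional[str]]:
    """Event-driven variant: the PAM tool notifies when it takes or relinquishes control.

    Without the "control_released" notification an account would stay hidden or
    flagged forever, which is the coordination gap the article warns about.
    """
    key = (event["system"], event["account"])
    if event["type"] == "control_taken":
        pam_index[key] = event.get("owner")
    elif event["type"] == "control_released":
        pam_index.pop(key, None)
    else:
        raise ValueError(f"unknown PAM event type: {event['type']}")
    return pam_index


def reconcile(accounts: List[Account], pam_index: Dict[PamKey, Optional[str]], mode: str = "flag") -> ReconResult:
    """Classify aggregated accounts using the PAM index; does not mutate its inputs."""
    if mode not in ("flag", "filter"):
        raise ValueError(f"unknown mode: {mode}")
    result = ReconResult()
    for acct in accounts:
        key = (acct.system, acct.name)
        pam_controlled = key in pam_index
        if pam_controlled and mode == "filter":
            result.hidden.append(acct)       # invisible to the IGA tool
            continue
        if pam_controlled and mode == "flag":
            # Mark as privileged; take the PAM owner only if the PAM tool recorded one.
            acct = replace(acct, account_type="privileged", owner=pam_index[key] or acct.owner)
        result.visible.append(acct)
        if acct.owner is None and acct.account_type != "privileged":
            result.orphans.append(acct)      # nobody owns it and no tool controls it
    return result


if __name__ == "__main__":
    pam = index_pam_export(PAM_EXPORT)
    for mode in ("flag", "filter"):
        r = reconcile(IGA_ACCOUNTS, pam, mode)
        print(mode, "orphans:", [a.name for a in r.orphans], "hidden:", [a.name for a in r.hidden])
    # PAM relinquishes svc_backup; on the next run it surfaces as an orphan.
    apply_pam_event(pam, {"type": "control_released", "system": "db01", "account": "svc_backup"})
    print("after release, orphans:", [a.name for a in reconcile(IGA_ACCOUNTS, pam, "flag").orphans])
```

In "flag" mode the IGA tool still sees `root` and `svc_backup`, typed as privileged, and can attach a privileged-account life cycle to them; `svc_backup` keeps no owner because the PAM export recorded none, which is exactly the case the first option's "if ownership information was maintained" clause leaves open. In "filter" mode both disappear from the view, so the release event is what prevents a relinquished account from staying invisible to both tools.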
Identity Management Integration: SailPoint and BeyondTrust
XMS Solutions partners with two leading IAM vendors to tackle identity management integration: SailPoint and BeyondTrust. SailPoint is a recognized industry leader in IGA, perennially appearing in Gartner’s Magic Quadrant. BeyondTrust was recognized by Forrester as a global PAM leader, serving over 4,000 customers worldwide.
Using BeyondTrust Password Safe version 6.0 with SailPoint IdentityIQ, customers can leverage a dynamic, bi-directional certified integration that allows them to effectively manage user access for both privileged and non-privileged accounts. This integration gives organizations a single solution for the management and security of asset data, privileged and non-privileged users, and associated functions by role, including assessments, auditing, rule creation, and reporting.