This section describes how to create Organizational Units (OUs) for an organization. By creating OUs, you can delimit the access of PAM administrators to individual resources.

PAM OUs are not related to Active Directory OUs / containers in any way.

Organizational Unit types

An OU is either global (the Root OU) or local. Accordingly, PAM objects are global or local depending on the OU they belong to.

Immediately after installing PAM, a Root OU already exists in the system. It owns all objects whose OU is not explicitly specified. Accordingly, after upgrading PAM from version 2.6, all previously existing objects become global.

A PAM administrator is bound to an OU in the Role settings. A user can only be in roles of the same OU; you cannot add a user to a role a second time by specifying a different OU.

The OU is specified when adding a Resource, Domain, or Resource Group.

The system determines whether an object is local to a given OU through the object's links to Resources and Domains. If an object is associated with both a Resource and an Account, the OU is determined by the Resource.

Local Administrator

A local administrator has restricted access and can only work with the set of objects that belong to their OU. This restriction applies to Accounts and Resources.

Exceptions:

  • can read global domain Accounts
  • can read global Policies
  • can read Domains, but not their groups and containers

All objects created by a local administrator automatically belong to their OU.

Only a global administrator can choose the OU when creating objects.

Not available to a local administrator:

  • Objects related to other OUs
  • Sections Structure, Roles, Notifications

The following Management sections are read-only:

  • Policies and their settings
  • User connections and Service connections
  • Configuration settings

All other sections are not available.

A local administrator cannot create permissions with view credentials for domain Accounts, including Application permissions.
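The following is an added Python model of the scoping rules described above; it is illustrative code, not the product's own implementation. The class names, the Root OU value, and the rule that an Account linked only to a Domain inherits that Domain's OU are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
ROOT_OU = "Root"  # assumed name for the global OU that exists right after installation

@dataclass
class Resource:
    name: str
    ou: str = ROOT_OU  # chosen by a global administrator when the Resource is created

@dataclass
class Domain:
    name: str
    ou: str = ROOT_OU

@dataclass
class Account:
    name: str
    resource: Optional[Resource] = None
    domain: Optional[Domain] = None

@dataclass
class Admin:
    name: str
    ou: str  # bound via the Role settings; ROOT_OU means global administrator

def object_ou(obj) -> str:
    """Resolve an object's OU through its links; a Resource link takes precedence.
    Assumption: an Account linked only to a Domain inherits the Domain's OU."""
    if isinstance(obj, (Resource, Domain)):
        return obj.ou
    if obj.resource is not None:
        return obj.resource.ou
    if obj.domain is not None:
        return obj.domain.ou
    return ROOT_OU

def can_read(admin: Admin, obj) -> bool:
    if admin.ou == ROOT_OU or isinstance(obj, Domain):
        return True  # global admin sees everything; Domains are readable by local admins
    ou = object_ou(obj)
    # exception: global domain Accounts are readable (but not writable) by local admins
    is_global_domain_account = isinstance(obj, Account) and obj.domain is not None and ou == ROOT_OU
    return ou == admin.ou or is_global_domain_account

def can_write(admin: Admin, obj) -> bool:
    return admin.ou == ROOT_OU or object_ou(obj) == admin.ou

def can_grant_view_credentials(admin: Admin, acct: Account) -> bool:
    # local admins cannot create view-credentials permissions for domain Accounts
    return admin.ou == ROOT_OU or (acct.domain is None and can_write(admin, acct))
```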

Operations with Organizational Units can be enabled or disabled in the Management Console configuration file.
