This section is intended for creating Organizational Units (OU) of an organization. When creating OU, you can delimit the access of Indeed Identity PAM administrators to individual resources.

Organizational Unit Types

An OU can be global (Root OU) or local. Also, Indeed Identity PAM objects can be global and local by belonging to an OU.

Immediately after installing Indeed Identity PAM, a Root OU already exists in the system. It owns all objects whose OU is not explicitly specified. Accordingly, after upgrading the Indeed Identity PAM version from version 2.6, all previously existing objects become global.

You can bind the Indeed Identity PAM administrator to the OU in the Role settings. A user can be in roles from the same OU. You cannot add a user to a role again by specifying other OUs.

The OU is specified when adding a Resource, Domain, or Resource Group.

The system recognizes whether a given object is local to a given OU through the objects' links to resources and domains. If an object is associated with a Resource and an Account, the OU is determined by the Resource.

Local Administrator

The local administrator is restricted in access and can only work with a set of objects that belong to his OU. The following objects are restricted — Accounts and Resources.

Exceptions:

• can read global domain accounts
• can read global policies
• can read Domains, but not their groups and containers

All objects created by the Local administrator automatically belong to his OU.

Not available to the Local administrator:

• Objects related to other OUs
• Sections Structure, Roles, Notifications

The Management sections are read-only:

• Policies and their settings
• User connections and Service connections
• Configuration settings

Other sections are not available.

A local administrator cannot create permissions with view credentials for domain Accounts, including Application permissions.