- 07 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
PIM/PAM Entitlement Considerations
- Updated on 07 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
PIM/PAM
PAM is an approach to access management which deals with "Privileged Access". Microsoft Entra ID has PAM functionality which they call "PIM" for Privileged Identity Management which enables PAM within Entra ID.
These tools/systems provide a way for you to grant access to users with additional restrictions/conditions around that access. A user may be eligible for an entitlement, and can then go into the PAM tool to activate their eligibility for a set duration. These time limits/durations are called schedules. Additionally, user-entitlement assignments/eligibility may have other restrictions around it in addition to time/duration, including the scope where the entitlements privileges can be used.
For example, in Entra PIM, you could have a role called "Application Administrators". You can create a PIM eligibility assignment saying that the user "Steve" is eligible for the "Application Administrators" role, from February 1st through March 15th. Furthermore, there is a narrow scope which is applied the that eligibility assignment, which says that Steve can only use this role to take action on directory objects which are in the "US Servers" administrative unit.
How does Clarity handle this?
In Clarity, the PIM service is built into a special extension to the base Entra ID (Azure Active Directory) connector. If an organization who uses Clarity already has Entra ID set up, and they also use PIM and want to integrate that with Clarity, there is no additional configuration necessary on the Clarity side. The only consideration is that the Clarity Service User that is configured in Entra ID needs to have the correct privileges/scopes in order to perform PIM activities. These scopes are:
Scopes | Read Only vs. Provisioning |
---|---|
PrivilegedEligibilitySchedule.Read.AzureADGroup | Read Only |
PrivilegedAssignmentSchedule.Read.AzureADGroup | Read Only |
PrivilegedAccess.Read.AzureADGroup | Read Only |
PrivilegedAccess.Read.AzureResources | Read Only |
PrivilegedAccess.Read.AzureAD | Read Only |
If PIM is not enabled on the Entra ID tenant (or if the permissions do not grant the proper privileges), Clarity will detect this and won't attempt to make any PIM API calls.
If PIM is enabled, Clarity will read in some additional entitlements and the associated meta-data for those entitlements. There will be two new entitlement types: group eligibility and role eligibility. "Traditional" role/group assignments will still show up in Clarity as normal. Clarity considers those as "role assignments" or "group assignments" and they will have the normal entitlement types for "role" or "group" respectively. Furthermore, Clarity will ingest schedule information about all role assignments, group assignments, role eligibilities, and group eligibilities.
Clarity handles scope by creating a new entitlement for each role/scope combination. This will appear in Clarity as a new entitlement with a name like: Role Name (Scope: Scope Name [Scope Type]). In the example above, the entitlement that Steve was granted would show in up Clarity as "Application Administrator (Scope: US Servers [administrative_unit])".
Nesting
In addition to user-entitlements, PIM also allows the management of entitlement-entitlements, similar to how nesting in Entra already works. Like users, groups can also be assigned to roles with PIM scopes and schedules attached. For example, you could have a PIM enabled group called "Operations Staff" which has the role assignment to the "Log Reader" role, and an eligibility assignment to the "Application Administrators" role, with the scope "US Servers" only, and that role eligibility could have a limited schedule of February 1st - March 3rd.
If Steve is a member of the "Operations Staff" group, Steve would inherit the "Log Reader" role assignment from their group membership, and Steve would be eligible to request the "Application Administrators" role any time after February 1st, through March 3rd.
Clarity stores this additional information and it is presented in the UI when viewing entitlement details and in Access Reviews when reviewing User Access or Entitlement Access.
Note the scope shown in the entitlement name, as well as. the "Assignment Start" field showing assignment schedule information in UARs.
If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.