Symantec Privileged Access Management

  • 1.  How does CA PAM SC work with UNAB installed on Linux?

    Posted Jun 10, 2020 03:41 PM
    I am fairly new to CA tools... 

    Can anyone explain to me how CA PAM-SC works with UNAB installed on Linux? I heard that there is a plugin to connect CA PAM-SC to IDM, where we define users, groups and user roles, with UNAB authenticating users from AD, etc., etc.

    I am a bit confused by the many tools in this architecture. Can anyone help me understand what the flow of users and groups from AD to Linux servers is, where user roles are defined, and how PAM-SC manages user privileges? An architectural diagram would be very helpful.


  • 2.  RE: How does CA PAM SC work with UNAB installed on Linux?
    Best Answer

    Broadcom Employee
    Posted Jun 11, 2020 11:21 AM
    Savesh Sella,

    It's been a while since I've worked with IDM (and I'm not an IDM Architect), but if memory serves me correctly, IDM talks to what we "now call" a PAMSC agent.

    ----------  Historical Basis ---------------------
    Many years ago (prior to Advanced Policy Management (APM)), IDM could be configured to talk directly to a PAMSC database.  That database could be a Policy Model Database (PMDB) or a local database (aka the database that resides on a "PAMSC" Agent).  And understand that we used to deploy "PAMSC" rules via a hierarchy of PMDBs.  IDM could create a user identity, and that user identity could be associated with a "role".  That role would tie back to a PAMSC database, and it could define all of the necessary information to create the account within "PAMSC".  Also understand that "PAMSC" has the capability of creating an account locally on the endpoint (e.g., /etc/passwd, /etc/shadow in UNIX/Linux).  So back in the day, it was possible to create a new "system administrator", define the user to an IDM role that would provision an account to a PMDB (or to local database(s)), and have it create the user account on UNIX/Linux machine(s).  The advantage of creating the account via a PMDB is that you would only need to define it at a single point for IDM, and "PAMSC" would create the account locally on all of the endpoints subscribing to that PMDB.

    NOTE:  PMDBs are a thing of the past - however, they are still supported.  And "PAMSC" (for the last 10+ years) has been using Advanced Policy Management (APM) to deploy rules/policies.
    -----------------------------------------------------

    I could be wrong, but I do not believe that IDM would talk directly to UNIX Authentication Broker (UNAB).  Typically, you would create and then deploy a UNAB policy via the Enterprise Management (ENTM) server - and that policy would then be pushed out to the UNAB agents.  I do not believe that IDM has the capability of creating/updating/deleting a UNAB policy.

    HOWEVER, it may be possible for the following:

    (1)  PAMSC Task - Create/Deploy a UNAB policy that allows users within a specific AD group to use their AD credentials to log in to a UNIX machine.
         PAMSC Task (optional) - Deploy a "PAMSC" policy that allows/denies access to specific resources for said AD group.

    (2)  IDM Task - Create the necessary Profile/Role/Tasks that would provision an account to the specific AD group.  This will require the proper UNIX/Linux attributes to be defined in AD as well.

    (3)  PAMSC Task - Refresh the "UNAB" agent on the applicable server(s) so that it knows a new user has joined the appropriate AD group and that the user will be allowed to log in to a UNIX/Linux machine with their "AD" credentials.

    I hope this information is useful.  Good Luck.

    ------------------------------
    Sr Architect
    Broadcom
    ------------------------------