I’ve recently worked in my demo lab with the Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.
One thing that came to mind was how I could enable PAM admins to see a list of all currently active PAM requests on the system.
Option 1 is to use PowerShell from the MIMPAM module to get an overview:
Get-PAMUser | Get-PAMRequest -Active
Quite simple, right?
But I wanted a graphical version, and since the good “old” MIM portal is also present in that scenario, I tried to figure out how to search only for “Active” roles/requests.
Checking the attributes on PAM requests, there is one called:
ExpirationProcessState (SystemName: msidmPamRequestExpirationProcessState)
If a user requests a role, this attribute gets the value NotHandled.
When the PAM request expires, or the user has cancelled his own request before the expiration time, and the “expiration cleanup process” has removed the user from the PAM group(s), the attribute value is set to “Handled”.
So Option 2 is to create a search scope for the “PAM Requests” navigation of the MIM portal.
I used the following XPath query on the search scope:
/msidmPamRequest[msidmPamRequestExpirationProcessedState = 'NotHandled']
Here are some screenshots of the rest of the search scope parameters:
(Don’t forget to do an IISReset to clear the cache after saving the search scope.)
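As an added example (not from the original post), here is a PowerShell script that builds on the Option 1 one-liner and the ExpirationProcessState semantics described above: it reports all active PAM requests and flags any whose expiration time has already passed but which still show up as active, i.e. the expiration cleanup process has not yet handled them and the user may still sit in the PAM group. The property names on the PAMRequest objects (Requestor, Role, Justification, ExpirationTime) are assumptions; verify them in your lab with Get-PAMUser | Get-PAMRequest -Active | Get-Member.

```powershell
# Added example, not from the original post.
# Property names on the PAMRequest objects are ASSUMED; verify them with
#   Get-PAMUser | Get-PAMRequest -Active | Get-Member
Import-Module MIMPAM

function Get-ActivePamRequestReport {
    param(
        # Treat a request as "overdue" if it expired more than this many minutes ago
        # and is still returned as active (cleanup process has not run yet).
        [int]$GraceMinutes = 5
    )

    $now = Get-Date
    Get-PAMUser | Get-PAMRequest -Active | ForEach-Object {
        $req     = $_
        $expires = [datetime]$req.ExpirationTime      # ASSUMED property name
        [pscustomobject]@{
            Requestor     = $req.Requestor            # ASSUMED property name
            Role          = $req.Role                 # ASSUMED property name
            Justification = $req.Justification        # ASSUMED property name
            ExpiresAt     = $expires
            MinutesLeft   = [math]::Round(($expires - $now).TotalMinutes)
            Overdue       = (($now - $expires).TotalMinutes -gt $GraceMinutes)
        }
    }
}

# Overview for the PAM admin, soonest expiration first
$report = @(Get-ActivePamRequestReport)
$report | Sort-Object ExpiresAt | Format-Table -AutoSize

# Anything overdue means the requested TTL has passed but the expiration cleanup
# process has not removed the user from the PAM group(s) yet; check the MIM
# Service and the PAM component services if this list is not empty.
$overdue = @($report | Where-Object { $_.Overdue })
if ($overdue.Count -gt 0) {
    Write-Warning ("{0} active PAM request(s) past expiration but not yet handled" -f $overdue.Count)
    $overdue | Format-Table Requestor, Role, ExpiresAt -AutoSize
}
```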