Privileged Access Management: List all active pam requests


I’ve recently worked in my demo lab with Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was, how I can enable PAM Admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell from the MIMPAM Module to get an overview:

Get-PAMUser | Get-PAMRequest –Active

Quite simple, right?

But I want some graphical version and since the good “old” MIM portal is also present in that scenario I tried to figure out on how to search only “Active” roles/requests.

Checking the attributes on PAM requests there is one called:

ExpirationProcessState (SystemName: msidmPamRequestExpirationProcessState)

If a user requests a role this attribute gets value: NotHandled

When the PAM requests expires or the user has canceled his own request before expiration time and the “expiration cleanup process” has removed the user from the PAM group(s) the attribute value is set to “Handled”

So Option 2 is to create a search scope for the “PAM requests” navigation of MIM portal.

I used the following XPath query on the search scope:

/msidmPamRequest[msidmPamRequestExpirationProcessedState = 'NotHandled']

Here are some screens on the rest of the search scope parameters:
(Don’t forget to do an IISReset in order to clear the Cache, after saving the search scope)

SearchScope1

SearchScope2

SearchScope3

SearchScope4

 

Advertisements

About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: