IBM Security Privileged Identity Manager: Automate ID management

Start learning how to effectively manage insider IT security threats

This quick-read guide explains the basics of how IBM® Security Privileged Identity Manager centralizes the management of privileged and shared accounts and helps you track and audit the activities of privileged users so you can provide effective security and authentication governance.


developerWorks security editors, Staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

23 July 2013

Also available in Russian

According to the 2012/2013 Kroll Annual Global Fraud Report, the share of cyber-crimes committed by corporate insiders has continued to climb, from 55 percent in 2010 to 60 percent in 2011 and more than 66 percent in 2012. (See Resources for a link.) Modern trends in enterprise computing (social media, cloud, mobile and device computing, and big data analytics) make insider threats harder to identify.

Security intelligence methods offer a smart approach to combating insider threats, enabling the following foundational security elements:

  • Data protection and redaction
  • Security intelligence and analytics
  • Privileged user monitoring
  • Identity and access management

IBM Security Privileged Identity Manager can ease the burden of tracking and administering privileged identities within your organization, whether the threat is an authorized insider's identity being used by an attacker, an authorized insider deliberately misusing corporate data, or an outsider who has assumed the identity of a privileged insider.

Task areas

Privileged Identity Manager performs five major tasks to ease the work of managing the security risk that authorized insiders pose:

  • Manages privileged user identities centrally
  • Defines privileged roles and entitlements
  • Reduces overhead and risk by consolidating privileged accounts
  • Controls access and tracks usage of shared identities
  • Provides automated password management

Manage privileged user identities centrally

Privileged Identity Manager lets you manage and audit privileged identities as a pool that authorized people check out and check back in. You can add, remove, and change privileged access from a central location. It automates single sign-on to the target system and the check-out and check-in steps, and it automates the ID approval and recertification processes. It also supports self-service requests, which helps improve productivity.

Define privileged roles and entitlements

By using automation to make it easier to define privileged roles and entitlements, Privileged Identity Manager improves productivity while strengthening security. It helps secure the provisioning of privileged user accounts, provides an encrypted vault for storing privileged credentials, and offers timed automatic check-in so that a user holds a privileged identity only for a limited period.

Consolidate privileged accounts

Consolidating privileged accounts is another capability Privileged Identity Manager uses to ease management of a growing number of IDs. It enables shared access among a predefined group of users, gives each user in the group single sign-on to a designated shared account even as that account's password is changed, and lets users request access to a privileged account through shared identity services.

Control access and track usage of shared identities

Tracking and monitoring shared and privileged identities is a critical capability of Privileged Identity Manager. It lets you track identities through methods such as:

  • Fine-grained activity logging for all identities
  • The ability to capture how a privileged identity was used
  • The ability to capture what a user did with a privileged identity
  • A configuration that can enforce strict check-in and check-out of a pool of shared accounts
  • The ability to ensure privileged identities are checked out exclusively by individual users
  • The ability to record steps of authentication and privileged account actions in a detailed audit trail

Provide automated password management

Finally, Privileged Identity Manager delivers automated password management. It automates the check-out of identities and hides the password from the requesting employee, so the person using a shared account never learns its credential. It resets the password when an identity is checked back in, which limits how long a stolen or copied password stays valid and prevents reuse after the session ends. A self-service interface lets authorized users check credentials out and in and, where policy allows, view a password.
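The check-out, exclusive-use, timed check-in, rotate-on-check-in and audit-trail behaviour described in the sections above ("Manage privileged user identities centrally", "Control access and track usage of shared identities" and "Provide automated password management") can be sketched as a small credential broker. The Python below is an added example written for this page; it is not IBM code and does not describe Privileged Identity Manager's internal design. Every name in it (PrivilegedAccountPool, Lease, the root@db01 account, the users alice and bob) is hypothetical, passwords are rotated with random tokens, and time is passed in as an integer so the walk-through is deterministic.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


class CheckoutError(Exception):
    """Raised when a check-out, use or check-in violates the pool's rules."""


@dataclass
class Lease:
    account: str
    user: str
    expires_at: int


@dataclass
class SharedAccount:
    name: str
    # The secret stays inside the broker; requesters only ever receive a Lease.
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24), repr=False)
    lease: Optional[Lease] = None


class PrivilegedAccountPool:
    """Hypothetical credential broker: exclusive check-out, timed check-in,
    password rotation on check-in, and an append-only audit trail."""

    def __init__(self, accounts, default_ttl=3600):
        self.accounts = {name: SharedAccount(name) for name in accounts}
        self.default_ttl = default_ttl
        self.audit = []  # one dict per event, in order

    def _log(self, event, account, user, now, **extra):
        self.audit.append({"ts": now, "event": event, "account": account, "user": user, **extra})

    def checkout(self, account, user, now, ttl=None):
        """Grant exclusive use; refuse while another user holds an unexpired lease."""
        acct = self.accounts[account]
        if acct.lease is not None:
            if acct.lease.expires_at > now:
                self._log("checkout_denied", account, user, now, held_by=acct.lease.user)
                raise CheckoutError(f"{account} is held by {acct.lease.user}")
            self._release(acct, now, reason="ttl_expired")  # lazy timed check-in
        ttl = self.default_ttl if ttl is None else ttl
        acct.lease = Lease(account, user, now + ttl)
        self._log("checkout", account, user, now, expires_at=acct.lease.expires_at)
        return acct.lease

    def use(self, lease, now, action):
        """Broker-side use: the caller names an action and never sees the password
        (the return value stands in for single sign-on into the target session)."""
        acct = self.accounts[lease.account]
        if acct.lease is not lease or now >= lease.expires_at:
            self._log("use_denied", lease.account, lease.user, now, action=action)
            raise CheckoutError("lease is not active")
        self._log("use", lease.account, lease.user, now, action=action)
        return f"{acct.name}:{action}"

    def checkin(self, lease, now):
        """Voluntary check-in by the lease holder; the password is rotated."""
        if self.accounts[lease.account].lease is not lease:
            raise CheckoutError("lease is not active")
        self._release(self.accounts[lease.account], now, reason="user_checkin")

    def sweep(self, now):
        """Timed automatic check-in of every expired lease; returns the account names."""
        expired = [a for a in self.accounts.values()
                   if a.lease is not None and a.lease.expires_at <= now]
        for acct in expired:
            self._release(acct, now, reason="ttl_expired")
        return [a.name for a in expired]

    def _release(self, acct, now, reason):
        user = acct.lease.user
        acct.lease = None
        acct.password = secrets.token_urlsafe(24)  # any copied password is now useless
        self._log("checkin", acct.name, user, now, reason=reason, password_rotated=True)


def run_scenario():
    """Constructed walk-through (not IBM data): alice checks out root@db01, bob is
    refused while she holds it, the lease expires and is auto-checked-in with a
    password rotation, alice's stale lease is rejected, then bob succeeds."""
    pool = PrivilegedAccountPool(["root@db01"], default_ttl=3600)
    before = pool.accounts["root@db01"].password
    lease = pool.checkout("root@db01", "alice", now=0)
    pool.use(lease, now=5, action="systemctl restart mysqld")
    try:
        pool.checkout("root@db01", "bob", now=10)
    except CheckoutError:
        pass
    swept = pool.sweep(now=3600)
    try:
        pool.use(lease, now=3601, action="cat /etc/shadow")
    except CheckoutError:
        pass
    pool.checkout("root@db01", "bob", now=3605)
    rotated = pool.accounts["root@db01"].password != before
    return [e["event"] for e in pool.audit], swept, rotated
```

Running run_scenario() yields the audit sequence checkout, use, checkout_denied, checkin, use_denied, checkout: the denied check-out and the rejected stale lease are recorded alongside the successful actions, which is the point of the audit trail, and the rotation on check-in means a password copied during alice's session is worthless by the time bob holds the account. In a real deployment the sweep would run from a scheduler and the actions would be brokered into an SSH or RDP session rather than returned as a string.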

Tools for the next step

Privileged identity management can quickly become a complex, multivariate task. To ease the burden of keeping a 24/7, always-on watch over privileged IDs, keep the concepts of automation and analytics in mind:

  • Automating common authentication and password-management tasks, as well as the more urgent tracking-data-gathering and alert-generation tasks, gives you more virtual watchmen and lets you focus on critical, time-sensitive decisions.
  • Analytics is the basis of intelligent security: fast analysis of large volumes of privileged-user transactions can identify patterns of abuse. Analytics gives you more virtual analysts and strengthens your decision-making team.

IBM Security Privileged Identity Manager is designed to provide these capabilities and to integrate them easily into your organization.

The following resources can speed up your learning about Privileged Identity Manager, including an accelerator library of short guides on the product and on the processes involved in privileged identity management.

  • The IBM Security Privileged Identity Manager product site (see Resources): Provides detailed information about the product, plus a whitepaper on the evolution of insider threats, a data sheet on how the product mitigates insider threats, a video that demonstrates how the product enables tracking of privileged users, a link to the latest IBM X-Force Annual Trend and Risk Report, and a webcast that details how to automate privileged user access management.
  • The IBM Security Privileged Identity Manager Information Center (see Resources): A user guide that provides:
    • A list of learning resources (what's new, accessibility features, introductory concepts, quick start and deployment guides, and IBM Redbooks® links)
    • Step-by-step tasks guides (installation and configuration tasks plus troubleshooting documentation)
    • Links to community discussion spaces and IBM support
  • IBM Security Privileged Identity Manager on developerWorks (see Resources): Part of the accelerator library, this wiki offers a list of how-to guides that demonstrate:
    • Installation and configuration for Privileged Identity Manager deployment
    • Implementation of a pool of delegated administrators or help desk users who can access privileged IDs
    • Implementation details for application administrators who need ad-hoc privileged access
    • Implementation details for admins who need to access emergency privileged IDs
    • Implementation details for applications or cron jobs that need access to privileged IDs
    • Implementation details for multiple network admins who need to share a single superuser account on a network device
    • How to automatically remove users from a role
    • How to automatically reset passwords for shared accounts
  • The Privileged Identity Accelerator wiki (see Resources): Offers details about IAM Business Value Accelerators targeted at IBM Security Privileged Identity Manager deployment scenarios. It provides links to the guides listed in the previous entry plus video demonstrations for some of them.
  • IAM Business Value Accelerators community (see Resources): In addition to offering a portal to Privileged Identity Manager accelerator resources, it links you to accelerator resources for IBM cloud, mobile, and compliance and governance products and processes.

Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, or use a product in a cloud environment.


  • Get involved in the developerWorks Community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.

