Skip to main content

PAM Inventory & Reconciliation

The PAM Inventory module manages your PAM tool's account inventory and reconciles it against the privileged accounts OrbisID discovers through scanning.

PAM Accounts

Navigate to PAM Inventory to manage PAM account records.

What is a PAM Account?

A PAM account is a record imported from your PAM tool (CyberArk, BeyondTrust, Delinea, etc.) that represents an account managed in that tool. OrbisID compares these records against its discovered accounts to find gaps.

Adding PAM Accounts

Manual Entry

  1. Click Add PAM Account
  2. Fill in the details:
FieldRequiredDescription
Account NameYesThe account name as it appears in the PAM tool
PAM ToolYesWhich PAM solution manages this account
Safe / ContainerNoThe PAM tool's grouping (e.g., CyberArk Safe name)
SystemNoThe target system this PAM account is for
StatusYesActive, Disabled, or Pending
  1. Click Save

CSV Import

  1. Click Import CSV
  2. Download the template for the correct column format
  3. Configure column mappings if your CSV has different column names
  4. Upload the file and review the preview
  5. Click Import

Live Scan (CyberArk, BeyondTrust, Bravura Privilege, Delinea, Senhasegura)

These five connectors can feed PAM Inventory directly from a live scan instead of a manual CSV import. On the Systems page, set the target system's System Type to PAM Platform and each scan will upsert PAM Account records automatically. Setting System Type to Application instead lists the same system's access on the normal Accounts and Entitlements pages — the two modes are mutually exclusive per system. All other PAM-classified connectors (Wallix Bastion, ARCON PAM, One Identity Safeguard, Teleport, HashiCorp Vault, Delinea Privilege Manager) always feed Accounts/Entitlements, since they scan console/admin users rather than vaulted credentials.

PAM Account Statistics

The statistics bar shows:

MetricDescription
TotalAll PAM account records
ActiveCurrently active in the PAM tool
MatchedSuccessfully matched to a discovered account
UnmatchedNot yet matched

Reconciliation

Navigate to PAM Inventory > Reconciliation to compare your PAM inventory against discovered accounts.

PAM Reconciliation

Running Reconciliation

  1. Click Run Reconciliation
  2. OrbisID compares every discovered privileged account against the PAM inventory
  3. Results are categorised into statuses (see below)

Reconciliation Statuses

StatusMeaningAction Required
MatchedThe discovered account has a corresponding PAM accountNone - account is managed
UnmanagedThe discovered account is privileged but has no PAM accountOnboard to PAM tool
PAM OnlyThe PAM account exists but no matching account was discoveredInvestigate - may be stale
ExcludedManually excluded from reconciliationReview periodically

Understanding the Results

Linking PAM Accounts

Sometimes a discovered account and a PAM account don't match automatically because of naming differences (e.g., DOMAIN\admin vs admin@domain.com). You can manually link them:

  1. Find an unmatched account
  2. Click Link
  3. Search for the corresponding PAM account
  4. Confirm the link

Bulk linking is also available for linking multiple accounts at once.

Excluding Accounts

To exclude an account from reconciliation (e.g., a known exception):

  1. Select the account
  2. Click Exclude

Excluded accounts will not appear as "Unmanaged" in future reconciliation runs.

Privileged Access Attestation

Navigate to PAM Inventory > Attestations to have System Owners formally confirm which of their system's entitlements grant privileged access. A System Owner answers a short Yes/No questionnaire via a secure emailed link (no OrbisID login required), and their answers directly update each entitlement's Privileged flag.

How It Works

An attestation request can be triggered three ways:

TriggerWho / WhatScope
On-DemandAn Administrator or IAM Governance Manager selects systems and sends requests manuallyAll active entitlements on the system
ScheduledAn Attestation Reminder scan policy sweeps its assigned systems for due attestations (see Scanning > Policy Types)All active entitlements on the system
New EntitlementFires automatically when a scan discovers a brand-new entitlement, if the system has Notify on new Entitlement enabledJust the newly discovered entitlement

A System Owner must be assigned to a system (see Systems > System Owner & Attestation) before any attestation can be sent, and periodic attestation must be explicitly enabled per system.

Global Configuration (Administrator)

Go to the Configuration tab (Administrator role required) to set organisation-wide attestation settings:

FieldDescription
Privileged Access DefinitionFree-text explanation of what constitutes privileged access in your organisation. Shown to the System Owner at the start of every questionnaire.
Privileged DeterminationWhether an entitlement is marked Privileged if the owner answers Yes to any question, or only if they answer Yes to all questions.
Link Expiry (days)How many days an attestation link remains valid before it expires.
Attestation QuestionsThe Yes/No question bank asked for every entitlement on every questionnaire. Add, edit, reorder, or disable questions. A question that has already been answered on a submitted attestation cannot be deleted — disable it instead to preserve history.

Sending On-Demand Requests

Administrators and IAM Governance Managers can trigger attestation outside the regular schedule:

  1. Go to the Review tab
  2. Select one or more systems (each must have a System Owner assigned)
  3. Click Send On-Demand Request

Reviewing Status

The Review tab lists every system with attestation enabled:

StatusMeaning
CurrentAttestation has been completed within the configured period
DueNever completed, or the configured period has elapsed since the last completion
Awaiting OwnerA request has been sent and is still outstanding (not yet submitted or expired)
No OwnerAttestation is enabled but the system's owner has since been removed
Not ConfiguredAttestation is not enabled for this system

Click a system row to open its full attestation history — every request ever sent, who it went to, when it was sent, when (or whether) it was submitted, and whether it has expired.

The System Owner's Experience

When a System Owner receives an attestation email, they follow the secure link (no login required) to a page that:

  1. Shows the organisation's Privileged Access Definition
  2. Lists every entitlement in scope, each with the configured Yes/No questions
  3. Requires answering every question for every entitlement before submitting
  4. Requires ticking a confirmation checkbox that the information provided is correct

On submit, each entitlement's Privileged flag is set according to the configured determination mode (any-yes or all-yes), and the change cascades to inherited entitlements the same way a manual privilege override does. A link can only be submitted once.