NetIQ PAM lineage
Two decades of regulated-IAM deployment. Established case law in financial services, government, and Fortune 500 PAM programs.
OpenText • Identity and access management
OpenText Privileged Access Manager
OpenText Privileged Access Manager carries the NetIQ Privileged Account Manager lineage with credential vaulting, session recording, just-in-time elevation, and audit-ready evidence for regulated programs running heterogeneous server, database, and infrastructure access.
A Merito PAM engagement inventories the customer's actual privileged-account landscape, sequences vault deployment by use case (interactive admin first, service accounts second, application accounts third), and wires session recording, JIT elevation, and OpenText IAM line integration so PAM rolls out without breaking critical workflows.
- Best for
- Identity security architects designing PAM for regulated environments, IAM leaders modernizing legacy NetIQ Privileged Account Manager, Compliance leaders subject to privileged-access audit mandates (SOX, HIPAA, PCI DSS)
- Hosting
- Hybrid
- Time to value
- First privileged-account scope live in four to eight weeks. Session recording and JIT elevation live in eight to twelve weeks. Enterprise rollout typically runs six to twelve months.
- Security posture
- GDPR, HIPAA-aligned design, PCI DSS-aligned design
- Last reviewed
- 2026-04-26
What it is
OpenText Privileged Access Manager in the enterprise stack
OpenText Privileged Access Manager carries the NetIQ Privileged Account Manager lineage. PAM-shaped products solve a specific governance problem: privileged accounts (root, sa, Administrator, service accounts, application accounts) carry the highest impact when compromised, and traditional access-management approaches do not handle their lifecycle well. NetIQ has been doing PAM in regulated environments for two decades, and the engine covers vaulting, session recording, just-in-time elevation, and audit-evidence packaging.
Vaulting is the load-bearing capability. Privileged credentials get stored in the vault, rotated on a configurable cadence, and checked out by authorized users for specific sessions. Programs that rely on shared password lists or static service-account passwords find that credential rotation is impossible, audit evidence does not exist, and lateral-movement attacks succeed. Vaulting closes that gap: credentials rotate automatically, every checkout is logged, and the SOC has a clear forensic trail.
Session recording is the second capability that pays back during incidents. Privileged sessions (RDP into a domain controller, SSH into a database server, console access to a router) get recorded as video and metadata. When an incident happens, the IR team has a recording of exactly what the privileged user did. Without session recording, IR reconstructs from logs that may or may not be complete; with it, the evidence is direct.
What derails PAM adoption is operational scope creep. Programs that try to put every privileged account into the vault on day one find that their critical workflows break (DBAs cannot reset passwords automatically, automation pipelines lose their service-account access, scheduled jobs fail). The right pattern is to scope by use case (interactive admin sessions first, service accounts second, application accounts third) and sequence the rollout. Merito's engagement scopes by use case and treats the operating-model design as central work in the implementation.
Ideal use cases
- Privileged credential vaulting and rotation across heterogeneous infrastructure
- Session recording for regulated privileged sessions
- Just-in-time privileged elevation for sensitive operations
- Service-account and application-account credential management
- NetIQ Privileged Account Manager modernization
What it is best at
Where OpenText Privileged Access Manager earns its seat
Heterogeneous infrastructure coverage
Windows, Linux, Unix, mainframe, network devices, databases, cloud infrastructure. Programs running mixed environments get one PAM.
Session recording with metadata
Recorded privileged sessions paired with metadata logs for IR-grade forensic evidence.
Native pairing with the OpenText IAM line
Identity Manager provisioning, Identity Governance access reviews, and Access Manager SSO integrate with PAM-managed entitlements.
Just-in-time elevation
Time-bounded privileged access with auditable approval workflows. Programs avoid standing privileged access where it is not needed.
Core capabilities
OpenText Privileged Access Manager capabilities, grouped by outcome
Vaulting and rotation
Where PAM does the work on privileged credentials.
Credential vault
Centralized vault for privileged credentials with configurable rotation cadence and access policy.
Automated rotation
Programmatic credential rotation across Windows, Linux, Unix, databases, network devices, and cloud infrastructure.
Service-account management
Service-account and application-account credential management with automated rotation and consumer-aware updates.
Cloud privileged credentials
AWS IAM, Azure privileged identity, GCP service accounts, and other cloud privileged credential management.
Session management
Privileged sessions with recording and policy.
Session recording
Recorded RDP, SSH, console, and database sessions with searchable metadata.
Just-in-time elevation
Time-bounded privileged access with auditable approval workflows.
Live session monitoring
Real-time monitoring of active privileged sessions with intervention capability.
Command policy
Configurable command-allow and command-deny policies on privileged sessions.
Integration and audit
PAM inside the OpenText IAM line and the SOC.
OpenText IAM line integration
Identity Manager, Identity Governance, and Access Manager integration for coordinated privileged identity.
SIEM integration
Privileged-session events feed Core Threat Detection and Response and Enterprise Security Manager.
UEBA enrichment
Privileged-account behavioral analytics through Core Behavioral Signals.
Compliance reporting
Audit-ready evidence for SOX, HIPAA, PCI DSS, and regulated privileged-access mandates.
Where it fits in the stack
How OpenText Privileged Access Manager connects to the rest of your landscape
OpenText IAM and SecOps lines (native)
Native- OpenText Identity ManagerProvisioning into PAM-managed accounts.
- OpenText Identity GovernanceAccess reviews and SOD on privileged entitlements.
- OpenText Access ManagerSSO into PAM-managed sessions.
- OpenText Core Threat Detection and ResponsePrivileged-session events feed SaaS SIEM detections.
- OpenText Core Behavioral SignalsPrivileged-account behavioral analytics.
Infrastructure ecosystems (certified)
Certified- Windows, Linux, Unix, AIX, mainframeOS-level privileged credential and session management.
- Oracle, SQL Server, DB2, PostgreSQL, MySQLDatabase privileged credential and session management.
- Network devices (Cisco, Juniper, Palo Alto)Network-device console and privileged-access management.
- AWS, Azure, GCPCloud privileged-credential management.
Custom integrations
Custom- Internal applications and proprietary systemsCustom credential management for non-standard systems.
- DevOps automation and CI/CD pipelinesService-account credential delivery for automation pipelines.
- Federal compliance reportingFederal-aligned privileged-access compliance evidence.
Deployment and implementation
How it rolls out
- Hosting
- Hybrid (North America, EMEA, APJ)
- Implementation complexity
- High
- Typical time to value
- First privileged-account scope live in four to eight weeks. Session recording and JIT elevation live in eight to twelve weeks. Enterprise rollout typically runs six to twelve months.
- Prerequisites
- Privileged-account inventory and risk-tier definitions
- Named identity security and infrastructure operations owners
- Use-case scope (interactive sessions, service accounts, application accounts)
- Operating-model decision (in-house vs. partner-managed)
- Compliance-evidence requirements
- What Merito usually handles
- OpenText Privileged Access Manager runs on-prem, hybrid, or BYOC. Merito handles privileged-account inventory, vault deployment, session recording configuration, JIT elevation policy, and operating-model design.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Privileged Access Manager is licensed by privileged-account count, session volume, and deployment shape (on-prem, hybrid, BYOC). Pricing depends on coverage breadth and session-recording scope. License acquisition flows through Merito; the PAM program is scoped under a separate engagement.
- Editions and modules
Privileged Access Manager
Standard edition with vaulting, session recording, and JIT elevation.
Best for: Regulated programs running NetIQ-shaped privileged-access governance.
Privileged Access Manager with NetIQ Identity Manager
Bundled with Identity Manager for coordinated privileged identity lifecycle.
Best for: Programs running coordinated identity lifecycle and PAM.
- Common expansion areas
- Add Identity Manager for provisioning into PAM-managed accounts
- Add Identity Governance for access reviews on privileged entitlements
- Add Access Manager for SSO into PAM-managed sessions
- Add Core Behavioral Signals for privileged-account behavioral analytics
Merito services
How Merito helps you win with OpenText Privileged Access Manager
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Privileged Access Manager Implementation
Privileged-account inventory, vault deployment, session recording configuration, JIT elevation policy, OpenText IAM line integration, operating-model design.
Explore service02Upgrade and Migration
NetIQ Privileged Account Manager version upgrades and modernization.
Explore service03MAPS Assessment
PAM program scoping for OpenText Privileged Access Manager alongside CyberArk, BeyondTrust, and Delinea.
Explore service04DevOps Consulting
Service-account credential delivery for automation pipelines and DevOps integration.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Privileged Access Manager.
Explore service06Managed Services
Long-term partner-managed run for programs that want OpenText engineering without internal headcount.
Explore service07Training and Enablement
Role-based training for identity security architects, infrastructure operations leads, and compliance teams.
Explore service08Staff Augmentation
Merito-placed identity engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Privileged Access Manager licensing
License the vault. Sequence the rollout by account type. Same engagement.
PAM pricing arrives with privileged-account inventory, vault deployment, session-recording configuration, JIT elevation policy, and OpenText IAM line integration sequenced so the rollout doesn't break the workflows it's meant to protect.
Merito point of view
CyberArk leads PAM market share. NetIQ Privileged Access Manager is competitive in NetIQ-already-deployed customers.
Merito has scoped PAM programs where CyberArk is the right answer (programs picking the market-share leader, programs with cloud-native PAM as the priority) and others where OpenText Privileged Access Manager is the right answer (programs already running NetIQ, programs subject to OpenText catalog consolidation, programs that want PAM integrated with the rest of the NetIQ IAM line). Both decisions are valid; the right one depends on the program shape.
Merito recommends OpenText Privileged Access Manager specifically when the program runs NetIQ Identity Manager, Identity Governance, and Access Manager, or when OpenText IAM consolidation is the buying criterion. For programs picking specialist PAM depth, CyberArk is the market leader and BeyondTrust is competitive on session-recording depth. Merito surfaces those alternatives honestly during scoping.
Sequencing the rollout by use case is the load-bearing operational decision. Programs that try to put every privileged account into the vault on day one break critical workflows. The right pattern is interactive admin sessions first, service accounts second, application accounts third. Merito treats this sequencing as central work in the implementation.
What buyers usually underestimate
- Adopting PAM and trying to vault every account on day one, breaking critical workflows.
- Picking OpenText Privileged Access Manager when CyberArk would fit better for the program shape.
- Skipping session-recording configuration on regulated workloads, leaving IR forensic gaps.
- Treating PAM as standalone instead of integrating with the rest of the OpenText IAM line.
- Migrating off mature CyberArk deployments without an honest assessment of delta value.
Related from Merito
Continue exploring OpenText Privileged Access Manager on Merito
Related solutions
Related services
Related products
- OpenText Identity ManagerIdentity lifecycle and provisioning paired with PAM.
- OpenText Identity GovernanceAccess reviews on privileged entitlements.
- OpenText Access ManagerSSO into PAM-managed sessions.
- OpenText Core Behavioral SignalsPrivileged-account behavioral analytics.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Privileged Access Manager FAQs
Consultation request
Talk to Merito about OpenText Privileged Access Manager
Share your privileged-account landscape, infrastructure mix, and OpenText IAM footprint. A Merito OpenText specialist follows up within one business day.
NetIQ PAM lineage
Two decades of regulated PAM
Established case law in financial services, government, and Fortune 500 PAM programs.
OpenText IAM integration
Coordinated privileged identity
Identity Manager provisioning, Identity Governance access reviews, Access Manager SSO. PAM is not standalone.
Next step
Sequence the rollout. Do not vault every account on day one.
A Merito Privileged Access Manager engagement scopes by use case and sequences the rollout. Programs that try to vault everything at once break critical workflows.