Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Passwords 6.7.4 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Adding an SSH Key Discovery job

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs SSH key discovery. For more information, see SSH Key Discovery job workflow.

To add an SSH Key Discovery job

  1. Navigate to Administrative Tools | Discovery | SSH Key Discovery.
  2. Click  Add to open the SSH Key Discovery dialog.
  3. Provide the following:
    1. Partition: Browse to select a partition.

    2. Name: Enter a name for the account discovery job. Limit: 50 characters.

    3. Description: Enter descriptive text about the SSH Key Discovery job. Limit: 255 characters

    4. To identify when to Discover SSH Key, click the link or click the Schedule button to view or change the schedule.

    5. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

      • Configure the following.

        To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

        Enter a frequency for Backup Every. Then, select a the time frame:

        • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.

        • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

        • Days: The job runs on the frequency of days and the time you enter.

          For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

        • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

          For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

        • Months: The job runs on the frequency of months at the time and on the day you specify.

          For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

      • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

        For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

        Enter Every 10 Minutes and Use Time Windows:

        • Start 10:00:00 PM and End 11:59:00 AM

        • Start 12:00:00 AM and End 2:00:00 AM

          An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

        If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

        For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

        For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

      • (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.

      If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

  4. Click OK.

SSH Key Discovery Results

You can view the results of running one or more SSH Key Discovery jobs. To see the results of discoveries, see Discovered SSH Keys

  1. Navigate to Administrative Tools | Discovery and click the SSH Key Discovery Results tile.
  2. On the SSH Key Discovery Results grid:
    • Select the time frame of the completed jobs you want to display which ranges from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
    • Click Refresh to refresh the results.
  3. To display what you want in the grid, click Search and enter the character string to be used to search for a match. For more information, see Search box.
  4. View the following information displays for each job:

    • User: The user who ran the job or Automated System, if the job is run on an automated schedule

    • Date: The most recent date the SSH Key Discovery job successfully ran
    • Asset: The asset which is associated with the SSH Key Discovery job
    • Account: The account which is associated with the SSH Key Discovery job
    • Event: The outcome of running the SSH Key Discovery job event, which may be SSH Key Discovery Succeeded, SSH Key Discovery Failed, or SSH Key Discovery Started
    • Partition: The partition in which the discovered SSH keys will be managed
    • SSH Key Profile: The profile which will govern the discovered SSH keys
    • Appliance: The name of the Safeguard for Privileged Passwords Appliance
    • # SSH Keys Found: The number of SSH Keys found during the discovery job; click to view details
  5. For additional detail on an SSH Key Discovery job result, double-click the result row to view the SSH Key Discovery Results pop-up window. On this window, click # of Keys Found to see a list of the accounts.

Discovered SSH Keys

You can view the results of all SSH Key Discovery jobs that have ever run in a partition (in other words, all SSH keys ever discovered) and choose to manage or ignore the SSH keys.

SSH keys created display as managed SSH keys in the Discovered SSH Keys properties grid (see below).

Navigate to Administrative Tools | Discovery | Discovered SSH Keys tile.

Use these toolbar buttons to manage the discovered accounts.

Table 88: Discovery: Discovered SSH Keys toolbar
Option Description

Partition

Select the partition for the SSH key discovery.

Refresh

Retrieve and display an updated list of discovered SSH keys. Ignored SSH keys are not displayed if Hide Ignored is selected.

Search

Enter the character string to be used to search for a match. For more information, see Search box.

The following information displays.

Table 89: Discovery: Discovered SSH Keys properties grid
Property Description

Fingerprint

The fingerprint of the SSH key used for authentication.

Comment

Free form comment.

Key Type

The SSH authentication key type, such as RSA and DSA. For more information, see SSH Key Management settings.

Key Length

The supported RSA or DSA key length displays. For more information, see SSH Key Management settings.

Asset Name

The name of the asset where the SSH key was discovered.

Account

The name of the account where the SSH key was discovered.

Account Status

The status of the Safeguard account. If Safeguard manages the account, the value is Managed. If the account is disabled, the value is blank.

The Account Status column is controlled by the Manage and Ignore buttons on the Discovered Accounts grid. For more information, see Discovered Accounts.

SSH Key Profile

The name of the SSH key profile that governs the accounts assigned to a partition.

SSH Key Managed

Ignored means the SSH key will not show up in the grid. In other words, the SSH key is hidden. This is controlled by these actions at the top of the grid:

Manage

Ignore

Date/Time Discovered

The date and time when the SSH key was discovered.

Entitlements

A Safeguard for Privileged Passwords entitlement is a set of access request policies that restrict system access to authorized users. Typically, you create entitlements for various job functions; that is, you assign permissions to perform certain operations to specific roles such as Help Desk Administrator, Unix Administrator, or Oracle Administrator. Password and SSH key release entitlements consist of users, user groups, and access request policies. Session access request entitlements consist of users, user groups, assets, asset groups, and access request policies.

The Auditor and the Security Policy Administrator have permission to access Entitlements. An administrator creates an entitlement then creates one or more access request policies associated with the entitlement, and finally add users or user groups.

Go to  Administrative Tools and click Entitlements. The Entitlements view displays.

If there are one or more invalid or expired policies, a Warning and message like Entitlement contains at least one invalid policy. displays. Go to the Access Request Policy tab to identify the invalid policy. For more information, see Access Request Policies tab.

The following information displays about the selected entitlement:

  • General tab: Displays the general and time restriction settings information for the selected entitlement.
  • Users tab: Displays the user groups or users who are authorized to request access to the accounts or assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a Safeguard for Privileged Sessions join and was assigned and used by a Sessions Appliance. The certificate users created during the join can be added to the Users tab but are not there by default.
  • Access Request Policies tab: Displays the access request policies that govern the accounts or assets in the selected entitlement, including session access policies.
  • History tab: Displays the details of each operation that has affected the selected entitlement.

Use these toolbar buttons to manage entitlements.

Related Topics

Adding an entitlement

Modifying an entitlement

Creating an access request policy

Modifying an access request policy

Deleting an access request policy

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen