Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Passwords 6.9 - Evaluation Guide

Exercise 3: Testing priorities

To determine which policy to use for a password release, Safeguard for Privileged Passwords considers both entitlement and policy priorities. Safeguard for Privileged Passwords first considers the entitlement priority, then the priorities of policies within that entitlement.

Test: Entitlement priorities

To test entitlement priorities, an account must be governed by two different entitlements.

  1. In the desktop client, as PolicyAdmin, navigate to Entitlements.
  2. Verify that the Linux Password Requests entitlement is priority #1.

    NOTE: Safeguard for Privileged Passwords displays the priority number under the entitlement name.

  3. In Account Groups, add the Windows account to the Linux Servers Accounts group.
  4. As Joe, request a password for the Windows account, for Sunday at 9:00 a.m.
    • Are Reasons and a Comment required? If so, then you know that Safeguard for Privileged Passwords used the entitlement; the Windows Password Requests entitlement does not require Reasons or Comments.
    • Did the Time Restriction prevent you from checking out this password? The Linux Password Requests entitlement only allows you to check out passwords Monday through Friday, from 8:00 a.m. to 5:00 p.m.
  5. Cancel the request.
  6. As PolicyAdmin, change the priority of these entitlements, making the Windows Password Requests priority #1, and run through this test again to see if you get different results.
    • Are Reasons and a Comment required? If not, then you know that Safeguard for Privileged Passwords used the Windows Password Requests entitlement as it does not require Reasons or Comments.
    • Did the Time Restriction prevent you from checking out this password? The Weekday Maintenance Policy only allows you to check out passwords Monday through Friday, from 8:00 a.m. to 5:00 p.m.
  7. Before you leave this test, change the priority back and remove the Windows account from the Linux Servers Accounts group.

Test: Policy priorities

To test policy priorities, an account must be in the scope of two policies within the same entitlement.

  1. Log in as PolicyAdmin and navigate to Administrative Tools.
  2. In Entitlements, add this new policy to the Windows Password Requests entitlement:

    General tab:

    • Policy Name: Sunday Maintenance Policy.
    • Description: The rules that define the request, approval, and review of password requests for the Windows Server Accounts on Sundays.
    • Access Type: Password Release

    Scope tab:

    • Windows Server Accounts group

    Requester tab:

    • Select all Reasons.
    • Require a Reason.
    • Require a Comment.
    • Select the Allow Requester to Change Duration option.

    Approver tab:

    • Require one person to approve a password request, then select the Abe account.

    Reviewer tab:

    • Require one person to review a past password release, then select the Ralph account.

    Access Config tab:

    • Ensure access type is Password Release
    • Select the Change password after Check-in check box.

    Time Restrictions tab:

    • Allow users to check out passwords only on Sunday.

    Emergency tab:

    • Enable Emergency Access.
  3. Verify that the Weekday Maintenance Policy is priority #1.
  4. As Joe, request a password for the Windows account, for Sunday at 9:00 a.m.
    • Are you required to add a Reason for your password request?

      If not, then you know Safeguard for Privileged Passwords used the Weekday Maintenance Policy which does not have Reasons or Comments enabled.

    • Did the Time Restrictions prevent you from checking out this password?

      The Weekday Maintenance Policy does not permit you to request a password on Sunday.

  5. Cancel the request.
  6. As PolicyAdmin, change the priority of these policies, making the Sunday Maintenance Policy priority #1, and run through this test again to see if you get different results.
    • Are you required to add a Reason for your password request?

      If so, then you know Safeguard for Privileged Passwords used the Sunday Maintenance Policy; the Weekday Maintenance Policy does not have Reasons or Comments enabled.

    • Did the Time Restrictions prevent you from checking out this password?

      The Sunday Maintenance Policy permits you to request a password on Sunday.

  7. Before you leave this test, change the policy priority back.
  8. Cancel the request and log out.

Auditing exercises

Now that you have performed some password request activities, you can audit the transaction data.

The appliance records all activities performed within Safeguard for Privileged Passwords. Any administrator has access to the audit log information; however, your administrator permission set determines what audit data you can access.

Safeguard for Privileged Passwords provides several ways to audit transaction activity:

  • Password Archive: Where you access a previous password for an account for a specific date.
  • SSH Key Archive: Where you access a previous SSH key for an account for a specific date.
  • Check and Change Log: Where you view an account's password and SSH key validation and reset history.
  • History: Where you view the details of each operation that has affected the selected item.
  • Activity Center: Where you can search for and review any activity for a specific time frame.
  • Work flow: Where you can audit the transactions performed as part of the workflow process from request to approval to review for a specific access request.
  • Reports: Where you can view and export entitlement reports that show you which assets and accounts a selected user is authorized to access.

The exercises in this section demonstrate Safeguard for Privileged Passwords's auditing capabilities. But before we start, let's create some password check and change activity.

These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords auditing features.

Exercise 1: Creating audit data

By following these steps, you will add some password check and change history to Safeguard for Privileged Passwords's audit log and you will learn how to manually verify and reset account passwords.

To perform password check and change activity

  1. Log in as AssetAdmin and navigate to Administrative Tools.
  2. In Accounts, select an account.
  3. Open the Account Security menu and notice the options: Check Password, Change Password, and Set Password using the Manual Password option.

    NOTE: These same options are available from an account's context menu.

  4. Check the password for the account.

    NOTE: The Tasks pane opens when you start a task. You can resize your desktop client console so that the Tasks pane is not covering the Administrative Tools.

    The "Check" option verifies the account password is synchronized with the Safeguard for Privileged Passwords database; this action should succeed.

    TIP: If Check Password fails, run Check Asset from the context menu of the asset to ensure that Safeguard for Privileged Passwords can communicate with it. Then retry the Check Password option on the account.

  5. Set the password for the account to Mypass01 using the Manual Password option.

    The Manual Password option manually sets the account password in the Safeguard for Privileged Passwords database; not on the appliance; so now they are not in sync.

  6. Check the password for the account.

    The Check option should fail because the account password is not in sync with the Safeguard for Privileged Passwords database.

  7. Change the password for the account.

    The Change option creates a new account password and synchronizes it on the Safeguard for Privileged Passwords database.

  8. Check the password for the account again.

    This task should now be successful.

Stay logged in as the AssetAdmin for the next exercise.

Exercise 2: Accessing the Password Archive

Password Archive allows you to access a previous password for an account for a specific date.

NOTE: The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset.

To access an account's previous password

  1. In Accounts, select the account you have been working with.
  2. Click Password Archive from the toolbar.
  3. In the Password Archive dialog, select today's (or a previous) date.

    TIP: If no entries are returned, this indicates that the asset is still using the current password.

  4. In the View column, click to display the password for the specified date.
  5. Either Copy the password, or click OK to close the dialog.
  6. Close Password Archive to return to Accounts.

Stay logged in as the AssetAdmin for the next exercise.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen