It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account Discovery job workflow.
To add an Account Discovery job
- Navigate to Asset Management > Discovery > Accounts.
- Click New Account Discovery Job to open the New Account Discovery Job dialog.
- On the General tab, enter the following information:
-
On the Information tab, enter the following information:
-
Discovery Type: Select the platform. Make sure the Discovery Type is valid for the assets associated with the partition selected on the General tab.
-
Discover Services: (For Windows accounts only and deselected by default) Select this check box so that when the discovery job is run, services are discovered.
If Discover Services is selected, the Automatically Configure Dependent Systems check box is also available. Select this check box so that any directory accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. Once dependencies are found they can only be removed manually from Account Dependencies tab (asset).
-
The Account Discovery Rules tab is only available after an account discovery job has been created. For more information, see Adding an Account Discovery rule.
- On the Schedule tab, enter the following information:
-
Select a time frame:
- Never: The job will not run according to a set schedule. You can still manually run the job.
- Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
-
Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.
-
Days: The job runs on the frequency of days and the time you enter.
For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.
-
Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
-
Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.
-
Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Run Every 10/Minutes and set Use Time Windows:
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.
If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.
-
Click OK.
-
Select the assets to which the account discovery rule applies using one of these approaches:
Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.
You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or if the account is in a organizational unit (OU) in Active Directory.
NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.
For Windows and Directory, the search terms is contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.
All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.
To add an Account Discovery rule
- Navigate to Asset Management > Discovery > Accounts.
- Select an existing account discovery job, and click View Details.
- On the Account Discovery Rules tab, click Edit.
- Click Add to open the New Account Discovery Rule dialog.
- Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
-
Find By: Select one of the types of search below.
If the Discovery Type on the previous Account Discovery dialog is Windows or Unix, you can search by Constraints or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
- Name: Select this option to search by account name.
- For a regular search (not directory), in Contains enter the characters to search.
- If you are searching a directory:
- Select Start With or Contains and enter the characters used to search subset within the forest.
When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
- Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
- Select Include objects from sub containers to include sub containers in the search.
- Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
- Group: Select this option to search by group name.
- Constraints: Select this option to search for accounts based on an account's property. Available Unix properties are GID, UID, Name, and Group. Available Windows and Directory properties are RID, GID, UID, Name, and Group. All are limited to 255 numeric characters.
IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.
-
Selections:
- RID (ranges): RID property only applies to Windows and Microsoft Active Directory. Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1000 followed by a space, then type in 5000-7000.
-
GID (ranges): Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 8 followed by a space, then type in 10-12.
-
UID (ranges): Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1 followed by a space, then type in 5-7.
-
Name (RegEx): Using Name (RegEx) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.
-
Group (RegEx): Using Group (RegEx) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.
- If you are searching a directory:
- Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
- To include sub containers in your search, select Include objects from sub containers.
- Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
- Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password then enter the password.
- Password Sync Group: Click Browse to select a password sync group to control validation and reset across all associated accounts. You can also use Add to add a new sync group. See: Password sync groups.
- Password Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a password profile to identify the configuration settings for the discovered accounts. You can also use New Profile to add a new password profile. For more information, see Password Profiles tab (partitions).
-
Set default password: If Set default password is selected, the password you enter is a placeholder for the discovered asset until the password is changed for the first time on the asset. If Set default password is not selected, no password is stored until the password is changed for the first time on the asset. If the account is requested before the password is changed, an error may result.
The default password is set in Safeguard for Privileged Passwords but not on the asset.
NOTE: If an Account Discovery Rule is configured to set a password, and a password profile (selected via the Assign to Password Profile option) is also configured to automatically change passwords, the change password schedule takes precedence and the account will have its password changed upon discovery.
- SSH Key Sync Group: Click Browse to select the SSH key sync group. For more information, see SSH Key Sync Groups settings.
- SSH Key Profile: If a profile was not automatically assigned for a sync group, cFor more information, see SSH Key Profiles tab (partitions).
-
Set default SSH Key: Select to set a default SSH key. On the Import an SSH Key dialog, you can import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.
When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to login to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.
NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.
-
Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
- Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.
- Enable SSH Key Request: This check box is selected by default, indicating that SSH key release requests are enabled for this account. Clear this option to prevent someone from requesting the SSH key for this account. By default, a user can request the SSH key for any account in the scope of the entitlements in which they are an authorized user.
-
Enable API Key Request: This check box is selected by default, indicating that API key release requests are enabled for this account. Clear this option to prevent someone from requesting the API key for this account. By default, a user can request the API key for any account in the scope of the entitlements in which they are an authorized user.
- (For directory accounts only) Available for use across all partitions (Global Access): When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
- Tags: This tab allows you to select tags or add new tags with rules.
- Click Apply.
- Click OK to save the Account Discovery job.
You can delete an Asset Discovery job.
To delete an Account Discovery job
- Navigate to Asset Management > Discovery > Accounts.
- Select an Account Discovery job.
- Click Delete to delete the selected Account Discovery job.
- Click Yes.
You can view the results of running one or more Account Discovery jobs. To see the results of discoveries, see Discovered Accounts
To view Account Discovery results
- Navigate to Asset Management > Discovery > Accounts (add or edit a Account Discovery job).
- On the Account Discovery Results tab:
- Select the time frame of the completed jobs you want to display which ranges from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
- Click Refresh to refresh the results.
- View the following information displays for each job:
- Date/Time: The most recent date the Account Discovery job successfully ran.
- User: The user who ran the job or Automated System, if the job is run on an automated schedule.
- Event: The outcome of running the Account Discovery job event, which may be Account Discovery Succeeded, Account Discovery Failed, or Account Discovery Started.
- Asset: The asset which is associated with the Account Discovery job.
- Partition: The partition in which the discovered accounts will be managed.
- Profile: The profile which will govern the discovered accounts.
- Appliance: The name of the Safeguard for Privileged Passwords Appliance.
- # Accounts: The number of accounts found during the discovery job; click to view details.