Chat now with support
Chat mit Support

Safeguard Remote Access Hosted - Administration Guide

Introduction Prerequisites Limitations Getting started Administrator-side use cases User-side use cases Appendix Glossary

Adding a new connection to an existing target server

Each target server can serve multiple connections. Connections consist of two elements:

  • an asset (which is the target server itself)

  • and an account (which is the Azure Active Directory account).

You can group these connections based on various attributes, such as the applied protocol (RDP, SSH or TELNET), the SPS connection policy name, or the address of the target server.

To add a new connection to an existing target server

  1. On the Connections page, Click New Connection.

    Figure 16: Connections > New Connection > Add new user to target server - Adding a new connection

  2. The Add new user to target server side sheet is split into two sections as connections comprise of assets and accounts. For Asset configuration:

    1. Specify the address of the target server that you want to access,

    2. Specify the access protocol of the new connection (for example, SSH, RDP or TELNET),

    3. Select a policy for this connection. To configure a policy in One Identity Safeguard for Privileged Sessions (SPS), navigate to Policies.

  3. For Account configuration, specify a username and optionally a domain name to log in to this asset.

  4. Click Create.

Configuring maximum client resolution

Configuring client resolution correctly results in a better stream quality.

NOTE: A higher client resolution results in higher network traffic load.

To configure maximum client resolution

  1. Click (Settings) and select Safeguard Remote Access Settings.

  2. Find Select maximum client resolution.

  3. Select the preferred client resolution.

    The default value is 1024x768.

NOTE: If the administrator sets a client resolution as maximum, that means that the user is free to select any of the available client resolutions up until the maximum resolution. For example, if the maximum client resolution is set to 1280x720, the user can still set the client resolution to 1024x768, but cannot set it higher than 1280x720.

Adding Azure Active Directory users directly

To allow your users to access specific servers through One Identity Safeguard Remote Access (SRA), add them to selected Azure Active Directory (AAD) groups. Adding AAD users directly to SRA simplifies the onboarding workflow, as there is no need to set up a One Identity Starling account.

With this approach, employees within an organization can visit, provide their AAD username and password and/or other credentials, and gain access to SRA connections permitted to them based on their group membership.


  • The employees of the organization are provisioned in AAD.

  • There is a user with Administrator role in that AAD. The Administrator must consent to One Identity Starling having read-only access to AAD, specifically to:

    • Read all users' full profiles

    • Read all groups

    • Sign in and read user profile

Figure 17: Allow One Identity Starling to have access to your Azure Active Directory user groups

To add Azure Active Directory users directly

  1. Log into One Identity Starling ( as an Organization-administrator and also as an Azure Active Directory Administrator.

  2. Click (Settings) and manage Directory Services.

  3. Click Register Directory and follow the instructions.

  4. Go to SRA and start setting up connections with role assignments. For more information, see Granting connection access to AAD users.

  5. Enable the role-based access control (RBAC) functionality. For more information, see Enabling role-based access control.

Granting connection access to AAD users

Use role assignment to organize your users and resources into groups based on access rights.

There are two ways to access One Identity Safeguard Remote Access (SRA):

  • When you are an Administrator, you can access SRA with a One Identity Starling account.

  • When you are a User, you can access either via your One Identity Starling account and with a User role, or enter with an Azure Active Directory (AAD) user account directly (as if you were a One Identity Starling user).

Access can be granted only to AAD groups, not to individual users. This can be achieved by assigning the Access role to AAD groups over connections. When a user logs in with AAD directly, SRA looks up their group memberships and lists only those connections where the Access role was assigned to one of the user's groups.

NOTE: Role-based access control is possible only when users log in with their AAD user account directly. When users log in with their One Identity Starling account, all connections are available for connecting.

Figure 18: Role assignment - organizing user and resource groups

To assign the Access role to a new group

  1. Navigate to the Connections page and click the (Options) on the connection card.

  2. Select Role assignment. The Edit access for <IP-address-of-target-server> side sheet will open on the right. The Access field displays all groups that have access to that connection.

  3. Click Add new group. A side sheet will open.

  4. Start typing a group name in the Group name search bar to find the groups you want to grant access rights to this connection. The search results will appear as you type (for example Group name, Group ID, Tenant ID). The search expression works both for a whole or a partial group name. You can select up to 15 groups.

    Figure 19: Connection tile > > Role assignment > Add new group — Finding your groups

    Figure 20: Connection tile > > Role assignment > Add new group — Adding a new group

  5. Click Select.

To remove role assignment for a group

  1. Find the group whose role assignment you want to remove and click the trashbin icon next to it. A confirmation dialog will appear.

  2. Confirm your delete request.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen