When you delete an account group, Safeguard for Privileged Passwords does not delete the associated accounts.
- Navigate to Administrative Tools | Account Groups.
- In Account Groups, select an account group.
- Click Delete Selected.
- Confirm your request.
- Navigate to Security Policy Management | Account Groups.
- In Account Groups, select an account group from the object list.
- Click Delete.
- Confirm your request.
A Safeguard for Privileged Passwords asset is a computer, server, network device, or application managed by a Safeguard for Privileged Passwords Appliance.
It is the responsibility of the Asset Administrator (or delegated partition owner) to add assets and accounts to Safeguard for Privileged Passwords. The Auditor has permission to access Assets. Account owners also have read permissions for the Properties and Accounts tabs for the assets associated with their account.
Before adding assets to Safeguard for Privileged Passwords, you must ensure they are properly configured. For more information, see Preparing systems for management.
Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted.
All assets must be governed by a profile identified on the General/Properties tab (asset group). All new assets are automatically governed by the default profile unless otherwise specified.
An asset can only be in one partition at a time identified on the General/Properties tab (asset group). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition.
You can identify a default partition and default profile so that when you add assets, the assets are added to the default partition and default profile. For more information, see Setting a default partition.
Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in Safeguard for Privileged Passwords, see Asset Discovery job workflow.
Using a domain controller (DC) asset
You can manage tasks and services on a domain controller (DC) asset. Dependent accounts are managed on the DC asset. A DC asset will only support updating dependent passwords. Account passwords for a domain controller are managed via the directory asset.
- Create the DC asset as windows server platform, using a directory authentication for the connection service account. For more information, see Adding an asset (desktop client) or Adding an asset (web client).
- Ensure that the service account for the task/service you want to manage is defined in the Directory asset. For more information, see Adding an account to an asset.
- Add an account dependency for the service account to the DC asset. For more information, see Adding account dependencies.
Using Check Point GAiA
Passwords and SSH keys can be managed on the Check Point GAiA platform, R76 through R80.30.
In addition to managing user accounts, Safeguard for Privileged Passwords can also manage the password for the Check Point expert command. The expert password appears as a normal user account in Safeguard for Privileged Passwords except that it is marked as a privileged account. This means that it cannot be used as a service account and you cannot generate or install an SSH key for the account.
The minimum requirements for choosing a service account for Check Point follow:
- The service account for Check Point must have CLI access enabled and must have the following RBA features enabled:
- read-write user
- read-only group
- In order to manage the expert password, the service account must also have the following RBA features enabled:
- read-write expert-password-hash
- read-write expert
To manage SSH keys, the service account must have a Unix shell configured as the login shell. If the UID is not 0, then sudo privileges will be required to elevate privileges.
When adding an asset, on the Management tab, you will select Check Point GAiA (SSH) as the Product and the Privileged Account displays expert.
Assets view
To access Assets:
- desktop client: Navigate to Administrative Tools | Assets and select an asset to display additional information and options.
- web client: Navigate to Asset Management | Assets. If needed, you can use the partition drop-down to select the parent partition of the asset. Select an asset, then click to display additional information and options.
The Assets view displays the following information about the selected system. Not all selections will be available for all assets.
Toolbar
Use these toolbar buttons to manage assets:
- Add Asset / New Asset : Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset (desktop client).
- Delete Selected / Delete : Remove the selected asset.
When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.For more information, see Deleting an asset.
- ( web client only) Edit: Select an asset then click this button to open additional information and options for the asset.
- Refresh: Update the list of assets.
- ( desktop client only) Import Assets: Add assets to Safeguard for Privileged Passwords. For more information, see Importing objects.
- Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key.
- Access Request: Allows you to enable or disable access request services for the selected asset. Menu options include Enable Session Request and Disable Session Request.
- Syncronize Now: Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.
- Show Disabled: Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by right-clicking on an asset and selecting Enable-Disable.
- Hide Disabled: Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by right-clicking an asset and selecting Enable-Disable.
On the desktop client, right-click on an asset to use these context menu options. On the web client, these options are located on the toolbar.
- Discover SSH Host Key: This option only applies to assets that exchange SSH host keys, such as Unix-based assets and Linux-based assets. Retrieves the latest SSH host key for the selected asset. The Discover SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not discovered on the asset, certain tasks will not be available for accounts associated with the asset, such as Check System, Check Password, and Change Password.
- Retrieve SSH Host Key: This option only applies to Cisco NX-OS assets, and is used to retrieve the latest SSH host key from the platform. The Retrieve SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not retrieved from the asset, sessions will not be available.
-
Set SSH Host Key: This option allows you to manually add the host key to an asset in cases where Safeguard for Privileged Passwords cannot discover the asset automatically (such as for an Other Directory asset).
- Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key.
- ( desktop client) Check Connection / web client Test Connection: Select to verify that Safeguard for Privileged Passwords can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity.
- Syncronize Now: Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.
- Enable-Disable: Select one of the following:
Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.
Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.
- Access Requests: Select Enable Session Request to allow session requests for the selected asset. Select Disable Session Request to disallow session requests for the selected asset.
- Discover Accounts: Run the associated Account Discovery job. For more information, see Account Discovery.
- ( desktop client only) Discover Services: Run the associated Account Discovery job that has Discovery Services selected. For more information, see Adding an Account Discovery job.
- Delete Selected / Delete : Remove the selected asset from Safeguard for Privileged Passwords. When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.
The General/Properties tab lists information about the selected asset.
To access General/Properties:
- desktop client: Navigate to Administrative Tools | Assets | General.
- web client: Navigate to Asset Management | Assets | (Edit) | Properties.
On the desktop client, large tiles at the top of the tab display the number of Accounts, Account Dependencies (when applicable), objects Owners, Access Request Policies, and Asset Groups associated with the selected asset. Clicking a tile heading opens the corresponding tab.
The following fields display based on the type of asset (for example, Windows, Linux, LDAP, or Active Directory).
Table 42: General tab: General properties
Name |
The asset name. |
Partition |
The name of the partition where the selected asset resides. |
Password Profile |
The name of the profile that manages the asset's accounts.
NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified. |
SSH Key Profile |
The name of the profile that manages the asset's accounts.
NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified. |
License Type |
If applicable (for example, for a Windows asset), indicates your license model, such as System or Desktop. |
Last Successful Account Discovery |
If applicable, the date and time of the last successful Account Discovery job. |
Next Account Discovery |
If applicable, the date and time of the next automated Account Discovery job as set in the Account Discovery job of the profile. See: Creating a password profile and Creating an SSH key profile. |
Directory (directory) |
The name of the directory where the asset was discovered. |
Domain Name (directory) |
The name of the domain where the asset was discovered. |
NetBios Name (directory) |
The NetBios name of the asset that was discovered. |
Distinguished Name (directory) |
The distinguished name of the asset that was discovered. |
Table 43: General tab: Management properties
Product |
The platform of the selected managed system. |
Version |
If applicable, the system version. |
Architecture |
if applicable, the operating system architecture. |
Network Address |
If applicable, the network DNS name or IP address of the managed system. |
Manage Forest (directory) |
If True, the whole forest is managed. |
Forest Root Domain Name (directory) |
The forest root domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain. |
Managed Domains |
If applicable, the managed domains. |
Available for discovery across all partitions |
If True, this asset is read-access available for Asset Discovery jobs beyond partition boundaries. |
Managed Network |
The managed network that is assigned for work load balancing. For more information, see Managed Networks. |
Enable Session Request |
If True, session access requests are enabled for the asset. |
RDP Session Port |
If applicable, the access port on the target server used for RDP session access requests. |
SSH Session Port |
If applicable, the access port on the target sever used for SSH session access requests. |
Telnet Session Port |
If connecting to TN3270 or TN5250, the port for connection. |
Sync additions every [number] minutes |
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the additions or modifications to objects. The date and time of the Last Sync, Last Failure Sync, and Last Success Sync display. The intervals are directory specific. |
Sync deletions every [number] minutes |
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the deletion of objects. The date and time of the Last Delete Sync, Last Failure Delete Sync, and Last Success Delete Sync display. The intervals are directory specific. |
Table 44: General tab: Account Discovery properties
Account Discovery |
Account discovery identifier. |
Last Successful Account Discovery |
The date and time of the last successful account discovery. |
Last Failed Account Discovery |
The date and time of the last failed account discovery. |
Next Account Discovery |
The date and time for the next account discovery. |
Last Successful Service Discovery |
The date and time of the last successful service discovery. |
Last Failed Service Discovery |
The date and time of the last failed service discovery. |
Next Service Discovery |
The date and time for the next service discovery. |
Table 45: General tab: Connection properties
Authentication Type |
How the console connects with the managed system. For more information, see Connection tab (add asset desktop client). |
Service Account Name |
The account used by Safeguard for Privileged Passwords to securely manage accounts and passwords on the asset. |
Service Account Domain Name |
The domain used to manage accounts and passwords on the asset. |
Service Account Distinguished Name |
The distinguished name of the service account. |
Service Account Password Profile |
The name of the password profile for the service account. For more information, see Creating a password profile. |
Service Account SSH Key Profile |
The name of the SSH key profile for the service account. For more information, see Creating an SSH key profile. |
Port |
The port used for connection. Default is 22. |
Connection Timeout |
The session timeout period. |
SSH Key Comment |
Human-readable information about the SSH key. Maximum length is 225 characters. |
SSH Key Fingerprint |
The managed system's public host key fingerprint used to authenticate to the asset.
When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures. |
Table 46: General tab: Attributes properties (for example, for directories and LDAP)
User Attributes |
User attributes include:
Object Class
User Name
Password
Description
MemberOf
Alternate Login Name
NOTE:
By default the Alternate Login Name attribute for directories is set to userPrincipalName, however another directory attribute containing a UPN type account name can be used.
This attribute can be used in conjunction with the API's UseAltLoginName setting (disabled by default) which will instead use the Alternate Login Name as the account name. The API is PUT https://<host>/service/core/v3/AccessPolicies/{id} where the {id} is the id of the accessPolicy where you'll set the UseAltLoginName to true. UseAltLoginName is a boolean field on the asset data object. |
Group Attributes |
Group attributes include:
Object Class
Name
Member |
Computer Attributes |
Computer attributes include:
Object Class
Name
Network Address
Operating System
Operating System Version
Description |
Tags: Tag assignments for the selected asset. The tiles listed under in the Tags pane display both the dynamic tags assigned to the asset through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags using this pane.
Description: Information about the selected asset.
Table 47: Properties tab: General properties
Name |
The asset name. |
Description |
Description of the selected asset. |
Table 48: Properties tab: Connection properties
Platform |
The platform of the selected managed system. |
Version |
If applicable, the system version. |
Architecture |
if applicable, the operating system architecture. |
Network Address |
If applicable, the network DNS name or IP address of the managed system. |
Authentication Type |
How the console connects with the managed system. For more information, see Connection tab (add asset desktop client). |
Telnet Session Port |
If connecting to TN3270 or TN5250, the port for connection. |
Manage Forest (directory) |
If True, the whole forest is managed. |
Forest Root Domain Name (directory) |
The forest root domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain. |
Managed Domains |
If applicable, the managed domains. |
Enable Session Request |
If True, session access requests are enabled for the asset. |
Port |
The port used for connection. Default is 22. |
RDP Session Port |
If applicable, the access port on the target server used for RDP session access requests. |
SSH Session Port |
If applicable, the access port on the target server used for SSH session access requests. |
Telnet Session Port |
If connecting to TN3270 or TN5250, the port for connection. |
SSH Host Key Fingerprint |
The managed system's public host key fingerprint used to authenticate to the asset.
When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures. |
Sync additions every [number] minutes |
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the additions or modifications to objects. The date and time of the Last Sync, Last Failure Sync, and Last Success Sync display. The intervals are directory specific. |
Sync deletions every [number] minutes |
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the deletion of objects. The date and time of the Last Delete Sync, Last Failure Delete Sync, and Last Success Delete Sync display. The intervals are directory specific. |
Table 49: Properties tab: Management properties
Partition |
The name of the partition where the selected asset resides. |
Password Profile |
The name of the profile that manages the asset's accounts.
NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified. |
SSH Key Profile |
The name of the profile that manages the asset's accounts.
NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified. |
Managed Network |
The managed network that is assigned for work load balancing. For more information, see Managed Networks. |
Available for discovery across all partitions |
If True, this asset is read-access available for Asset Discovery jobs beyond partition boundaries. |
Enable Session Request |
If True, session access requests are enabled for the asset. |
Table 50: Properties tab: Account Discovery properties
Account Discovery |
Account discovery identifier. |
Description |
The description of the schedule. |
Schedule |
The account discovery schedule. |
Last Successful Account Discovery |
The date and time of the last successful account discovery. |
Last Failed Account Discovery |
The date and time of the last failed account discovery. |
Next Account Discovery |
The date and time for the next account discovery. |
Last Successful Service Discovery |
The date and time of the last successful service discovery. |
Last Failed Service Discovery |
The date and time of the last failed service discovery. |
Next Service Discovery |
The date and time for the next service discovery. |
Tags: Tag assignments for the selected asset. The information listed in the Tags tab displays both the dynamic tags assigned to the asset through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags using this tab.
Delete: Click this button to delete the selected asset.
An asset's Accounts tab displays the accounts associated with this asset.
Click Add Account/New Account from the details toolbar to associate an account with the selected asset.
To access Accounts:
- desktop client: Navigate to Administrative Tools | Assets | Accounts.
- web client: Navigate to Asset Management | Assets | (Edit) | Accounts.
Table 51: Assets: Accounts tab properties
Name |
Name of an account associated with the selected asset.
While you can associate an account with only one asset, you can log in to an asset with more than one account. |
Domain Name |
The domain name for the account and helps to determine the uniqueness of accounts. |
( desktop client only) Profile |
The name of the profile that manages the account. |
Service Account |
A check in this column indicates that the account is a service account. |
Password Request |
A check in this column indicates that password release requests are enabled for the account. Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account. |
Session Request |
A check in this column indicates that session access requests are enabled for the account. Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account. |
SSH Key Request |
A check in this column indicates that SSH key release requests are enabled for the account. Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account. |
Disabled |
A check in this column indicates that the asset is not managed, is disabled, and has no associated accounts. |
Password Profile |
A check in this column indicates a password is set for the account. For more information, see Checking, changing, or setting an account password. |
SSH Key |
A check in this column indicates an SSH key is set for the account. For more information, see Checking, changing, or setting an SSH key. |
Description |
Descriptive information entered when the account was added. |
( desktop client only) Global Access |
If available, a check in this column indicates that the asset is available for discovery across all partitions. For more information, see Available for discovery across all partitions (Global Access). |
SSH Key Profile |
The name of the SSH key profile. |
( web client only) Password |
A check in this column indicates that a password is set for the selected account. For more information, see Checking, changing, or setting an account password.. |
Use these buttons on the details toolbar to manage your asset accounts.
Table 52: Assets: Accounts tab toolbar
Add Account/New Account |
Add accounts to the selected asset. For more information, see Adding an account to an asset. |
Delete Selected / Delete |
Remove the selected account from the asset. |
( web client only) Edit |
Edit the selected account. |
Refresh |
Update the list of asset accounts. |
Account Security |
Menu options include:
- Check Password, Change Password, Set Password: For more information, see Checking, changing, or setting an account password.
- ( desktop client only) Toggle Global Access: For more information, see Available for discovery across all partitions (Global Access).
- Check SSH Key, Change SSH Key, Set SSH Key: For more information, see Checking, changing, or setting an SSH key.
|
( desktop client only) Password Archive |
Display the password history for the selected asset account. For more information, see Viewing password archive. |
( desktop client only) SSH Key Archive |
Display the SSH Key history for the selected asset account. For more information, see Viewing SSH key archive. |
( desktop client only) Discover SSH Keys |
Run the SSH Key Discovery job associated with the account. For more information, see SSH Key Discovery. |
Access Requests |
Select an option to enable or disable access request services for the selected account. Values are derived from whether the platform of the asset indicates it supports any of the following: Password Request, SSH Key Request, Session Request. You can enable or disable Password Request, Session Request, and SSH Key Request, as needed.
Service Accounts are created when the Asset is created and by default are not enabled for session or password access.
Discovered Accounts are controlled by the Account Discovery template that is used in discovering the accounts. They are a property of the rule template of the Account Discovery job. For more information, see Adding an Account Discovery rule. |
Enable-Disable |
Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.
Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts. |
( desktop client only) Set Password Profile |
Select a password profile to manage the selected asset account. |
( desktop client only) Set SSH Key Profile |
Select an SSH key profile to manage the selected asset account. |
Search |
To locate a specific asset account or set of accounts in this list, enter the character string to be used to search for a match. For more information, see Search box. |