Chatee ahora con Soporte
Chat con el soporte

One Identity Safeguard for Privileged Passwords 6.7.4 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Importing objects

Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click  Import from the toolbar then click CSV Template Assistant for the dialog. For more information, see Creating an import file.

Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status.

To import objects

  1. In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
  2. Click  Import from the toolbar.
  3. In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
  4. When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
  5. Click OK. Safeguard for Privileged Passwords imports the objects into its database.

Considerations for valid and invalid data

Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:

  • Assets PlatformDisplayName property:
    • If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
    • If it does not find a partial match, it supplies the Other platform type.
  • Users TimeZoneId property: If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone. Do not enter numbers or abbreviations for the TimeZoneId.
  • Users Password property: Safeguard for Privileged Passwords adds a user without validating the password you provide.

Details for importing directory assets, service accounts, users, and user groups

You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Managed account users cannot be members of the Protected Users AD Security Group.

Additional information specific to directory import follows.

  1. Import the directory (and service account) via Administrative Tools | Assets | Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.

    The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.

  2. Import users and user groups.
    1. Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
    2. Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
    3. Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.

Active Directory and LDAP synchronization

Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.

Asset schema list

  • Users
    • Username
    • Password (modifiable in LDAP and not modifiable in Active Directory)
    • Description
  • Groups
    • Name
    • Member
  • Computer
    • Name
    • Network Address
    • Operating System
    • Operating System Version
    • Description

Identity and Authentication Providers schema list

  • Users
    • Username
    • First Name
    • Last Name
    • Work Phone
    • Mobile Phone
    • Email
    • Description
    • External Federation Authentication
    • Radius Authentication
    • Managed Objects
  • Groups
    • Name
    • Members
    • Description

Setting a local user's password

It is primarily the responsibility of the Authorizer Administrator to set passwords for administrators. The User Administrator and Help Desk Administrator set passwords for non-administrator local users. These administrators can only set passwords for local users. Directory user passwords are maintained in an external provider, such as Microsoft Active Directory.

To set a local user's password

  1. Navigate to Administrative Tools | Users.
  2. Select a local user from the object list and perform one of the following:
    • Right-click, and select  Set Password from the context menu.
    •  Click  User Security and select  Set Password.
    • On the General tab next to Authentication, click Edit and click Set Password.
  3. In the Set Password dialog, enter the new password and click OK. You must comply with the password requirements specified in the dialog. For more information, see Local Password Rule.

Unlocking a user's account

If you are unable to log in, your account may have become "locked" and is therefore disabled. For example, if you enter a wrong password for the maximum number of times specified by the account Lockout Threshold settings, Safeguard for Privileged Passwords locks your account. For more information, see Local Login Control.

Typically, it is the responsibility of the Authorizer Administrator to unlock administrator accounts, and the User Administrator and Help Desk Administrator to unlock non-administrator local users.

To unlock a user's account

There are two ways to unlock a user account:

  • In Users, select a "locked" user, right-click, and select  Unlock from the context menu.
  • Click  User Security and select  Unlock.

User Groups

Safeguard for Privileged Passwords allows you to add both local user groups (a set of local users) and directory groups (a set of directory accounts) to User Groups. The Security Policy Administrator can add a group of users to an entitlement to authorize them to request access to the accounts and assets governed by the entitlement's access request policies.

User Groups is available to the Authorizer Administrator, User Administrator, Security Policy Administrator, and the Auditor. However, it is only available to the Authorizer Administrator and User Administrator if a directory has been added to Safeguard for Privileged Passwords.

The User Groups view displays the following information about the selected user or directory group.

Use these toolbar buttons to manage users.

Add User Groups: Add user groups to Safeguard for Privileged Passwords. For more information, see Adding a user group.

Add Directory Group: Add a directory user group to Safeguard for Privileged Passwords. For more information, see Adding a directory user group.

Delete Selected: Remove the selected user group. For more information, see Deleting a user group.

Refresh: Update the list of user groups.

  • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box.
    • Documentos relacionados

    The document was helpful.

    Seleccionar calificación

    I easily found the information I needed.

    Seleccionar calificación