Access Key (web client)
On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using an access key.
Table 84: Access Key authentication type properties
Service Account |
Enter an account for Safeguard for Privileged Passwords to use for management tasks. For more information, see About service accounts. |
Access Key ID |
Enter the unique identifier that is associated with the secret key. The access key ID and secret key are used together to sign programmatic AWS requests cryptographically.
Limit: 32 alphanumeric characters |
Secret Key |
Enter a secret access key used to cryptographically sign programmatic Amazon Web Services (AWS) requests.
Limit: 40 alphanumeric characters; the + and the / characters are also allowed. |
Test Connection |
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection. |
Port |
Enter the port number to log in to the asset. |
Connection Timeout |
Enter the connection timeout period.
Default: 20 seconds |
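The key pair described above is a signing credential, not a password: the Access Key ID identifies the key and the Secret Key is the root of an HMAC-SHA256 key derivation whose output signs a hash of each request (AWS Signature Version 4). The following is an added example, not Safeguard's own code, that checks a pasted key pair against the limits stated in Table 84 and then signs a constructed request so the roles of the two fields are visible. The credentials are the placeholder pair AWS uses in its own documentation, and the request is constructed sample data.

```python
"""What the Access Key ID and Secret Key are used for: AWS Signature Version 4.
Added example, not Safeguard's code. The secret never leaves the client; it is
the root of an HMAC-SHA256 key derivation, and the derived key signs a hash of
the request. The credentials are the placeholder pair AWS uses in its own
documentation and the request is constructed sample data."""
import hashlib
import hmac
import re

# Field limits stated on the Connection tab (Table 84).
ACCESS_KEY_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{1,40}$")


def validate_access_key(access_key_id, secret_key):
    """Return the list of limit violations; empty means both values fit the tab's limits."""
    problems = []
    if not ACCESS_KEY_ID_RE.match(access_key_id):
        problems.append("Access Key ID: 1-32 alphanumeric characters")
    if not SECRET_KEY_RE.match(secret_key):
        problems.append("Secret Key: 1-40 characters from [A-Za-z0-9+/]")
    return problems


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload=b""):
    """SigV4 canonical request. `headers` is a list of (name, value) pairs already
    lowercased and sorted by name; `query` is the canonical query string."""
    canonical_headers = "".join(f"{name}:{value}\n" for name, value in headers)
    signed_headers = ";".join(name for name, _ in headers)
    text = "\n".join([method, path, query, canonical_headers, signed_headers, sha256_hex(payload)])
    return text, signed_headers


def signing_key(secret_key, date, region, service):
    """Derive the scoped signing key: an HMAC chain rooted in 'AWS4' + secret key.
    A leaked derived key is only good for one day/region/service; a leaked secret
    key is good for everything the access key is authorised to do."""
    key = hmac_sha256(("AWS4" + secret_key).encode(), date)
    key = hmac_sha256(key, region)
    key = hmac_sha256(key, service)
    return hmac_sha256(key, "aws4_request")


def sign_request(access_key_id, secret_key, method, path, query, headers,
                 amz_date, region, service, payload=b""):
    """Return (Authorization header value, hex signature, canonical request)."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode())])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, signature, creq


# Constructed sample: the IAM ListUsers request from AWS's own SigV4 walkthrough,
# signed with the placeholder key pair AWS publishes for that walkthrough.
EXAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def example_signature(secret_key=EXAMPLE_SECRET_KEY):
    headers = [("content-type", "application/x-www-form-urlencoded; charset=utf-8"),
               ("host", "iam.amazonaws.com"),
               ("x-amz-date", "20150830T123600Z")]
    return sign_request(EXAMPLE_ACCESS_KEY_ID, secret_key, "GET", "/",
                        "Action=ListUsers&Version=2010-05-08", headers,
                        "20150830T123600Z", "us-east-1", "iam")


if __name__ == "__main__":
    assert not validate_access_key(EXAMPLE_ACCESS_KEY_ID, EXAMPLE_SECRET_KEY)
    print(example_signature()[0])
```

AWS publishes the expected signature for this exact request in its Signature Version 4 walkthrough, so the printed Authorization header can be compared against it. The point for the Connection tab is that only the Access Key ID ever appears in a request; the Secret Key stays inside Safeguard and is the value whose compromise lets anyone sign as the service account.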
None
When the asset's Authentication Type on the Connection tab is set to None, Safeguard for Privileged Passwords does not manage any accounts associated with the asset and does not store asset-related credentials.
Every asset needs a service account before Safeguard for Privileged Passwords can check and change the passwords of the accounts associated with it; an asset added with Authentication Type None therefore has no password management until a service account is configured.
Select the Auto Accept SSH Host Key check box to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server. Accepting the key automatically means the first connection is not verified against a known host key, so use this only where the path to the archive server is trusted. For more information, see Adding an archive server.
Management tab (add asset web client)
Use the Asset Management | Assets | Management tab to add the partition and profile to which the asset is assigned. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. All assets must be governed by a profile. New assets are automatically governed by the default profile unless otherwise specified.
The settings for an asset are shown below.
Table 85: Asset: Management tab properties
Partition |
Browse to select a partition for this asset. You can set a specific partition as the default, see Setting a default partition. |
Password Profile |
Browse to select a password profile to manage this asset's accounts.
You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.
Click Reset to set the profile to the current default.
The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile. |
SSH Key Profile |
Browse to select an SSH key profile to manage this asset's accounts.
You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.
Click Reset to set the profile to the current default.
The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile. |
Enable Session Request |
If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset.
Clear this check box if you do not want to allow session requests for this asset. The asset setting takes precedence: if sessions are disabled for the asset, they are unavailable even for accounts on that asset that have sessions enabled. |
Available for discovery across all partitions |
Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; select this check box to allow the asset to be discovered across all partitions. |
Manage using hashed password |
Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; select this check box to have Safeguard hash the new password itself and write the hashed value to the directory when performing a Change Password operation. |
Managed Network |
The managed network that is assigned for work load balancing. For more information, see Managed Networks. |
Attributes tab (edit asset web client)
NOTE: The Attributes tab only appears after you have successfully added a new asset and is accessed by editing the asset.
In the web client, the Attributes tab is used to add attributes to directory assets (including Active Directory and LDAP). For more information, see Adding identity and authentication providers.
IMPORTANT: Some Active Directory attributes are fixed and cannot be changed.
Table 86: Active Directory and LDAP: Attributes tab
User |
ObjectClass |
Default: user for Active Directory, inetOrgPerson for LDAP
Click Browse to select a class definition that defines the valid attributes for the user object class. |
Username |
sAMAccountName for Active Directory, cn for LDAP |
Password |
userPassword for LDAP |
Description |
description |
MemberOf |
Blank by default, this attribute can be set to a directory schema attribute that contains the list of directory groups of which the user is a member. |
Alternate Login Name |
userPrincipalName
NOTE: By default the Alternate Login Name attribute for directories is set to userPrincipalName; another directory attribute that contains a UPN-style account name can be used instead.
This attribute works together with the API's UseAltLoginName setting (disabled by default), which makes Safeguard use the Alternate Login Name as the account name. Set it with PUT https://<host>/service/core/v3/AccessPolicies/{id}, where {id} is the id of the access policy on which UseAltLoginName is to be set to true; UseAltLoginName is a boolean field in the body of that request. |
Group |
ObjectClass |
Default: group for Active Directory, groupOfNames for LDAP
Click Browse to select a class definition that defines the valid attributes for the group object class. |
Name |
sAMAccountName for Active Directory, cn for LDAP |
Member |
member |
Computer |
ObjectClass |
Default: computer for Active Directory, ipHost for LDAP
Click Browse to select a class definition that defines the valid attributes for the computer object class. |
Name |
cn |
Network Address |
dNSHostName for Active Directory, ipHostNumber for LDAP |
Operating System |
operatingSystem for Active Directory |
Operating System Version |
operatingSystemVersion for Active Directory |
Description |
description |
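The mapping in Table 86 decides which directory attribute Safeguard treats as the account name, the password attribute, the group membership and so on, and the NOTE above describes how UseAltLoginName swaps the account name for the Alternate Login Name. The following is an added example, not Safeguard's own code, that applies those defaults to parsed directory entries. The attribute names are the defaults from the table; the LDIF entries are constructed sample data; the use_alt_login_name flag and member_of_attr parameter are this example's stand-ins for the access policy's UseAltLoginName setting and for an administrator-configured MemberOf attribute. What happens when UseAltLoginName is set but an entry lacks the alternate attribute is not stated on the page, so the example refuses rather than guessing.

```python
"""Map directory entries through the Attributes tab defaults (added example; this is
not Safeguard's code). Attribute names are the defaults from Table 86; the LDIF is
constructed sample data; use_alt_login_name mirrors the effect the page ascribes to
the access policy's UseAltLoginName setting."""

# Defaults from the Attributes tab. None means "blank by default" (MemberOf) or
# no attribute listed (Active Directory has no Password row).
ATTRIBUTE_DEFAULTS = {
    "ActiveDirectory": {
        "user": {"ObjectClass": "user", "Username": "sAMAccountName", "Password": None,
                 "Description": "description", "MemberOf": None,
                 "AlternateLoginName": "userPrincipalName"},
        "group": {"ObjectClass": "group", "Name": "sAMAccountName", "Member": "member"},
        "computer": {"ObjectClass": "computer", "Name": "cn", "NetworkAddress": "dNSHostName",
                     "OperatingSystem": "operatingSystem",
                     "OperatingSystemVersion": "operatingSystemVersion",
                     "Description": "description"},
    },
    "Ldap": {
        "user": {"ObjectClass": "inetOrgPerson", "Username": "cn", "Password": "userPassword",
                 "Description": "description", "MemberOf": None,
                 "AlternateLoginName": "userPrincipalName"},
        "group": {"ObjectClass": "groupOfNames", "Name": "cn", "Member": "member"},
        "computer": {"ObjectClass": "ipHost", "Name": "cn", "NetworkAddress": "ipHostNumber",
                     "Description": "description"},
    },
}

# Constructed sample entries: one Active Directory user, one LDAP inetOrgPerson.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@corp.example
description: Service owner
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=example
memberOf: CN=Safeguard Operators,OU=Groups,DC=corp,DC=example

dn: cn=svc-backup,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: svc-backup
sn: backup
userPassword: {SSHA}placeholder-hash-value
description: Backup service account
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, lowercase attribute names (LDAP
    attribute names are case-insensitive), list of values per attribute. Folded
    continuation lines (leading space) are joined; base64 '::' values are not handled."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        entry.setdefault(last, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def search_filter(directory, object_type):
    """Filter selecting objects of the class configured for this object type."""
    return f"(objectClass={ATTRIBUTE_DEFAULTS[directory][object_type]['ObjectClass']})"


def resolve_user(entry, directory, use_alt_login_name=False, member_of_attr=None):
    """Apply the user mapping to a parsed entry. member_of_attr stands in for the
    MemberOf field, which is blank unless an administrator sets it (assumption:
    the page does not name the configured value). With use_alt_login_name set and
    no alternate attribute on the entry, refuse rather than guess."""
    mapping = ATTRIBUTE_DEFAULTS[directory]["user"]
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if mapping["ObjectClass"].lower() not in classes:
        raise ValueError(f"entry is not a {mapping['ObjectClass']} object")

    def first(attr):
        values = entry.get(attr.lower(), []) if attr else []
        return values[0] if values else None

    name = first(mapping["Username"])
    if use_alt_login_name:
        name = first(mapping["AlternateLoginName"])
        if name is None:
            raise ValueError(f"UseAltLoginName set but entry has no {mapping['AlternateLoginName']}")
    return {
        "name": name,
        "description": first(mapping["Description"]),
        "groups": list(entry.get(member_of_attr.lower(), [])) if member_of_attr else [],
        # The attribute Safeguard would write on Change Password; its value is not read here.
        "password_attribute": mapping["Password"],
    }
```

Running resolve_user on the Active Directory entry returns jdoe as the account name, and jdoe@corp.example once use_alt_login_name is set; groups stay empty until a MemberOf attribute is supplied, matching the "blank by default" row in the table. Feeding the inetOrgPerson entry through the Active Directory mapping fails the object-class check, which is the failure an operator sees when the wrong directory type or ObjectClass is configured on the Attributes tab.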