It is the responsibility of an Authorizer Administrator or User Administrator to activate or deactivate users within Safeguard for Privileged Passwords. However, this state can only be changed within Safeguard for Privileged Passwords on users that have their identity source set to the Local provider. This state cannot be modified for directory users. A directory user's state must be modified in the directory and then synchronized with Safeguard for Privileged Passwords.
Deactivating a user will prevent that user from logging into Safeguard for Privileged Passwords and end any currently logged in session. However, an administrator cannot deactivate their own user.
Safeguard for Privileged Passwords can also be configured to automatically deactivate users who have not logged in within a configured time span. Note, this does not apply to directory users. For more information, see Local Login Control.
Typically, it is the responsibility of the Authorizer Administrator to delete administrator users and the User Administrator to delete non-administrator users.
IMPORTANT: When you delete a local user, Safeguard for Privileged Passwords deletes the user permanently. If you delete a directory user that is part of a directory user group, the next time it synchronizes its database with the directory, Safeguard for Privileged Passwords will add it back in.
( desktop client) To delete a user
- Navigate to Administrative Tools | Users.
- In Users, select a user from the object list.
- Click Delete Selected.
- Confirm your request.
( web client) To delete a user
- Navigate to User Management | Users.
- In Users, select a user from the object list.
- Click Delete.
- Confirm your request.
On the desktop client, Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar then click CSV Template Assistant for the dialog. For more information, see Creating an import file.
Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status.
To import objects
- In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
- Click Import from the toolbar.
- In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
-
When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
- Click OK. Safeguard for Privileged Passwords imports the objects into its database.
Considerations for valid and invalid data
Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
- Assets PlatformDisplayName property:
- If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform.
- If it does not find a partial match, it supplies the Other platform type.
- Users TimeZoneId property: If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone. Do not enter numbers or abbreviations for the TimeZoneId.
- Users Password property: Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Managed account users cannot be members of the Protected Users AD Security Group.
Additional information specific to directory import follows.
-
Import the directory (and service account) via Administrative Tools | Assets | Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
- Import users and user groups.
- Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
- Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
- Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
- Users
- Username
- Password (modifiable in LDAP and not modifiable in Active Directory)
- Description
- Groups
- Computer
- Name
- Network Address
- Operating System
- Operating System Version
- Description
Identity and Authentication Providers schema list
- Users
- Username
- First Name
- Last Name
- Work Phone
- Mobile Phone
- Email
- Description
- External Federation Authentication
- Radius Authentication
- Managed Objects
- Groups
It is primarily the responsibility of the Authorizer Administrator to set passwords for administrators. The User Administrator and Help Desk Administrator set passwords for non-administrator local users. These administrators can only set passwords for local users. Directory user passwords are maintained in an external provider, such as Microsoft Active Directory.
( web client) To set a local user's password
- Navigate to User Management | Users.
- Select a local user from the object list and perform one of the following:
- From the toolbar options, select Set Password.
- On the Properties tab, click Set Password.
- In the Set Password dialog, enter the new password.
- If you want to require the user to change their password during their next login, make sure the User must change password at next login check box is selected.
- Click Set Password. You must comply with the password requirements specified in the dialog. For more information, see Local Password Rule.