Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 7.0.2 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Account Automation

Also available as a pane on the Home page, the Asset Management > Account Automation page allows Asset Administrators to view information regarding accounts that are failing or succeeding different types of tasks. This page includes both automated and manual tasks in the results. Clicking one of the tasks on the view displays additional information.

Account Automation: Types

Information on the following account automation tasks is displayed by default. Click the button to customize the tasks that are displayed.

  • Password Check Failures: Displays a list of accounts where password check tasks failed.
  • Password Change Failures: Displays a list of accounts where password change tasks failed.
  • SSH Key Check Failures: Displays a list of accounts where SSH key check tasks failed.
  • SSH Key Change Failures: Displays a list of accounts where SSH key change tasks failed.
  • SSH Key Discovery Failures: Displays a list of accounts where SSH key discovery tasks failed.
  • SSH Key Revoke Failures: Displays a list of accounts where SSH key Revoke tasks failed.
  • Suspend Account Failures: Displays a list of accounts where suspend tasks failed.
  • Restore Account Failures: Displays a list of accounts where restore tasks failed.
  • Password Check Successes: Displays a list of accounts where password check tasks succeeded in the past 24-hours.
  • Password Change Successes: Displays a list of accounts where password change tasks succeeded in the past 24-hours.
  • SSH Key Check Successes: Displays a list of accounts where SSH key check tasks succeeded in the past 24-hours.
  • SSH Key Change Successes: Displays a list of accounts where SSH key change tasks succeeded in the past 24-hours.
  • SSH Key Discovery Successes: Displays a list of accounts where SSH key discovery tasks succeeded in the past 24-hours.
  • SSH Key Revoke Successes: Displays a list of accounts where SSH key Revoke tasks succeeded in the past 24-hours.
Account Automation: Toolbar

After selecting a task to view additional information, use the toolbar at the top of the details grid to perform the following tasks.

  • View Details: After selecting a task from the table, click this button to view additional information on the task.
  • Re-Run Task: Available for failed tasks only, select to rerun the selected task.
  • Export: Select to create a .csv or .json file of the currently displayed account automation grid and save it to a location of your choice. For more information, see Exporting data.
  • Refresh: Select to refresh the data displayed in the table.
  • Columns: Select to display a list of columns that can be displayed in the grid. Select the check box for data to be included in the grid. Clear the check box for data to be excluded from the grid.

Accounts

A Safeguard for Privileged Passwords account is a unique identifier that Safeguard for Privileged Passwords uses to control access to assets. Managed accounts (including directory accounts and service accounts) and groups of accounts can be associated with an asset. Each account has an associated asset; if you delete an asset, Safeguard for Privileged Passwords permanently deletes all the accounts associated with it.

The Auditor and the Asset Administrator have permission to access Accounts.

On Unix assets, the accounts are stored in etc/passwd; however, each platform implements this concept differently.

Service accounts are designated with a Service Account icon. For more information, see About service accounts.

To access Accounts:

  • web client: Navigate to Asset Management > Accounts. If needed, you can use the partition drop-down to select the parent partition of the account. Select an account, then click to display additional information and options.

Selecting one of the accounts displays the following information:

For information about configuring Account Discovery in Safeguard for Privileged Passwords, see Account Discovery job workflow.

Use these toolbar buttons to manage accounts.

  • New Account: Add accounts to Safeguard for Privileged Passwords. For more information, see Adding an account.
  • Delete: Remove the selected account. For more information, see Deleting an account.
  • View Details: Select an account then click this button to open additional information and options for the account.
  • Account Security: Menu options include:
  • Access Request: Allows you to enable or disable access request services for the selected account. Menu options include:
    • Enable Password Request
    • Disable Password Request
    • Enable Session Request
    • Disable Session Request
    • Enable SSH Key Request
    • Disable SSH Key Request
  • Discover SSH Keys: Run the SSH Key Discovery job.
  • Show Disabled: Display the accounts that are not managed and are disabled and have no associated assets.
    • Click Disable to prevent Safeguard for Privileged Passwords from managing the selected account.
    • Click Enable to manage the selected account and assign it to the scope of the default profile.
  • Hide Disabled: Hide the accounts that are not managed and are disabled and have no associated assets.
    • Click Disable to prevent Safeguard for Privileged Passwords from managing the selected account.
    • Click Enable to manage the selected account and assign it to the scope of the default profile.
  • Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
  • Refresh: Update the list of accounts.
  • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box.

Properties (account)

The Properties tab lists information about the selected account.

To access Properties:

  • web client: Navigate to Asset Management > Accounts > (View Details) > Properties.

Information for the account displays. Not all the information listed below is applicable for every account.

There are two buttons available on the top of the Properties tab:

  • Account Security: Menu options include:
  • Discover SSH Keys: Use this option to run the selected SSH Key Discovery job.
  • Enable-Disable: Select one of the following:

    Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.

The following fields display on the secondary tabs on the Properties tab based on the type of asset (for example, Windows, Linux, LDAP, or Active Directory). Clicking the Edit button on one of the secondary tabs allows you to edit the account.

Table 71: Accounts Properties tab: General properties
Property Description
Name The name of the selected account.

Description

Description of the selected account.

Asset

The display name of the managed system associated with this account. Accounts are only associated with one asset.

Table 72: Accounts Properties tab: Management properties
Property Description
Access Requests Indicates which type(s) of access requests are enabled for this account.

Password Profile

The name of the password profile that governs the accounts assigned to a partition.

When a password profile is inherited from an asset or partition this will be indicated by the text (Inherited) next to the name of the password profile. When the password profile is explicitly set, a button will appear that allows you to clear the explicitly set password profile and instead use the inherited password profile.

SSH Key Profile

The name of the SSH key profile.

When an SSH key profile is inherited from an asset or partition this will be indicated by the text (Inherited) next to the name of the SSH key profile.

When the SSH key profile is explicitly set, a button will appear that allows you to clear the explicitly set SSH key profile. Once the cleared profile change is applied, the assigned inherited profile will be displayed. If there is no default SSH key profile designated for the partition, the asset will no longer have an SSH key profile assigned. If there is no SSH key profile explicitly set on the asset, the accounts on that asset will no longer have an SSH key profile assigned. Designating a default SSH key profile for the partition will ensure all assets and accounts in that partition have an inherited SSH key profile.

Tags: Tag assignments for the selected account.

The information displayed in the Tags pane includes both the dynamic tags added through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags.

Delete: Click this button to delete the selected account.

Owners tab (account)

The Owners tab displays information about the owners associated with the account (and its associated assets). For more information on altering the owners assigned via tags, see Modifying an asset or asset account tag.

To access Owners:

  • web client: Navigate to Asset Management > Accounts > (View Details) > Owners.

The Owners tab has three views: Account Owners, Asset Owners, and Partition Owners.

Table 73: Accounts: Owners tab properties
Property Description

Account Owners

Type

The type of owner.

Name

The name of the owner.

Provider

The name of the authentication provider.

Direct

This column indicates the ownership of the object was assigned directly rather than through the use of a tag.

Via Tag

This column indicates the ownership of the object was assigned through the use of a tag.

Asset Owners

Type

The type of owner.

Name

The name of the owner.

Provider

The name of the authentication provider.

Direct

This column indicates the ownership of the object was assigned directly rather than through the use of a tag.

Via Tag

This column indicates the ownership of the object was assigned through the use of a tag.

Partition Owners

Type

The type of user or group.

Name

The name of the user or group.

Provider

The name of the authentication provider.

Use the following buttons on the details toolbar to manage the objects owned by the selected account.

Table 74: Accounts: Owners toolbar
Option Description

Add

Add one or more users or user groups to the selected account. For more information, see Adding users or user groups to an account.

Remove

Remove the selected object from being a manager of the selected account. You can only remove objects directly assigned to an account (as opposed to those assigned via the use of a tag).

Export

Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

Refresh

Update the list of owners/managers.

Search

To locate a specific object in this list, enter the character string to be used to search for a match. For more information, see Search box.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation