Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 7.5.2 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Account Discovery tab (add asset)

The Account Discovery tab is only available after an Active Directory or SPS asset has been created. On the Account Discovery tab, the default is Do not perform account discovery.

To access Account Discovery:

  • web client: Navigate to Asset Management > Assets > Account Discovery.

The settings outlined in the following table are available by using the Add or Edit option available from the Account Discovery tab.

Table 119: Account Discovery tab properties
Property Description
Description

Select the description of the discovery job desired and the details of the configuration display.

Click Add to add a job or Edit to edit the job. You can click the drop-down and select Do not perform account discovery.

Partition The partition in which to manage the discovered assets or accounts.
Discovery Type The type platform, for example, Windows, Unix, or Directory.

Directory

The directory for account discovery.

Account Discovery Rules

You can click Add, Delete, Edit, or Copy to update the Rules grid.

Details about the selected account discovery setting rules may include the following based on the type of asset.

  • Name: Name of the discovery job.
  • Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule..
  • Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
  • Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
  • Set default password: A check mark displays if the rule causes default passwords to be set automatically.
  • Set default SSH key: A check mark displays if the rule causes default SSH keys to be set automatically.
  • Assign to Password Profile: The password profile assigned.
  • Assign to Sync Group: The name of the assigned password sync group.
  • Assign to SSH Key Profile: The name of the assigned SSH Key profile.
  • Assign to SSH Key Sync Group: The name of the assigned SSH Key Sync group.
  • Enable Password Request: A check mark displays if the passwords is available for release.
  • Enable Session Request: A check mark displays if session access is enabled.
  • Enable SSH Key Request: A check mark displays if SSH key request is enabled.
Schedule

Click Schedule to control the job schedule.

Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)

  • Select a time frame:

    • Never: The job will not run according to a set schedule. You can still manually run the job.
    • Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
    • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.

    • Days: The job runs on the frequency of days and the time you enter.

      For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.

    • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

      For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

    • Months: The job runs on the frequency of months at the time and on the day you specify.

      For example, If you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.

  • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

    For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

    Enter Run Every 10/Minutes and set Use Time Windows:

    • Start 10:00:00 PM and End 11:59:00 PM
    • Start 12:00:00 AM and End 2:00:00 AM

      An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

    If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

    For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

    For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

Downloading a public SSH key

When you add an asset and select the Automatically Generate the SSH Key (SSH Key Generation and Deployment setting on the Connection page in the Asset dialog), Safeguard for Privileged Passwords allows you to download the SSH key so that you can manually install it on the asset.

To download a public SSH key

  1. Navigate to Asset Management > Assets.
  2. In Assets, select an asset that has an SSH key authentication type.
  3. Expand the SSH Host Key drop-down, and select Download SSH Key. The SSH key will be downloaded according to your browser's file download settings.

Partitions

A partition is a named container for assets that can be used to segregate assets for delegated management. It is the responsibility of the Asset Administrator to add partitions to Safeguard for Privileged Passwords. Partitions allow you to set up multiple asset managers, each with the ability to define password guidelines for the managed systems in their own workspace. Typically, you partition assets by geographical location, owner, function, or by operating system. For example, Safeguard for Privileged Passwords can enable you to group Unix assets in a partition and delegate the Unix administrator to manage it. Every partition should have a partition owner. For more information, see Adding a partition..

You must assign all assets, and the accounts associated with them, to a partition. By default, Safeguard for Privileged Passwords assigns all assets and their associated accounts to the default partition, but you can set a different partition as the default.

To access Partitions:

  • web client: Navigate to Asset Management > Partitions. Select a partition, then click to display additional information and options.

Selecting one of the accounts displays the following information:

Use these toolbar buttons to manage partitions.

About profiles

The profile includes the schedules and rules governing the partition’s assigned assets and the assets' accounts. For example, the profile defines how often a password check is required on an asset or account.

A partition can have multiple profiles, each assigned to different assets, if desired. An account is governed by only one profile. If an account is not explicitly assigned to a profile, the account is governed by the one assigned to the parent asset. If that asset does not have an assigned profile, the partition's default profile is assigned. When updating or restarting a service on a password change, the profile assigned to the asset is used for dependent account service modifications.

When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. You can create multiple profiles to govern the accounts assigned to a partition. Both assets and accounts are assigned to the scope of a profile.

For example, suppose you have an asset with 12 accounts and you configure the profile to check and change passwords every 60 days. If you want the password managed for one of those accounts every seven days, you can create another profile and add the individual account to the new profile. Now, Safeguard for Privileged Passwords will check and change all the passwords on this asset every 60 days except for this account, which will change every seven days.

Implicit and explicit association

It is important to understand the difference between implicit and explicit assignments to a profile.

Implicit associations

Safeguard for Privileged Passwords makes implicit assignments. For example, when you add an asset to Safeguard for Privileged Passwords, it automatically adds the asset to the default partition and assigns it to the scope of the default profile. This is called implicit association. Assets implicitly inherit the partition's default profile. Similarly, accounts inherit their parent asset’s profile. That means when you add an account to an asset, Safeguard for Privileged Passwords implicitly adds that account to its asset’s profile.

Later, if you reassign the asset to another profile, Safeguard for Privileged Passwords automatically reassigns all of the asset’s associated accounts to the new profile.

Explicit associations

Safeguard for Privileged Passwords allows you to explicitly add an asset or an account to a specific profile. When you explicitly assign an asset to a profile, it overrides the implicit inheritance from the partition so the asset's profile is no longer determined by its partition. Similarly, when you explicitly assign an account to a profile, Safeguard for Privileged Passwords overrides the implicit inheritance from the asset and the account’s profile is no longer determined by its asset.

Now, if you reassign the asset to another profile, Safeguard for Privileged Passwords will not reassign the asset’s associated accounts that were explicitly assigned to the old profile.

Resetting the default profile

If you set another profile as the default, Safeguard for Privileged Passwords implicitly reassigns all assets and their associated accounts to that new default, but it will not reassign any assets or accounts that you have explicitly assigned to a profile. Once the implicit inheritance is broken, changing a partition's default profile has no effect on the scope of a profile. For more information, see Setting a default profile.

Related Topics

Assigning assets or accounts to a password profile and SSH key profile

Assigning a profile to an asset

Password Profiles

SSH Key Profiles

How do I manage accounts on unsupported platforms

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation