Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

General tab

On the General tab, enter the following information for the access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 86: Access Request Policy: General tab properties
Property Description
Name

Enter a unique name for the access request policy.

Limit: 50 characters

Description

Enter descriptive text that explains the access request policy.

Limit: 255 characters

Priority

The priority of this policy compared to other policies in this entitlement.

If a user desires to access an account in the scope of two different request polices within an entitlement, then the policy with the highest priority (that is, the lowest number) takes precedence. For more information, see About priority precedence.

Access Type

Specify the type of access being requested:

  • Password
  • RDP
  • SSH
  • Telnet

NOTE: You can configure an access request policy for a password release, however, if the Privileged Passwords module license is not installed, you will not be able to submit a password release request.

Similarly, you can configure an access request policy for a session request, but if the embedded sessions module for Safeguard for Privileged Passwords license is not installed, you will not be able to initiate an RDP or SSH session request.

Have the Policy Expire on Date and Time If applicable, select this check box to enforce an expiration date for the policy. Enter the expiration date and time.

Scope tab

Use the Scope tab to assign accounts, account groups, assets, and asset groups to an access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

  1. On the Scope tab:

    1. Click Add from the details toolbar and select one of the following options:

      • Add Account Group
      • Add Account
      • Add Asset Group: Only available for a session access request (that is, when access type RDP, SSH, or Telnet is selected on the General tab.
      • Add Asset: Only available for a session access request (that is, when access type RDP, SSH, or Telnet is selected on the General tab.
    2. In the selection dialog, make a selection then click OK.

      If you do not see the selection you are looking for, depending on your Administrator permissions, you can create it in the selection dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)

  2. Repeat step one to make additional selections. You can add multiple types of objects to a policy; however, you can only add one type of object, like an accounts or account group, at a time.

All of the selected objects appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click Delete.

Requester tab

Use the Requester tab to configure the requester settings for an access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 87: Access Request Policy: Requester tab properties
Property Description
Reasons

Click Select Reason to add one or more reasons to the selected access request policy. Then, when requesting access to a password or a session, a user can select a predefined reason from a list. Click OK to add a reason.

NOTE: You must have reasons configured in Safeguard for Privileged Passwords to use this option. For more information, see Reasons. If you do not see the reason you are looking for, you can create a reason from the Reasons selection dialog by clicking the Create New toolbar button.

Require Reason

Select this check box to require that a requester provide a Reason when requesting access. This option is only available if you have selected Reasons for the policy.

If you add reasons to a policy, and leave this option cleared, the users will have the option of choosing a reason; but they will not be required to select a reason.

Require Comment

Select this check box to require that a requester provide a Comment when making an access request.

Require Ticket Number

Select this check box to require that a requester provide a ticket number when making an access request.

The ticket number can be defined and not validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used to approve a password or session request and is tracked through the Activity Center.

You can validate the ticket against your company's external ticket system, such as ServiceNow, or Remedy, or another ticketing system. To do this, you must have the ticketing system configured in Safeguard for Privileged Passwords to use this option.

For more information, see Ticketing systems.

Duration of Access Approval

Enter or select the default duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy. The access duration cannot exceed a total of seven days (10,080 minutes)

Allow Requester to Change Duration Select this check box to allow the requester the ability to modify the access duration.
Maximum Time Requester Can Have Access

If you select the Allow Requester to Change Duration option, you can set the maximum duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy.

The default access duration is seven days. The maximum access duration is 31 days.

The users can change the access duration, but they cannot access the accounts or assets governed by this policy for longer than the maximum access duration time.

Approver tab

Use the Approver tab to specify the approver settings for an access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 88: Access Request Policy: Approver tab properties
Property Description

Auto-Approved

Select this option to automatically approve all access requests for accounts and assets governed by this policy.

Notify when Account is Auto-Approved | To

(Optional) When no approvals are required, enter an email address or select To to choose a user to notify when access is auto-approved.

If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Approvals Required

Select this option to require approval for all access requests for accounts and assets governed by this policy. Enter the following information:

  • Qty: Enter or select the minimum number of approvals required from the selected users or user groups listed as Approvers.
  • Approvers: Browse to select one or more users or user groups who can approve access requests for accounts and assets governed by this policy.

    Use the Clear icon to remove an individual approver user or user group from this list or right-click and select Remove All to clear all users from the list.

    Click  Add or  Delete to add or remove approver sets.

    The order of the approver sets is not significant, but all requirements must be met; that is, a request must obtain the number of approvals from each approver set defined.

    The users you authorize as approvers receive alerts when an access request requires their approval if they have Safeguard for Privileged Passwords configured to send alerts.

    TIP:As a best practice, add user groups as approvers rather than individuals. This makes it possible to add an individual approver to a pending access request. In addition, you can modify an approvers list without editing the policy.

Notify if approvers have pending requests after

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before notifying the escalation notification contact list about pending approvals.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user. You can enter email addresses for non-Safeguard for Privileged Passwords users.

    If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

Important:Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Approval Anywhere has been enabled. View enabled users.

Indicates that the Approval Anywhere feature has been configured. Click the users link to view a list of the users who are authorized to approve requests using this feature.

You can add users as Approval Anywhere approvers by clicking the Add toolbar button in the Approval Anywhere Users dialog.

Documents connexes