
One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide


Adding authorized user for Approval Anywhere

Once Safeguard for Privileged Passwords is joined to Starling, use the Approval Anywhere pane to add the Safeguard for Privileged Passwords users that can use the Approval Anywhere feature to approve access requests.

NOTE: If you upgraded from a previous version of Safeguard for Privileged Passwords where you have already configured Approval Anywhere, your existing configuration will continue to work. However, you will not be able to manage your Approval Anywhere users until you join Safeguard for Privileged Passwords to Starling. Once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configuration to use the credential string generated by the join process.

TIP: Ensure that OneTouch approvals are enabled in the two-factor authentication app on your mobile device.

To add users who are authorized to use Approval Anywhere

  1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
  2. Navigate to Administrative Tools | Settings.
  3. Select External Integration | Approval Anywhere.
  4. Click Add.
  5. In the Users dialog, select users from the list and click OK.

    NOTE: Approval Anywhere approvers must have a valid mobile phone number in E.164 format and a valid email address defined. If a user's record does not show a valid mobile phone number or email address, edit the user record before proceeding. For more information, see Modifying a user.

    E.164 format: +<country code><area code><phone number>

  6. Add these Approval Anywhere users as approvers in the appropriate access request policy. For more information, see Creating an access request policy.
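The note above requires every Approval Anywhere approver to carry an E.164 mobile number and an email address before the user is added. The following script, added here as an example and not part of the guide or the product, audits a list of user records against those two requirements so that bad records are caught before the approver is added to an access request policy. The user records are constructed samples, and the email pattern is a simplified sanity check rather than full RFC 5322 validation.

```python
import re
from typing import Dict, List

# E.164: a leading "+", then 1 to 15 digits, the first of which is not 0
# (the guide's +<country code><area code><phone number> form).
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")

# Simplified address check: local-part@domain.tld with no whitespace.
# This is a sanity check, not full RFC 5322 validation (assumption).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_e164(number: str) -> bool:
    """Return True when the number is a well-formed E.164 number."""
    return bool(E164_RE.match(number or ""))


def is_plausible_email(address: str) -> bool:
    """Return True when the address looks like a deliverable email address."""
    return bool(EMAIL_RE.match(address or ""))


def check_approver(user: Dict[str, str]) -> List[str]:
    """Return the reasons this record cannot be used for Approval Anywhere.

    An empty list means both the mobile number and the email address pass.
    """
    problems = []
    name = user.get("name", "<unnamed>")
    if not is_e164(user.get("mobile", "")):
        problems.append(f"{name}: mobile number is missing or not in E.164 format")
    if not is_plausible_email(user.get("email", "")):
        problems.append(f"{name}: email address is missing or malformed")
    return problems


# Constructed sample records (hypothetical users, not taken from the guide).
SAMPLE_USERS = [
    {"name": "alice", "mobile": "+14155550123", "email": "alice@example.com"},
    {"name": "bob", "mobile": "415-555-0123", "email": "bob@example.com"},    # no "+", has dashes
    {"name": "carol", "mobile": "+4915112345678", "email": "carol@"},          # truncated email
    {"name": "dave", "mobile": "+0123456", "email": "dave@example.com"},       # leading 0 after "+"
]


def audit(users: List[Dict[str, str]] = SAMPLE_USERS) -> List[str]:
    """Run check_approver over every record and collect the findings."""
    report: List[str] = []
    for user in users:
        report.extend(check_approver(user))
    return report


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run the audit against an export of the users you intend to add; only records that produce no findings should be selected in the Users dialog in step 5.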

Once a user is added as an Approval Anywhere user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's Starling 2FA mobile app. The approver can either approve or deny the access request directly from the Starling 2FA mobile app.

NOTE: Revoking an access request that has already been approved is not available via the mobile app. You must use the Safeguard for Privileged Passwords desktop or web client to perform that action.

Email

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.

Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.

TIP: You must configure the DNS Server and set up the user's email address correctly.

To configure the SMTP Server

  1. Navigate to Administrative Tools | Settings | External Integration | Email.
  2. To configure the email notifications, enter these global settings for all Safeguard for Privileged Passwords emails:
    SMTP Server Address

    Enter the IP address or DNS name of the mail server. When unspecified, Safeguard for Privileged Passwords disables the email client.

    NOTE: When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].

    NOTE: If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.

    SMTP Port

    Enter the TCP port number for the email service.

    Default: 25

    Range: 1 to 32767

    Sender Email

    Enter an email address to use as the "From" address for all emails originating from the appliance.

    Required if you specify the SMTP Server Address.

    Limit: 512 characters

    Require Transport Layer Security

    Select this option to require that Safeguard for Privileged Passwords uses TLS to provide communication security over the internet.

To validate your setup

  1. Select the Test Email Settings link.
  2. Enter a Send To email address of where to send the test message and click Send.

    Safeguard for Privileged Passwords sends an email using the configuration settings.
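The settings in the previous procedure come with rules (bracketed IPv6 addresses, a port in the range 1 to 32767, a Sender Email that is required whenever a server address is set and limited to 512 characters, and the option to require TLS), and the step above then sends a test message. The script below is an added example, not code from the guide or the product: it checks a proposed set of SMTP settings against those rules and then sends a test message the way the validation step does, refusing to continue if TLS is required but the server does not offer STARTTLS. The `SmtpSettings` class, the hostname pattern and the sample values are assumptions for the example.

```python
import ipaddress
import re
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List

# Conservative DNS-name pattern: labels of 1-63 alphanumerics/hyphens, total <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


@dataclass
class SmtpSettings:
    server_address: str = ""      # IP, DNS name, or [IPv6]; empty disables the email client
    port: int = 25                # default 25, range 1 to 32767
    sender_email: str = ""        # "From" address, required when server_address is set
    require_tls: bool = True      # "Require Transport Layer Security"


def validate(settings: SmtpSettings) -> List[str]:
    """Return the rule violations (and TLS warning) for these settings; empty list = acceptable."""
    findings: List[str] = []
    addr = settings.server_address.strip()
    if addr:
        if addr.startswith("[") and addr.endswith("]"):
            try:
                ipaddress.IPv6Address(addr[1:-1])
            except ValueError:
                findings.append("bracketed server address is not a valid IPv6 address")
        else:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                if ":" in addr:
                    findings.append("IPv6 server address must be enclosed in square brackets")
                elif not HOSTNAME_RE.match(addr):
                    findings.append("server address is neither an IP address nor a DNS name")
        if not settings.sender_email:
            findings.append("Sender Email is required when SMTP Server Address is set")
    if not 1 <= settings.port <= 32767:
        findings.append("SMTP Port must be between 1 and 32767")
    if len(settings.sender_email) > 512:
        findings.append("Sender Email exceeds the 512 character limit")
    if not settings.require_tls:
        findings.append("warning: TLS not required; notifications would cross the network in clear text")
    return findings


def send_test_email(settings: SmtpSettings, send_to: str) -> None:
    """Send one test message, enforcing STARTTLS with certificate verification when TLS is required."""
    host = settings.server_address.strip("[]")   # smtplib wants the bare IPv6 address
    msg = EmailMessage()
    msg["From"] = settings.sender_email
    msg["To"] = send_to
    msg["Subject"] = "SMTP settings test"
    msg.set_content("Test message sent with the configured SMTP settings.")
    context = ssl.create_default_context()       # verifies the server certificate chain and name
    with smtplib.SMTP(host, settings.port, timeout=10) as smtp:
        smtp.ehlo()
        if settings.require_tls:
            if not smtp.has_extn("starttls"):
                raise RuntimeError("server does not offer STARTTLS but TLS is required")
            smtp.starttls(context=context)
            smtp.ehlo()                          # re-identify on the now-encrypted channel
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample values; replace with your own server and addresses.
    proposed = SmtpSettings("mail.example.com", 587, "safeguard@example.com", True)
    for finding in validate(proposed):
        print(finding)
    if not validate(proposed):
        send_test_email(proposed, "admin@example.com")
```

The TLS warning is reported alongside the hard errors because an SMTP relay that accepts clear-text submission will also carry the approval and password-change notifications in clear text; treat it as a finding to resolve rather than an informational message.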

The grid at the bottom of this pane lists the email templates used to define the content to be included in email notifications. Use these toolbar buttons to manage email templates.

Table 150: Email template: Toolbar
Property Description
New

Add an email template.

NOTE: You can only add a previously deleted template.

Delete

Remove the selected email template.

Refresh

Update the list of email templates.

Edit

Modify the selected email template. For more information, see Modifying an email template.

Enabling email notifications

For users to receive email notifications, there are a few things you must configure properly.

To enable email notifications

  1. Users must set up their email address correctly.
    1. Local users:
      1. The Authorizer Administrator or User Administrator sets this up in the user's Contact Information. For more information, see Adding a user.

        -OR-

      2. Users set this up in their My Account settings. For more information, see User information and log out (desktop client).
    2. Directory users must have their email set in the Active Directory or LDAP domain.
  2. The Appliance Administrator must configure the SMTP server. For more information, see Email.

TIP: You can set up email subscriptions to any email event type through the API: https://<Appliance IP>/service/core/swagger/ui/index#/EventSubscribers. For more information, see How do I access the API.

Modifying an email template

Safeguard for Privileged Passwords provides default email templates for most events, such as when a password change fails or an access request is denied. However, you can customize individual email templates, for example to provide notification when emergency access is granted.

Each template corresponds to a single event type; the event triggers an email notification that uses the template.

To modify an email template

  1. Open the email template for editing. Navigate to Administrative Tools | Settings | External Integration | Email | Email Templates.
  2. In the Email Template dialog:
    1. Event: The event is selected when adding a new template. For more information, see Enabling email notifications.

    2. Subject: Edit the subject line for the email message.

      As you type, click Insert Event Property Macro to insert predefined text into the subject line. For example, you may create the following subject line:

      Approval is required for {{Requester}}'s request

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see the note at the end of this topic.)

      Limit: 1024 characters

    3. Reply to: Enter the email address of the person to reply to concerning this notification.

      Limit: 512 characters

    4. Body: Enter the body of the message.

      As you type, click Insert Event Property Macro to insert predefined text into the body. For example, you may create the following body for an email template:

      {{Requester}} has requested the password for {{AccountName}} on {{AssetName}}

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note below.)

      Limit: 16384 characters

    5. Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.

NOTE: Each event type supports specific macros that are appropriate for that type of event. Instead of inserting a macro with the button, you can type it directly into the subject line or body as a keyword surrounded by double braces. However, Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview.
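The procedure and note above describe the template behaviour: `{{Macro}}` keywords in the subject line and body are replaced with event data, and a macro the event type does not support renders as an empty string. The following code is an added example, not the product's template engine, that reproduces that behaviour and adds a pre-flight check reporting which macros in a customized template will come out blank. The event type names and the per-event list of supported macros are assumptions made for the example; the macro names themselves are the ones the guide's sample subject and body use.

```python
import re
from typing import Dict, Set

# Matches {{Name}} with optional whitespace inside the braces.
MACRO_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Hypothetical event types and the macros each one supports (assumption for the
# example; the real product defines its own per-event macro lists).
SUPPORTED_MACROS: Dict[str, Set[str]] = {
    "access_request_pending_approval": {"Requester", "AccountName", "AssetName"},
    "password_change_failed": {"AccountName", "AssetName"},
}


def render(template: str, event_type: str, properties: Dict[str, str]) -> str:
    """Expand {{Macro}} placeholders for one event.

    Macros the event type does not support, or whose value is absent, render
    as empty strings, matching the guide's note on unsupported macros.
    """
    allowed = SUPPORTED_MACROS.get(event_type, set())

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in allowed:
            return ""
        return str(properties.get(name, ""))

    return MACRO_RE.sub(substitute, template)


def unsupported_macros(template: str, event_type: str) -> Set[str]:
    """Return the macros in a template that this event type will not expand."""
    allowed = SUPPORTED_MACROS.get(event_type, set())
    used = {m.group(1) for m in MACRO_RE.finditer(template)}
    return used - allowed


def preview(subject: str, body: str, event_type: str, properties: Dict[str, str]) -> str:
    """Render subject and body together, the way the Preview Email dialog shows them."""
    return "Subject: " + render(subject, event_type, properties) + "\n\n" + render(body, event_type, properties)


if __name__ == "__main__":
    # Constructed sample event data.
    event = {"Requester": "jsmith", "AccountName": "root", "AssetName": "db01"}
    subject = "Approval is required for {{Requester}}'s request"
    body = "{{Requester}} has requested the password for {{AccountName}} on {{AssetName}}"

    print(preview(subject, body, "access_request_pending_approval", event))
    # The same body on an event type that does not support {{Requester}}
    # renders that macro blank:
    print(preview(subject, body, "password_change_failed", event))
    print("blank macros:", unsupported_macros(body, "password_change_failed"))
```

Running `unsupported_macros` over a customized subject and body before saving it catches the case the note warns about, where a macro copied from another template silently disappears from the delivered notification.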
