Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 2.11 - Evaluation Guide

Exercise 2: Testing time restrictions

Now that you have seen the end-to-end password release process from request to approval to review, let's demonstrate how the entitlement and policy time restrictions affect a password request.

An entitlement's time restrictions enforce when Safeguard for Privileged Passwords uses a policy; a policy's time restrictions enforce when a user can access the account passwords. If the entitlement and the policy both have time restrictions, the user can only check out the password for the overlapping time frame.

Time restrictions control when the entitlement or policy is in effect relative to a user's time zone. Although Safeguard for Privileged Passwords Appliances run on Coordinated Universal Time (UTC), the user's time zone enforces the time restrictions set in the entitlement or policy. This means that if the appliance and the user are in different time zones, Safeguard for Privileged Passwords enforces the policy in the user's time zone set in his account profile.

Test: Entitlement time restrictions

  1. In the desktop client, as PolicyAdmin, navigate to Entitlements.
  2. Navigate to the General tab of the Linux Password Requests entitlement.
  3. Set the entitlement Time Restrictions to allow users to access passwords only during their lunch hour Monday through Friday.
  4. As Joe, assuming that it is currently not during your lunch hour, request a password for a Linux account, for a duration of five minutes.

    • Did Safeguard for Privileged Passwords allow you to check out this password? The request dialog disables the Request Immediately option. The request time will automatically be set for the next unrestricted time frame that allows the account password to be requested.
  5. Cancel the request (or return to your Home page).

Test: Entitlement expiration

  1. As PolicyAdmin, set the Time Restrictions for the Linux Password Requests role to 8:00 a.m. to 5:00 p.m. Monday through Friday.
  2. While you are in Time Restrictions, set this entitlement to expire today in 1 minute from now.
  3. Wait for the entitlement to expire.
    • Did you see Safeguard for Privileged Passwords's notification?

      Note: If you do not see the notification refresh your screen.

  4. As Joe, request a password for a Linux account.
    • Notice that the account is not available to check out. Safeguard for Privileged Passwords does not allow you to checkout accounts associated with expired entitlements.
  5. As PolicyAdmin, remove the expiration time from the Time Restrictions, but leave the entitlement Time Restrictions enforced.
  6. As Joe, request a password for the same Linux account.
    • Observe that you are now allowed to request passwords for the Linux Password Requests accounts.
  7. Cancel the request (or return to your Home page).

Test: Policy time restrictions

  1. As PolicyAdmin, set the policy Time Restrictions for the Weekday Maintenance Policy to allow users to access passwords 8:00 a.m. to 5:00 p.m. Monday through Friday.
  2. As Joe, request a password for the Windows account for Sunday at 2:00 p.m.
    • This request was denied because the Weekday Maintenance Policy does not allow you to check out accounts on Sunday.
  3. Cancel the request (or return to your Home page).

Exercise 3: Testing priorities

To determine which policy to use for a password release, Safeguard for Privileged Passwords considers both entitlement and policy priorities. Safeguard for Privileged Passwords first considers the entitlement priority, then the priorities of policies within that entitlement.

Test: Entitlement priorities

To test entitlement priorities, an account must be governed by two different entitlements.

  1. In the desktop client, as PolicyAdmin, navigate to Entitlements.
  2. Verify that the Linux Password Requests entitlement is priority #1.

    Note:Safeguard for Privileged Passwords displays the priority number under the entitlement name.

  3. In Account Groups, add the Windows account to the Linux Servers Accounts group.
  4. As Joe, request a password for the Windows account, for Sunday at 9:00 a.m.
    • Are Reasons and a Comment required? If so, then you know that Safeguard for Privileged Passwords used the entitlement; the Windows Password Requests entitlement does not require Reasons or Comments.
    • Did the Time Restriction prevent you from checking out this password? The Linux Password Requests entitlement only allows you to checkout passwords Monday through Friday, from 8:00 a.m. to 5:00 p.m.
  5. Cancel the request.
  6. As PolicyAdmin, change the priority of these entitlements, making the Windows Password Requests priority #1, and run through this test again to see if you get different results.
    • Are Reasons and a Comment required? If not, then you know that Safeguard for Privileged Passwords used the Windows Password Requests entitlement as it does not require Reasons or Comments.
    • Did the Time Restriction prevent you from checking out this password? The Weekday Maintenance Policy only allows you to checkout passwords Monday through Friday, from 8:00 a.m. to 5:00 p.m.
  7. Before you leave this test, change the priority back and remove the Windows account from the Linux Servers Accounts group.

Test: Policy priorities

To test policy priorities, an account must be in the scope of two policies within the same entitlement.

  1. Log in as PolicyAdmin and navigate to Administrative Tools.
  2. In Entitlements, add this new policy to the Windows Password Requests entitlement:

    General tab:

    • Policy Name: Sunday Maintenance Policy.
    • Description: The rules that define the request, approval, and review of password requests for the Windows Server Accounts on Sundays.
    • Access Type: Password Release

    Scope tab:

    • Windows Server Accounts group

    Requester tab:

    • Select all Reasons.
    • Require a Reason.
    • Require a Comment.
    • Select the Allow Requester to Change Duration option.

    Approver tab:

    • Require one person to approve a password request, then select the Abe account.

    Reviewer tab:

    • Require one person to review a past password release, then select the Ralph account.

    Access Config tab:

    • Ensure access type is Password Release
    • Select the Change password after Check-in check box.

    Time Restrictions tab:

    • Allow users to checkout passwords only on Sunday.

    Emergency tab:

    • Enable Emergency Access.
  3. Verify that the Weekday Maintenance Policy is priority #1.
  4. As Joe, request a password for the Windows account, for Sunday at 9:00 a.m.
    • Are you required to add a Reason for your password request?

      If not, then you know Safeguard for Privileged Passwords used the Weekday Maintenance Policy which does not have Reasons or Comments enabled.

    • Did the Time Restrictions prevent you from checking out this password?

      The Weekday Maintenance Policy does not permit you to request a password on Sunday.

  5. Cancel the request.
  6. As PolicyAdmin, change the priority of these policies, making the Sunday Maintenance Policy priority #1, and run through this test again to see if you get different results.
    • Are you required to add a Reason for your password request?

      If so, then you know Safeguard for Privileged Passwords used the Sunday Maintenance Policy; the Weekday Maintenance Policy does not have Reasons or Comments enabled.

    • Did the Time Restrictions prevent you from checking out this password?

      The Sunday Maintenance Policy permits you to request a password on Sunday.

  7. Before you leave this test, change the policy priority back.
  8. Cancel the request and log out.

Sessions access request exercises

The embedded sessions module in Safeguard for Privileged Passwords allows you to issue privileged access to users for a specific period or session and gives you the ability to record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements.

CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.

Before you begin:
  • Appliance Administrator:
    • Ensure the embedded sessions module for Safeguard for Privileged Passwords is licensed (Settings | Appliance | Licensing).
    • Ensure the Network Interface X1 is configured (Settings | Appliance | Networking).
    • Ensure the session request service is enabled (Settings | Access Request | Enable or Disable Services).
    • Safeguard for Privileged Passwords ships with default session certificates; however, it is recommended that you replace the default certificate with your own (Settings | Certificates | Session Certificates).
  • Security Policy Administrator: Ensure there is an entitlement with an access request policy for both SSH and RDP sessions defined. For more information, see Writing entitlements.
  • Ensure Remote Desktop is enabled for Windows machines that will use RDP.
  • Ensure the necessary SSH algorithms are configured for any Unix or Linux machines that will use SSH.

    NOTE:Safeguard for Privileged Passwords ships with default SSH algorithms configured for Unix and Linux machines. To add new algorithms, use the API endpoint:

    https://<Appliance IP>/service/core/swagger/SessionsSSHAlgorithm

These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords session request workflow process:

Exercise 1: Testing the SSH session request workflow

This exercise demonstrates the SSH session request workflow from request to approval to review.

Test: Request session

As Joe, the Requester user, perform the following.

  1. On your Home page, select New Request.
    • Request an SSH session for a Linux account.
    • Notice how the policy configuration dictates the user experience. For example, you are required to enter a reason and a comment.
  2. Open Requests and review your pending request.

Test: Approve sessions request

(web client) Did you receive a notification on your mobile phone? You can approve the request from your mobile device without being logged into Safeguard for Privileged Passwords. As Abe, the Approver user, click Approvals on the left of the page to complete the approval.

(desktop client) If you'd rather approve it using the desktop client proceed to the steps below.

As Abe, the Approver user, follow these steps:

NOTE: Notice Abe has an additional authentication step to take in order to log in to Safeguard for Privileged Passwords. In addition, since you have set up Approval Anywhere, you can use the Starling 2FA app on your mobile phone to complete the login process.
  1. Open Approvals and review the request waiting for your approval.
  2. Select Approve/Deny to approve Joe's session request.

Test: Launch the SSH session

As Joe, follow these steps:

  1. Once the session becomes Available, open the session request and select Launch SSH client.

    In the web client, a session will launch if you have an application registered (ssh:// for SSH protocol).

    In the desktop client, the PuTTy Configuration dialog displays pre-populated with the required information. Click Open.

  2. Accept the security certificate to continue.
  3. Perform various commands on the test server.
  4. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  5. Select Check-In to complete the checkout process for the sessions request.

Test: Review a completed sessions request

  1. As Ralph, the Reviewer user.
  2. In the web client:
    1. Select Reviews on the left of the page to manage reviews.
    2. Select the request.
    3. Enter a comment.
    4. Click to mark the request as reviewed.
  3. In the desktop client:
    1. Open Reviews and review the request that is waiting for your review. 
    2. Select Workflow to view the transactions that took place as part of the request.

      1. Since Record Sessions is enabled in the policy, on the Initialize Session event, click Play to replay the session.
      2. Since Enable Command Detection is enabled in the policy, on the Initialize Session event, click the events link to view a list of the commands and programs run during the session.
    3. Select Review to complete the review process.
Documents connexes