Reports allows the Auditor and Security Policy Administrators to view and export entitlement reports that show which assets and accounts a selected user is authorized to access. Reports may be exported in .csv or .json format.
Safeguard for Privileged Passwords provides these entitlement reports.
- User: Lists information about the accounts a selected user is authorized to request.
- Asset: Lists information about the accounts associated with a selected asset and the users who have authorization to request those accounts.
- Account: Lists detailed information about the users who have authorization to request a selected account including: Entitlement, Policy, Access Type, Password Included, Password Change, Time Restrictions, Expiration Date, Group, From Linked Account, and Last Accessed.
To run an entitlement report
- As Auditor, select Reports from the Safeguard for Privileged Passwords desktop Home page.
- Choose to view entitlements by Asset.
- Browse to select all assets and click OK.
- In the top pane of the results screen, select an asset to see the details.
- View both the Total Accounts tab and the People tab.
- Select an item from the results to drill down into the details about the users and the accounts.
- Click Export to create a file of the search results in a location of your choice.
- Log out.
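Once a report has been exported, the file can be reviewed outside the console. The following is an added example, not part of the product or its documentation: it reads an Account entitlement export in .csv form and flags rows with no expiration date, no time restrictions, or no recent access. The column names (taken from the field list above, plus a hypothetical User column), the date format, and the 90-day threshold are assumptions to check against a real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumed to match the Account
# report fields listed above; verify them against a real exported file.
SAMPLE_CSV = """User,Entitlement,Policy,Access Type,Password Included,Time Restrictions,Expiration Date,Last Accessed
alice,Unix Admins,Root Access,Password,True,Weekdays 08-18,2030-01-31,2024-05-28
bob,Unix Admins,Root Access,Password,True,,,2023-11-02
carol,DB Operators,DB Sessions,SSH,False,,2030-06-30,
"""


def review_entitlements(csv_text, today, stale_days=90):
    """Return {user: [findings]} for entitlement rows that merit review."""
    findings = {}
    cutoff = today - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        notes = []
        # Standing access with no end date.
        if not (row.get("Expiration Date") or "").strip():
            notes.append("no expiration date")
        # Access usable at any hour.
        if not (row.get("Time Restrictions") or "").strip():
            notes.append("no time restrictions")
        # Entitlement that is unused or has not been used recently.
        last = (row.get("Last Accessed") or "").strip()
        if not last:
            notes.append("never accessed")
        elif datetime.strptime(last, "%Y-%m-%d") < cutoff:  # assumed date format
            notes.append("stale: last accessed " + last)
        if notes:
            findings[row["User"]] = notes
    return findings


if __name__ == "__main__":
    report = review_entitlements(SAMPLE_CSV, datetime(2024, 6, 1))
    for user, notes in report.items():
        print(user, "->", "; ".join(notes))
```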
These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords discovery features:
Safeguard for Privileged Passwords allows you to set up Asset Discovery jobs to run automatically against the directory assets you have added to Safeguard for Privileged Passwords. For more information, see the Safeguard for Privileged Passwords Administration Guide, Asset Discovery section.
To create an Asset Discovery job using the Directory Method
- Log in as the Asset Administrator and navigate to Administrative Tools | Discovery | Asset Discovery tile.
- Click Add to create an Asset Discovery job.
- Provide information for the Asset Discovery job on the following tabs:
- Enter a name for the Asset Discovery job.
- For Partition, browse to select the partition.
- For Method, select Directory.
- In Directory, select the directory.
Click Add to create an Asset Discovery rule:
- Enter a Name for the rule.
- For the Settings, click Add Condition to define criteria, including the search scope in the directory, then click OK.
- On the Asset Discovery Rule dialog, for Connection Template, leave the default of None.
- For Asset Profile, use the default partition profile to govern the discovered assets.
- Keep the Managed Network default value and click OK.
- You can skip adding the schedule to run the Asset Discovery job since we will run the discovery job manually for this exercise.
- Review the discovery job and click Add Discovery.
- In the Asset Discovery dialog, select the job and click Run Now. The Tasks pop-up shows the progress of the Asset Discovery job.
- When the Tasks pop-up indicates that the job is successful (Success), click the Asset Discovery Results tile.
- In the Asset Discovery Results grid:
- Select Last 24 Hours.
- Click Refresh to show the latest data.
- Double-click an Asset Discovery job to see the result of the discovery.
- Click on the number of # Assets Found to view individual discovered assets.
To control management of an asset:
- Navigate to Administrative Tools | Assets.
- Right-click the asset then click Access Requests.
- Choose Enable Session Request or Disable Session Request.
Note: When you ignore an asset, Safeguard for Privileged Passwords disables it and disables/hides all associated accounts. If you later choose Enable Session Request for the asset, Safeguard for Privileged Passwords re-enables all the associated accounts.
- You can also search the Activity Center for information about discovery jobs that have run. This is the same information as presented in the Asset Discovery Results grid.
- Click Home.
- Under I would like to see, click Edit and select Asset Discovery Activity.
- Under ... occurring within the ..., click Edit and select Last 24 Hours.
- Keep the default of All Activity in the Last 24 Hours.
- Click the Run button.
- In the results grid, double-click the job to see more information, then click Details to show the progress of the Asset Discovery job.
- The Asset Discovery events are listed in the Activity Category column.
- To view all activity in the last 24 hours, return to the Activity Center dialog.
- Under I would like to see, click Edit and select All Activity.
- Click the Run button.
- In the grid, User column, click the filter, and select your User name.
- To display additional columns, click Column in the upper right corner and select additional columns, such as Appliance, Asset, Object Name, and Object Type.
- Double-click any of the rows to view additional information.
Set asset connection authentication credentials to define a service account
When None is selected as the Authentication Type, the discovered assets will not have a service account. In the next steps you will change the Authentication Type.
These steps provide valid information only if:
- You have created a directory asset and directory accounts that will be used as the service account for the Windows asset discovered.
- You have Linux assets that are discovered that have QAS installed and are joined to the directory.
- In Assets, select one of the newly discovered assets.
- On the General tab, double-click the Connection information box or click the Edit icon next to it.
- Choose an Authentication Type of Directory Account and provide the service account credentials.
Note: Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage passwords for the accounts on that asset.
Safeguard for Privileged Passwords allows you to set up Account Discovery jobs to run automatically against the assets it manages in the scope of a partition.
To create an Account Discovery job
- Log in as the Asset Administrator and navigate to Administrative Tools | Discovery | Account Discovery tile.
- Click Add to create a new Account Discovery job.
- Browse to select a partition.
- Enter a Name for the setting, such as Daily. Description is optional.
- Select the Discovery Type, which is the platform (for example, Windows, Unix, or Directory). Make sure the Discovery Type is valid for the assets associated with the Partition selected earlier on this dialog. If the Discovery Type is Directory, select the directory on which the Account Discovery job runs.
- Schedule the discovery job to run daily starting in about five minutes.
- In Rules, click Add to add a rule. Enter a Name, select Find All in Find By, and click OK.
Note: If you opt to experiment with finding accounts based on rules, note that all search terms return exact matches and are case-sensitive.
- Click OK to save the Account Discovery job.
- Wait for the Account Discovery job to run.
- After the Account Discovery job runs, view the job results and the accounts discovered. At any time, click Refresh to update the information.
- Click the Account Discovery Results tile to see the results of the discovery job run.
- Click the Discovery Accounts tile to see the accounts that were discovered.
- You can also search the Activity Center for information about discovery jobs that have run. This is similar to the information presented in the Account Discovery Results grid.
- Under I would like to see, click Edit and select Password Management Activity.
- Click the Run button.
- In the Events column, the Account Discovery events display.