Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

About profiles

The profile includes the schedules and rules governing the partition’s assigned assets and the assets' accounts. For example, the profile defines how often a password check is required on an asset or account.

A partition can have multiple profiles, each assigned to different assets, if desired. An account is governed by only one profile. If an account is not explicitly assigned to a profile, the account is governed by the one assigned to the parent asset. If that asset does not have an assigned profile, the partition's default profile is assigned. When updating or restarting a service on a password change, the profile assigned to the asset is used for dependent account service modifications.

When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. You can create multiple profiles to govern the accounts assigned to a partition. Both assets and accounts are assigned to the scope of a profile.

For example, suppose you have an asset with 12 accounts and you configure the profile to check and change passwords every 60 days. If you want the password managed for one of those accounts every seven days, you can create another profile and add the individual account to the new profile. Now, Safeguard for Privileged Passwords will check and change all the passwords on this asset every 60 days except for this account, which will change every seven days.

Implicit and explicit association

It is important to understand the difference between implicit and explicit assignments to a profile.

Implicit associations

Safeguard for Privileged Passwords makes implicit assignments. For example, when you add an asset to Safeguard for Privileged Passwords, it automatically adds the asset to the default partition and assigns it to the scope of the default profile. This is called implicit association. Assets implicitly inherit the partition's default profile. Similarly, accounts inherit their parent asset’s profile. That means when you add an account to an asset, Safeguard for Privileged Passwords implicitly adds that account to its asset’s profile.

Later, if you reassign the asset to another profile, Safeguard for Privileged Passwords automatically reassigns all of the asset’s associated accounts to the new profile.

Explicit associations

Safeguard for Privileged Passwords allows you to explicitly add an asset or an account to a specific profile. When you explicitly assign an asset to a profile, it overrides the implicit inheritance from the partition so the asset's profile is no longer determined by its partition. Similarly, when you explicitly assign an account to a profile, Safeguard for Privileged Passwords overrides the implicit inheritance from the asset and the account’s profile is no longer determined by its asset.

Now, if you reassign the asset to another profile, Safeguard for Privileged Passwords will not reassign the asset’s associated accounts that were explicitly assigned to the old profile.

Resetting the default profile

If you set another profile as the default, Safeguard for Privileged Passwords implicitly reassigns all assets and their associated accounts to that new default, but it will not reassign any assets or accounts that you have explicitly assigned to a profile. Once the implicit inheritance is broken, changing a partition's default profile has no effect on the scope of a profile. For more information, see Setting a default profile.

Related Topics

Assigning assets or accounts to a password profile and SSH key profile

Assigning a profile to an asset

Password Profiles

SSH Key Profiles

How do I manage accounts on unsupported platforms

Properties tab (partitions)

The Properties tab lists information about the selected partition.

To access Properties:

  • web client: Navigate to Asset Management > Partitions > (View Details) > Properties.

Table 107: Partitions Properties tab: General properties
Property Description
Name

The partition name.

Description

Information about the selected partition.

Delete: Click this button to delete the selected partition.

Assets tab (partitions)

The Assets tab displays the assets assigned to the selected partition.

Click Add Asset from the details toolbar to add one or more assets to the selected partition.

To access Assets:

  • web client: Navigate to Asset Management > Partitions > (View Details) > Assets.
Table 108: Partitions: Assets tab properties
Property Description
Name

The asset name.

Password Profile The name of the profile that manages the asset.

SSH Key Profile

The name of the SSH key profile.

Account Discovery Job

The Account Discovery job assigned to discover accounts on this asset that meet the rules criteria. Each asset in a partition can have a separate and unique Account Discovery job.

Asset Discovery Job

The Asset Discovery job assigned to discover assets by searching directory assets, such as Active Directory, or by scanning network IP ranges in the partition that meet the rules criteria. An asset can be read-access available for Asset Discovery jobs beyond partition boundaries. For more information, see Management tab (add asset).

Platform

The platform of the selected asset.

Session Request A check in this column indicates that session access requests are enabled for the asset.
Disabled

A check in this column indicates the asset is disabled.

Product License

If applicable (for example, for a Windows asset), indicates your license model, such as System or Desktop.

Connection Type

The connection authentication type for the asset, such as Password, SSH Key, Directory Account, Local System Account, and so on. For more information, see Connection tab (add asset).

Description

Descriptive information entered when the asset was added.

Use these buttons on the details toolbar to manage the assets assigned to the selected partition.

Table 109: Partitions: Assets tab toolbar
Option Description

Add Asset

Add one or more assets to the selected partition.

Delete

Remove the selected asset from the partition.

View Details

Edit the selected asset.

Access Request

Select Enable Session Request to allow session requests for the selected asset. Select Disable Session Request to disallow session requests for the selected asset.

SSH Host Key This option allows you to manually add the host key to an asset in cases where Safeguard for Privileged Passwords cannot discover the asset automatically (such as for an Other Directory asset).

Test Connection

Select to verify that Safeguard for Privileged Passwords can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity.

Syncronize Now

Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.

  • Discover Accounts
  • Run the Account Discovery job.
  • Enable-Disable

    Select one of the following:

    Select Enable to have Safeguard for Privileged Passwords manage a disabled partition.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected partition.

    Show Disabled

    Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and clicking Enable-Disable.

    Hide Disabled

    Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and clicking Enable-Disable.

    Export

    Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

    Refresh

    Retrieve and display an updated list of assets associated with the selected partition.

    Search

    To locate a specific asset in this list, enter the character string to be used to search for a match. For more information, see Search box.

    Related Topics

    Adding assets to a partition

    Removing assets from a partition

    Accounts tab (partitions)

    The Accounts tab displays the accounts assigned to the selected partition.

    NOTE: By default, all accounts associated with an asset are assigned to the same profile, but you can reassign them. For more information, see Creating a password profile.

    To access Accounts:

    • web client: Navigate to Asset Management > Partitions > (View Details) > Accounts.
    Table 110: Partitions: Accounts tab properties
    Property Description
    Name

    The account name.

    Domain Name

    The domain name of the account if the account is an Active Directory account. Used to help determine uniqueness.

    Parent The partition in which the asset where the account resides.
    Password Profile The name of the profile that manages the account.

    SSH Key Profile

    The name of the SSH key profile that governs the accounts assigned to a partition.

    Service Account A check in this column indicates that the account is a service account.
    Password Request A check in this column indicates that password release requests are enabled for the account.
    Session Request A check in this column indicates that session access requests are enabled for the account.

    SSH Key Request

    A check in this column indicates that SSH key release requests are enabled for the account.

    Disabled

    A check in this column indicates the account is disabled.

    Password A check in this column indicates a password is set for the account. For more information, see Checking, changing, or setting an account password.

    SSH Key

    A check in this column indicates an SSH key is set for the account. For more information, see Checking, changing, or setting an SSH key.

    Description

    Descriptive information entered when the account was added.

    Tags

    The tags associated with the account.

    Use these buttons on the details toolbar to manage the accounts assigned to the selected partition.

    Table 111: Partitions: Accounts tab toolbar
    Option Description
    New Account

    Add accounts to the selected partition. For more information, see Adding an account to a partition.

    Delete

    Remove the selected account from the partition.

    View Details

    View additional information on the selected account.

    Account Security

    Menu options include:

    • Password Archive

    • SSH Key Archive

    Access Request

    Select an option to enable or disable access request services for the selected partition. Values are derived from whether the platform of the asset indicates it supports any of the following: Password Request, SSH Key Request, Session Request. You can enable or disable Password Request, Session Request, and SSH Key Request, as needed.

    Service Accounts are created when the Asset is created and by default are not enabled for session or password access.

    Discovered Accounts are controlled by the Account Discovery template that is used in discovering the accounts. They are a property of the rule template of the Account Discovery job. For more information, see Adding an Account Discovery rule.

  • Discover SSH Keys
  • Run the SSH Key Discovery job associated with the account.
  • Enable-Disable

    Select Enable to have Safeguard for Privileged Passwords manage a disabled partition.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected partition.

    Export

    Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

    Refresh

    Update the list of asset accounts.

    Search

    To locate a specific asset account or set of accounts in this list, enter the character string to be used to search for a match. For more information, see Search box.

    Documents connexes

    The document was helpful.

    Sélectionner une évaluation

    I easily found the information I needed.

    Sélectionner une évaluation