Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Auditor permissions

The Auditor administrator has read-only access to all features, and has the ability to review all access request activity:

  • Monitor appliance information
  • Review everything
  • Export object history
  • Run entitlement reports

There are two additional permission types available once the Auditor role is selected that will help provide limited auditor permissions should you prefer not to use the all-encompassing Auditor role (which incorporates both permission types):

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

Table 277: Auditor administrator: Permissions
Navigation Permissions

Dashboard

(View only) Access request and account automation

Activity Center

View and export activity events

Audit access request workflow

Reports

View and export reports

Administrative Tools | Toolbox

(View only) Access to all Administrative Tools views and the Tasks pane

Administrative Tools | Accounts

View only

Administrative Tools | Account Groups

View only

Administrative Tools | Assets

View only

Administrative Tools | Asset Groups

View only

Administrative Tools | Discovery

View only

Administrative Tools | Entitlements

View only

Administrative Tools | Partitions

View only

Administrative Tools | Settings:

 
  • Access Request
View only
  • Appliance

View only

  • Asset Management

View only

  • Backup and Retention
View only
  • Certificates
View only
  • Cluster
View only
  • External Integration
View only
  • Messaging

Login notification: View only.

Set message of the day.

  • Password Management

View only

  • Safeguard Access
View only
  • SSH Key Management

View only

Administrative Tools | Users

View only

Administrative Tools | User Groups

View only

Application Auditor

Application Auditor provides read-only access to features related to the functionality of Safeguard. The Application Auditor permissions correspond with the following roles, however only read-access is allowed:

  • Security Policy

  • Asset

System Auditor

System Auditor provides read-only access to features related to the operation of Safeguard. The System Auditor permissions correspond with the following roles, however only read-access is allowed:

  • Appliance

  • Operations

  • Help Desk

  • User

  • Global

Authorizer Administrator permissions

The Authorizer Administrator is the permissions administrator and performs the following:

  • Creates (or imports) Safeguard for Privileged Passwords users.
  • Grants administrator permissions to users.
  • Sets passwords, unlocks, and enables or disables both local and directory user accounts.
  • Creates and maintains the Local Password Rule.

The Authorizer Administrator also has User Administrator and Help Desk Administrator permissions.

IMPORTANT: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in.

Table 278: Authorizer Administrator: Permissions
Navigation Permissions

Activity Center

View and export user activity events, including authentication events.

Administrative Tools | Toolbox

Access to the Users and User Groups view.

Access to Tasks pane.

Administrative Tools | Settings

 
  • External Integration | Identity and Authentication

Add, update, and delete directories used for identity and authentication.

External Federation and Radius providers can be configured for authentication use.

  • Messaging

Login notification (view only).

Set message of the day.

  • Safeguard Access

Perform access activities including:

  • (View only) Login control configuration for user login settings.
  • Password rules configuration including complexity rules.
  • (View only) Time zone.

Administrative Tools | Users

Perform user actions including:

  • Add, modify, delete, or import local and directory users.
  • Set administrator permissions.

  • Set passwords and unlock users.

  • Enable or disable users.

Administration Tools | User Groups

Add or delete directory groups, if a directory has been added.

Help Desk Administrator permissions

A Help Desk Administrator:

  • Sets passwords for non-administrative user accounts.
  • Unlocks accounts for all user accounts.

NOTE: Help Desk Administrators can only view the user object history for their own account.

Table 279: Help Desk Administrator: Permissions
Navigation Permissions
Activity Center View and export user activity events.

Administrative Tools | Toolbox

Access to the Users view and the Tasks pane.

Administrative Tools | Settings

 
  • Messaging

View only: Login notification.

Set message of the day.

  • Safeguard Access

View only: Login control, password rules, and time zone.

Administrative Tools | Users

Set passwords and unlock accounts for non-administrator users.

A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password.

Operations Administrator permissions

The Operations Administrator monitors the status of the appliance and can reboot the appliance.

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.

Table 280: Operations Administrator: Permissions
Navigation Permissions

Activity Center

View and export appliance activity events.

Administrative Tools | Toolbox Access to the Tasks pane.

Administrative Tools | Settings | Access Request

(View only) Enable or disable configurations for:

  • Access requests
  • Password and SSH key management services
  • Discovery of objects
  • Directory sync
  • Session module password access

Administrative Tools | Settings | Appliance

Appliance actions including:

  • Appliance information and control:
    • The status of the appliance, performance, and memory.
    • Shut down or restart the appliance.
  • (View only) Enable or disable services including the Application to Application functionality and the Audit Log Stream Service.
  • (View only) Licensing to add or update the Safeguard for Privileged Passwords license.
  • Enable or disable Lights Out Management (BMC).
  • Network diagnostics to run diagnostic tests on your appliance.
  • (View only) Networking to view and configure the network interface and, if applicable, the sessions network interface.
  • (View only) Operating system licensing for the virtual appliance.
  • (View only) Time to enable Network Time Protocol and set the primary and secondary NTP server.

Administrative Tools | Settings | Backup and Retention

View only, except an Operations Administrator can take a backup. As mentioned earlier, it may appear the Operations Admin can edit data, but the operation cannot be saved.

  • Archive server
  • Audit log management
  • Backup and restore (can take a backup)
  • Backup retention

Administrative Tools | Settings | Certificates

View only:

  • Audit log signing certificate
  • Certificate signing request
  • SSL certificates
  • Trusted certificates

Administrative Tools | Settings | Cluster

View only:

  • Cluster management and health monitoring.
  • Managed networks definition for load distribution.
  • Offline workflow to trigger if an appliance has lost consensus to resume offline workflow.
  • Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable.

Administrative Tools | Settings | External Integration

View only:

  • Application to Application (A2A) configuration for application registrations.
  • Approval Anywhere service for access request approvals.
  • Email to send event notifications.
  • Identity providers and authentication providers to use when logging in; can view the grid but not details.
  • SNMP configuration to send SNMP traps to the SNMP console.
  • Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA).
  • Syslog server configuration to send event notifications.
  • Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system.

Administrative Tools | Settings | Messaging

Perform messaging activities including:

  • (View only) Login notification configuration.
  • Message of the day creation.

Administrative Tools | Safeguard Access

View only:

  • Login control configuration for user login settings.
  • Password rules configuration including complexity rules.
  • Time zone to set the time zone.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione