Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding a custom platform

It is the responsibility of the Asset Administrator to configure the rules so Safeguard for Privileged Passwords handles custom platforms. The custom platform script must be available for uploading. For more information, see Creating a custom platform script..

To add a custom platform

  1. Have the custom platform script file available to upload.
  2. Navigate to:
    • web client: Asset Management > Connect and Platforms > Custom Platforms.
  3. Click  Add.
  4. These fields display:
    1. Name: Enter the unique name of the platform type, which may be a product name.
    2. Platform Script: Click Browse. Navigate to and select the script file. Click Open. The selected custom platform script file displays.

    3. Select the Allow Sessions Requests check box to allow session access requests. This check box is typically selected for SSH. Clear the Allow Sessions check box to prohibit session access requests.
  5. Click OK. If the custom platform script has errors, an error message like the following displays: Definition was not a valid json object .

Importing objects

Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click  Import from the toolbar then click Download Template. The hard limit on file size 100 MiB. For more information, see Creating an import file.

To import Assets and Users

  1. Navigate to Assets or Users based on what data you are importing.

  2. Click Import from the toolbar.

  3. In the Import dialog, click Import to select an existing .csv file containing a list of objects to import.

  4. Click OK. Safeguard for Privileged Passwords imports the objects into its database. The dialog will update as the import progresses and will alert you should any errors be found.

To import Accounts

  1. Navigate to Accounts.

  2. Click  Import from the toolbar.

    When importing accounts, you can import accounts, passwords and SSH keys separately. In this case, the Import button works as a drop-down. First, you need to import accounts. Select Import Accounts.

    Then, depending on what data you want to import, select Import Passwords or Import SSH Keys.

  3. In the Import dialog, click Import to select an existing .csv file containing a list of objects to import.

  4. Click OK. Safeguard for Privileged Passwords imports the objects into its database. The dialog will update as the import progresses and will alert you should any errors be found.

When importing Starling User accounts from Microsoft Azure Active Directory (AAD), there are some expected differences.

For Starling type Identity Provider required fields are:

  • Name: This must have an entry of the user UserPrincipalName. Any other entry will be overwritten.

  • PrimaryAuthenticationProvider/Name: This will be the Starling provider name.

  • PrimaryAuthenticationProvider/Identity: This is the AAD user Id.

  • IdentityProvider/Name: This tells the import what type of user to import.

The following fields will be populated from the AAD user properties. An entry for these fields in the CSV import file will be overwritten by the information from AAD.

  • FirstName

  • LastName

  • EmailAddress

  • MobilePhone

  • WorkPhone

For more information about asset creation, see Adding an asset.

Creating an import file

When importing objects, such as accounts, assets, or users, Safeguard for Privileged Passwords expects the import file to be a Comma Separated Values (CSV) file.

A CSV file is a text file used to store database entries where each line is a unique record and each record consists of fields of data separated by commas. You must not add any trailing spaces in the properties you define in the CSV file. The easiest way to create a CSV file is by using a spreadsheet program such as Microsoft Excel; however, you can use any text editor, such as Notepad, to create a comma-delineated file, as long as you save the file with a .csv file type extension.

The order of the columns is not important, but the title of the column must match the property name.

To create a customized .csv file template

  1. In the Import dialog, click Download Template to save a copy of the template properties table to a location of your choice.

  2. Locate the downloaded template and add your specific information to the template.

  3. Use the customized .csv file to import the objects.

    For more information on columns, see Template CSV file.

Template CSV file

Clicking Download Template will download a template file in which the columns will match the export column names. The following is a list of columns in each template.

Asset template

The Asset template CSV contains the following columns:

  • Name: A string containing the display name for this asset.

  • PlatformDisplayName: A string containing the name of the Platform for this asset.

  • Description: A string containing a description for this asset.

  • AssetPartitionName: A string containing the name of the Partition for this asset.

  • NetworkAddress: A string containing the network address for this asset.

  • ConnectionProperties/Port: An integer containing the port for this asset.

  • ConnectionProperties/ServiceAccountDomainName: A string containing the service account domain name if it has one.

  • ConnectionProperties/ServiceAccountName: A string containing the service account name.

  • ConnectionProperties/ServiceAccountPassword: A string containing the password to use for the service account.

  • ConnectionProperties/ServiceAccountCredentialType: A string specifying the type of credential to use to authenticate to the asset.

    The possible values are None, Password, SshKey, DirectoryPassword, LocalHostPassword, AccessKey, AccountPassword, Custom, Starling.

  • ConnectionProperties/AccessKeyId: A string containing an access key ID for AWS password management.

  • ConnectionProperties/SecretKey: A string containing a secret key for AWS password management.

  • ConnectionProperties/ServiceAccountDistinguishedName: A string containing the LDAP distinguished name of a service account. This is used for creating LDAP directories.

  • ConnectionProperties/UseSslEncryption: Do not use SSL encryption for LDAP directory, valid values are true, false, or leave it empty.

  • ConnectionProperties/VerifySslCertificate: Do not verify Server SSL certificate of LDAP directory, valid values are true, false, or leave it empty.

  • ConnectionProperties/PrivilegeElevationCommand: A string containing the privilege elevation command, ex. sudo.

  • ConnectionProperties/ServiceAccountSshKey/PrivateKey: A string containing the service accounts private key.

  • ConnectionProperties/ServiceAccountSshKey/Passphrase: A string containing the passphrase to access the service account private key, blank if not needed.

  • SshHostKey/SshHostKey: A string specifying the SSH host key for this asset.

AssetAccount template

The AssetAccount template CSV contains the following columns:

  • Name: A string containing the name for the account.

  • Description: A string containing the description for the account.

  • DomainName: A string containing the domain name for the account.

  • DistinguishedName: A string containing the distinguished name for the account.

  • Asset/Name: A string containing the asset that contains this account.

AssetAccountPassword template

The AssetAccountPassword template CSV contains the following columns:

  • Name: A string containing the name of the account to set the password on.

  • Asset/Name: A string containing the name of the asset that contains this account.

  • Asset/AssetPartitionName: A string containing the name of the partition of the asset that contains this account.

  • Password: A string containing the password to set on this accout.

AssetAccountSshKey template

The AssetAccountSshKey template CSV contains the following columns:

  • Name: A string containing the name of the account to set the SSH key on.

  • Asset/Name: A string containing the name of the asset that contains this account.

  • Asset/AssetPartitionName: A string containing the name of the partition of the asset that contains this account.

  • PrivateKey: A string containing the Private Key.

  • Passphrase: A string containing the passphrase to access the Private Key, blank if not needed.

  • Comment: A string containing the SSH Key comment.

User template

The User template CSV contains the following columns:

  • Name: A string containing the username to give to the new user.

    NOTE: Names must be unique per identity provider.

  • FirstName: A string containing the first name of the user.

  • LastName: A string containing the last name of the user.

  • Description: A string containing the description of the user.

  • EmailAddress: A string containing the email address of the user.

  • WorkPhone: A string containing the work phone number of the user.

  • MobilePhone: A string containing the mobile phone number of the user.

  • AdminRoles: A string containing the permissions (admin roles) to assign to the user.

    Use the following format: "[""permission"",""permission"",""permission""]"

    The valid values are GlobalAdmin, ApplicationAuditor, SystemAuditor, Auditor, AssetAdmin, ApplianceAdmin, PolicyAdmin, UserAdmin, HelpdeskAdmin, OperationsAdmin.

  • DirectoryProperties/DomainName: A string containing the DNS name of the domain this user is in.

  • PrimaryAuthenticationProvider/Name: A string containing the name of the authentication provider.

  • PrimaryAuthenticationProvider/Identity: A string containing the identity of the user to authenticate with.

  • Password: A string containing the password.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione