The Operations Administrator view access to the information available to the Appliance Administrator. The Operations Administrator also can take backups, reboot the appliance, and monitors the status of the appliance.
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.
Table 205: Operations Administrator: Permissions
Activity Center |
View and export appliance activity events. |
Administrative Tools | Toolbox |
Access to the Tasks pane. |
Administrative Tools | Settings: |
|
- Access Request | Enable or Disable Services
|
View only. |
|
Monitor the status of the appliance.
Shutdown or restart the appliance.
Generate a support bundle to assist technical support.
View licensing information.
View Networking settings.
Edit operating system license.
View Time settings. |
|
In a future release, only take a backup. It may appear the Operations Admin can edit data, but the change cannot be saved.
- Archive server
- Audit log management
- Backup and restore (only take a backup)
- Backup retention
|
|
View only. |
|
View only. Monitor the status of the clustered environment. |
|
View only. For Identity and Authentication, the grid displays but the details are not available. |
|
Login notification: View only.
Set message of the day. |
|
View only. |
The Security Policy Administrator configures the security policies that govern the access rights to accounts and assets, including the requirements for checking out passwords, such as the maximum duration, if password reasons are required, if emergency access is allowed, and so on. This user may not know any details about the assets.
This user configures time restrictions for entitlements and who can request, approve and review access requests.
- Creates account groups, asset groups, and user groups.
- Creates entitlements.
- Configures access request policies.
- Adds users or user groups to entitlements to authorize those accounts to request passwords.
- Can assign linked accounts to users for entitlement access policy governance.
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
Table 206: Security Policy Administrator: Permissions
Dashboard | Access Requests |
Full control to manage access requests. |
Activity Center |
View and export security-related activity events, including access request events.
Audit access request workflow. |
Reports |
View and export entitlement reports. |
Administrative Tools | Toolbox |
Access to the Account Groups, Asset Groups, Entitlements, Users, and User Groups view.
Access to the Tasks pane. |
Administrative Tools | Account Groups |
Add, modify, or delete account groups.
Add accounts to account groups.
Assign policies to account groups. |
Administrative Tools | Asset Groups |
Add, modify, or delete asset groups.
Add assets to asset groups.
Assign policies to asset groups. |
Administrative Tools | Entitlements |
Add, modify, or delete entitlements.
Add users or user groups to entitlements.
Define and maintain access request policies.
Assign policies to entitlements. |
Administrative Tools | Settings: |
|
|
Add, modify, or delete reason codes. |
- Cluster | Session Appliances
|
If Safeguard for Privileged Passwords (SPP) is joined to Safeguard for Privileged Sessions (SPS), view the appliance information for the join. |
- External Integration | Application to Application
|
Add, modify, or delete application registrations. |
- External Integration | Approval Anywhere
|
Configure Approval Anywhere service for access request approvals. |
- External Integration | Starling
|
If Safeguard for Privileged Passwords is joined to Starling, view the Starling join information. |
- External Integration | Ticket Systems
|
If Safeguard for Privileged Passwords is configured to use tickets (generic tickets or with an external ticketing system), view the ticket information. |
- Messaging | Message of the Day
|
Login notification: View only.
Set message of the day. |
Administrative Tools | Users |
Add users to user groups. Add users to entitlements. Link directory accounts to a user. View and export the history of users. |
Administrative Tools | User Groups |
Add, modify, or delete local user groups.
Add local or directory users to user groups.
Assign entitlements to user groups. |
The User Administrator:
- Creates (or imports) Safeguard for Privileged Passwords users.
- Grants Help Desk Administrator permissions to users.
- Sets passwords, unlocks users, and enables or disables non-administrator user accounts.
- Also has Help Desk Administrator permissions.
NOTE: User Administrators cannot modify administrator passwords, including their own.
Important: User Administrators can change the permissions for their own account, which may affect their ability to grant Help Desk Administrator permissions to other users. When you make changes to your own permissions, they take effect next time you log in.
Table 207: User Administrator: Permissions
Activity Center |
View and export user activity events. |
Administrative Tools | Toolbox |
Access to the Users and User Groups view.
Access to Tasks pane. |
Administrative Tools | Settings: |
|
- External Integration | Identity and Authentication
|
View only. |
- Messaging | Message of the Day
|
Login notification: View only. Set message of the day. |
- Safeguard Access | Login Control
|
View only. |
- Safeguard Access | Password Rules
|
View only. |
- Safeguard Access | Time Zone
|
View only. |
Administrative Tools | Users |
Add, modify, delete or import local and directory users.
Set passwords and unlock accounts for non-administrator users. A Help Desk Administrator can unlock another Help Desk user but cannot set that user's passwrod.
Enable or disable non-administrative users.
Set Help Desk Administrator permissions. |
Administrative Tools | User Groups |
Add or delete directory groups, if a directory has been added to Safeguard for Privileged Passwords. |
Before you add systems to Safeguard for Privileged Passwords (Adding an asset), you must ensure they are properly configured.
Generally, to prepare an asset for Safeguard for Privileged Passwords:
-
Create a functional account (called a "service" account in Safeguard for Privileged Passwords) on the asset and assign it a password.
- Grant the service account sufficient permissions.
- Test the service account connectivity.
- Configure the security protocol.
-
For platforms that support SSL server certificate validation, add the server’s signing authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords. For more information, see Trusted Certificates.
The following topics can help you prepare your hosts for management by Safeguard for Privileged Passwords:
Safeguard for Privileged Passwords supports a variety of platforms. For more information, see Supported platforms.