Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

After joining Starling

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled:

Features using Starling Two-Factor Authentication:
  • Secondary authentication

    Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.

    A Starling 2FA authentication provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging into Safeguard for Privileged Passwords. For more information, see Configuring user for Starling Two-Factor Authentication when logging in to Safeguard.

  • Approval Anywhere

    IMPORTANT: The Cloud Assistant feature is designed to replace the Approval Anywhere feature which will be deprecated in a future Safeguard for Privileged Passwords release. Current Approval Anywhere users are encouraged to begin switching to Cloud Assistant as soon as possible.

    The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.

    Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere. For more information, see Adding authorized user for Approval Anywhere.

Feature using Starling Connect
  • Starling Connect Registered Connectors

    This feature integrates your Starling connectors with Safeguard for Privileged Passwords. This allows for the accounts stored in the connectors to be discovered and controlled by Safeguard for Privileged Passwords through the use of partitions which allow for rotating passwords to provide additional security for them. For more information, see Registered Connectors

Feature using Starling Cloud Assistant
  • Cloud Assistant

    The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the Safeguard for Privileged Passwords web application.

    The Cloud Assistant feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration | Starling pane.

Starling as an identity provider

Once Safeguard for Privileged Passwords has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.

Using Starling as an identity provider

  1. Join Safeguard for Privileged Passwords with Starling. For more information, see Join Starling.

  2. Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.

  3. In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.

    To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication

    NOTE: You cannot use the Add OpenID Connect Application with Safeguard for Privileged Passwords.

  4. Finally, you will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.

    Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory based identity providers (such as, Active Directory and LDAP) and the user information will be periodically synchronized from Starling.

    IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.

Unjoin Starling

It is the responsibility of the Appliance Administrator to unjoin One Identity Safeguard for Privileged Passwords from Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

To unjoin Safeguard for Privileged Passwords from Starling

  1. Go to Starling:
    • web client: Navigate to External Integration | Starling.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Starling.
  2. Click Unjoin Starling.
  3. Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Approval Anywhere, two-factor authentication as a secondary authentication provider, Starling identity providers, and integrated connectors are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.

    IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.

Cloud Assistant

The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the Safeguard for Privileged Passwords web application.

The Cloud Assistant feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

Go to Cloud Assistant:

  • web client: Navigate to Security Policy Management | Cloud Assistant.

The Cloud Assistant pane displays the following about the users authorized to use the feature.

Table 216: Cloud Assistant: Properties
Setting Description

Name

Name of the Safeguard for Privileged Passwords user.

NOTE: This user must also be added as an approver in an access request policy.

Username

The username associated with the account.

Authentication Provider

The type of authentication provider.

Identity Provider

The name of the authentication provider for the account.

Domain Name

The name of the domain where the account it located.

Email Address

Valid email address for the authorized user.

Use these toolbar buttons to manage the users authorized to use Cloud Assistant.

Table 217: Cloud Assistant: Toolbar
Setting Description

Add

Add Safeguard for Privileged Passwords users who are authorized to use this feature to approve (or deny) access requests.

NOTE: These same users must also be added as approvers in an access request policy.

Remove

Remove the selected user as an authorized user.

Refresh

Update the list of users authorized to use Cloud Assistant.

Adding authorized user for Cloud Assistant

Once Safeguard for Privileged Passwords is joined to Starling, use the Cloud Assistant page to add the Safeguard for Privileged Passwords users that can use the Cloud Assistant feature to approve access requests.

To add users who are authorized to use Cloud Assistant

IMPORTANT: The user information configured in Safeguard for Privileged Passwords must match the user information in the Starling Cloud Assistant channel. If the user information does not match, you will need to remove the user from both Security Policy Management | Cloud Assistant and Starling Cloud Assistant's Recipients page, then re-add the user to Safeguard for Privileged Passwords using the correct user information.

  1. Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
  2. To go to Cloud Assistant:
    • web client: Security Policy Management | Cloud Assistant.
  3. Click Add.
  4. In the Users dialog, select users from the list and click OK.

  5. Add these Cloud Assistant users as approvers in the appropriate access request policy. For more information, see Creating an access request policy (desktop client).

Once a user is added as a Cloud Assistant user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's configured channel (this is configured via the Starling Cloud Assistant service). The approver can either approve or deny the access request directly from the channel.

NOTE: Revoking an access request that has already been approved is not available via the channel. You must use the Safeguard for Privileged Passwords web client to perform that action.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione