サポートと今すぐチャット
サポートとのチャット

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Appliance states

The following table lists the appliance states and what actions are available when the appliance is in a particular state.

Table 274: Appliance states
Appliance state and description Actions available

EnrollingReplica (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being added to a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the enroll operation.

Wait for operation to complete before logging in to appliance.

Initial Setup Required

A virtual appliance has been deployed but cannot be used until it is in the Online state.

The Appliance Administrator must run Initial Setup for the virtual appliance to move to the Online state. For more information, see Setting up the virtual appliance.

Initializing

A transitional state where the appliance is initializing to start, but is not yet available for access.

Wait for operation to complete before logging in to appliance.

Maintenance

Appliance is performing maintenance tasks and is not available for access.

Wait for maintenance tasks to complete before logging in to appliance.

LeavingCluster (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being unjoined from a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the unjoin operation.

Wait for operation to complete before logging in to appliance.

Offline

Appliance is not available for access.

Wait for appliance to come back online before logging in.

Offline Workflow

The appliance is not communicating with the cluster but has been either automatically or manually placed in Offline Workflow Mode to run access request workflow.

Enable Offline Workflow Mode. Once online operations are resumed, the appliance is returned to Maintenance mode. For more information, see About Offline Workflow Mode.

Online

The appliance is a primary and has consensus. Or the appliance is a replica and has both consensus and connectivity to the primary.

Log in to appliance.

In this state, access request workflow is available from all clustered appliances that are online and able to communicate.

PatchPending (only applies to replica appliances in a cluster)

Upon cluster patch, the primary appliance instructs all replicas to enter PatchPending state. The primary appliance then patches and upon completion, instructs the PatchPending replicas to install the patch one at a time.

You can log in to a replica with a PatchPending state.

You can initially perform access request workflow on a replica in PatchPending state; however, during the cluster upgrade, when the majority of the cluster members have upgraded, access request worklfow migrates from the PatchPending side of the cluster to the upgraded side of the cluster. During this time, access request workflow is unavailable on any appliance still in the PatchPending state.

PrimaryNoQuorum (only applies to the primary appliance in a cluster)

The primary appliance is in a Read-only mode while attempting to get the lease, but can't because the cluster does not have consensus. The appliance continues to attempt getting the lease and when it does, the appliance state goes back to Online.

If the appliance is powered on, you can log in to an appliance with a PrimaryNoQuorum state; however, it will be in a Read-only mode.

In this state, access request workflow is not available from the primary appliance, but may be available from other appliances in the cluster.

For example, if the primary cannot communicate with the rest of the nodes in the cluster, but the rest of the nodes can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from these replica appliances even though it is not available from the primary appliance.

Quarantine

Appliance is broken or in an unknown state.

Requires manual intervention to recover.

Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk).

ReplicaDisconnected (applies to replica appliances in a cluster)

A replica appliance is available for access; however, both of the following conditions apply:
    • The replica appliance cannot communicate with the primary appliance in the cluster.
    • The remaining nodes in the cluster that the replica appliance can communicate with do not have consensus.

You can log in to a replica with a ReplicaDisconnected state, but access request workflow is disabled.

If the replica appliance cannot communicate with the other nodes in the cluster, but the remaining nodes can communicate with each other, then access request workflow will be available from those appliances even though it is not available from the appliance that cannot communicate with them.

ReplicaNoQuorum (applies to replica appliances in a cluster)

A replica appliance can communicate with the primary appliance; however, the remaining nodes in the cluster do not reach consensus. Once the cluster regains consensus, the replica appliance will go into the Online state.

You can log in to a replica with a ReplicaNoQuorum state, but access request workflow is disabled.

In this state, access request workflow is not available from the primary appliance, but may be available from other replicas.

For example, in a cluster of five appliances, if the primary and a single replica cannot communicate with the remaining replicas in the cluster, but the other three replicas in the cluster can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from the replicas that are online and communicating even though it is not available from the primary and replica that cannot communicate.

ReplicaWithQuorum (applies to replica appliances in a cluster)

A replica appliance cannot communicate with the primary appliance; however, the remaining nodes in the cluster have reached consensus.

You can log in to a replica with a ReplicaWithQuorum state. In this state, access request workflow is available from any clustered appliance that is online and able to communicate. Passwords and SSH keys can be requested and checked in. Scheduled tasks will not occur until after the cluster patching is complete. Manual check and change is not available.

The policy may be configured such that a password or SSH key reset is required before the password or SSH key can be checked out again. If that is the case, the following can be temporarily configured prior to cluster patching and access request to allow for password or SSH key check out when a password or SSH key has not been reset.

  • The policy can be set to allow multiple accesses.
  • The policy can be set to not require a password or SSH key change at check in.
  • Emergency requests can be allowed so the user does not have to wait for the password or SSH key to be reset.

TransitioningToPrimary (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being promoted to be the new primary and is not available for access.

Wait for operation to complete before logging in to appliance.

TransitioningToReplica (only applies to the primary appliance in a cluster.)

A transitional state where a primary appliance is being demoted to a replica and is not available for access.

Wait for operation to complete before logging in to appliance.

ShuttingDown

A transitional state where an appliance is shutting down and is not available for access.

Wait for appliance to come back online before logging in.

StandaloneReadOnly

State used for replicas unjoined from a cluster or a primary appliance restored from a backup. The appliance can be activated.

Log in to appliance.

See Activating a read-only appliance for how to activate a Read-only appliance so you can add, delete and modify data, apply access request workflow, and so on.

Unknown

Appliance is broken or in an unknown state.

Requires manual intervention to recover.

Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk).

HardwareSecurityModuleError

The appliance can no longer access the configured Hardware Security Module for decryption. This state only occurs on startup or during the connection checks that run every 4 hours. During startup, any error to connect to the Hardware Security Module will cause the appliance to transition to this state. During a connection check, networking issues will not cause the appliance to transition to this state.

All Hardware Security Module related actions are available. This includes managing Hardware Security Module Client and Server certificates, updating the Hardware Security Module configuration, running cluster health checks, and running Hardware Security Module verifications.

The appliance will transition out of this state when a valid configuration exists that allows the appliance to decrypt, and either:

  • The next connection check runs (every 4 hours).

  • A Hardware Security Module verification is run, either through a cluster member health check, or through a refresh on the Hardware Security Module external integration menu.

Administrator permissions

To secure control of your IT department's assets (that is, managed systems), Safeguard for Privileged Passwords uses a role-based access control hierarchy. Safeguard for Privileged Passwords's various permission sets restrict the amount of control each type of user has.

NOTE: It is the responsibility of a user with Authorizer Administrator permissions to grant administrator permissions to other Safeguard for Privileged Passwords users; however, the User Administrator can grant Help Desk Administrator permissions to non-administrative users.

Administrator permissions include:

Appliance Administrator permissions

The Appliance Administrator is responsible for configuring and maintaining the appliance, including the following tasks:

  • Racks and stacks the appliance.
  • Configures the appliance.
  • (Optional) Sets up and uses the virtual appliance for initial setup, maintenance, backup, and recovery. For more information, see Using the virtual appliance and web management console.
  • Troubleshoots performance, hardware, and networking.
  • Creates and monitors the status of a clustered environment.
  • Manages licenses, certificates, backups, and sessions settings.
  • Enables and disables access request and password and SSH key management services.
Table 275: Appliance Administrator: Permissions
Navigation Permissions

Activity Center

View and export appliance activity events

Administrative Tools | Toolbox

Access to the Tasks pane.

Administrative Tools | Settings |Access Request

Enable or disable configuration for:

  • Access requests
  • Password and SSH key management services
  • Discovery of objects
  • Directory sync
  • Session module password access

Administrative Tools | Settings | Appliance

Perform appliance actions including:

  • Appliance diagnostics to execute a trusted, secure diagnostics package to help solve a configuration, synchronization, clustering, or other internal issues
  • Appliance information and control:
    • The status of the appliance, performance, and memory
    • Shut down or restart the appliance
  • Debug to specify the level of logging and the external syslog server for storing debug logs
  • Enable or disable services including the Application to Application functionality and the Audit Log Stream Service
  • Factory reset to recover from major problems or clear the data and configuration settings on the appliance and revert your appliance to its original state when it first came from the factory
  • Licensing to add or update the Safeguard for Privileged Passwords license
  • Enable or disable Lights Out Management (BMC)
  • Network diagnostics to run diagnostic tests on your appliance
  • Networking to view and configure the network interface and, if applicable, the sessions network interface
  • Operating system licensing for the virtual appliance
  • SSH Algorithms to manage account passwords and SSH keys.
  • Support bundle creation with system and configuration information to send to One Identity Support
  • Time to enable Network Time Protocol and set the primary and secondary NTP server
  • Updates to install update files (patches)

Administrative Tools | Settings | Backup and Retention

Perform backup and retention actions including:

  • Archive server addition and management for backing up files and session recordings
  • Audit log management to define and schedule the audit logs to be synchronized, archived and purged
  • Backup and restore to initiate, schedule backups, upload and download backup files, and specify the archive server
  • Backup retention and set the number of backup files to store

Administrative Tools | Settings | Certificates

Manage the certificates used including:

  • Audit log signing certificate
  • Certificate signing request
  • Hardware Security Module Certificates
  • SSL certificates
  • Trusted certificates

Administrative Tools | Settings | Cluster

Perform cluster activities including:

  • Cluster management and health monitoring
  • Managed networks definition for load distribution
  • Offline workflow to trigger if an appliance has lost consensus to resume offline workflow
  • Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable

Administrative Tools | Settings | External Integration

Perform external integration activities including:

  • Application to Application (A2) configuration for application registrations
  • Approval Anywhere service for access request approvals.
  • Email to send event notifications
  • Identity providers and authentication providers to use when logging in
  • Hardware Security Module configuration
  • SNMP configuration to send SNMP traps to the SNMP console
  • Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA).
  • Syslog define a syslog server configuration to use to send event notifications
  • Syslog Event to send event notifications (web client)
  • Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system
  • Trusted Servers, CORS, and redirects configuration to restrict login redirects and Cross Origin Resource Sharing (CORS) requests

Administrative Tools | Settings | Messaging

Perform messaging activities including:

  • Login notification configuration
  • Message of the day creation

Administrative Tools | Settings | Safeguard Access

Perform access activities including:

  • Login control configuration for user login settings
  • Password rules configuration including complexity rules
  • (View only) Time zone

Administrative Tools | Settings | Sessions

If a Sessions appliance is linked, view, remove, or modify the configuration.

Asset Administrator permissions

An Asset Administrator manages all partitions, assets, and accounts:

  • Creates (or imports) assets and accounts.
  • Creates partitions and profiles.
  • Delegates partition ownership to users. A delegated partition owner has a subset of permissions that an Asset Administrator has. That is, the delegated partition owner is authorized to manage a specific partition and the assets and accounts assigned to that partition.

  • Assigns assets to partitions.
  • Manages account password rules.

  • Manages ownership for assets, accounts, and partitions.

NOTE: Asset Administrators can only view the user object history for their own account.

Table 276: Asset Administrator: Permissions
Navigation Permissions

Dashboard | Account Automation

Full control for accounts related to all Safeguard for Privileged Passwords assets.

NOTE: Delegated partition owners have control for accounts related to the assets managed through delegated profile.

Activity Center

View and export asset activity events.

Administrative Tools | Toolbox

The Toolbox provides:

  • Access to the Accounts, Assets, Partitions and Users view.
  • Access to the Tasks pane.

Administrative Tools | Accounts

Perform account activities including:

  • Add, modify, delete, and import accounts, including cloud platform accounts.
  • Add a tag to an account.
  • Add an account to an account group.
  • Check, change, and set account passwords and SSH keys.
  • View password and SSH key archive.

Administrative Tools | Assets

Perform account activities including:

  • Add, modify, delete, and import assets.
  • Check asset connectivity.
  • Assign an asset to a partition.
  • Assign a profile to an asset.
  • Add a tag to an asset.
  • Add an account to an asset.
  • Add account dependencies.
  • Add an asset to an asset group.
  • Download a public SSH key.

Administrative Tools | Discovery

Create and run discovery jobs to find assets, accounts, services, and SSH keys in your network environment.

Administrative Tools | Partitions

Perform partition activities including:

  • Add, modify, and delete partitions and password and SSH key profiles.
  • Add assets or accounts to the profiles.
  • Set a default profile.
  • Add and remove partition assets.

Administrative Tools | Settings | Asset Management

Perform asset management actions including:

  • Custom platform creation and deployment that includes uploading the custom platform script.
  • Tag creation to manage dynamic tags for assets and asset accounts.

Administrative Tools | Settings | Messaging

Perform messaging actions including:

  • Login notification (view only).
  • Message of the day creation.

Administrative Tools | Settings | Password Management

Perform password management actions including:

  • Account password complexity rule control (add, modify, delete).
  • Change password settings control (add, modify, delete).
  • Check password settings control (add, modify, delete).
  • Password sync groups settings control (add, modify, delete).
Administrative Tools | Settings | SSH Key Management

Perform SSH key management actions including:

  • Change SSH key settings control (add, modify, delete).
  • Check SSH key settings control (add, modify, delete).
  • Discover SSH keys to find authorized SSH keys in managed accounts.
  • SSH key sync groups settings control (add, modify, delete).

Administrative Tools | Users

Delegate partition ownership to users.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択