Once you add an account, you cannot modify an account's associated asset or its name, but you can modify other information.
To modify an account's information
Navigate to Administrative Tools | Accounts.
- To change the description, profile, or request settings, double-click the account from the object list, make the changes, then click OK.
- To view the selected account's password validation and reset history, switch to the Check and Change Log tab.
- To view or export the details of each operation that has affected the selected account, switch to the History tab. To export, select the time frame, then click Export.
- Right-click the account name for these options:
- Account Security: Menu options include:
- Check Password, Change Password, and Set Password. For more information, see Checking, changing, or setting an account password.
- Toggle Global Access: For more information, see Available for discovery across all partitions (Global Access).
- Check SSH Key, Change SSH Key, Set SSH Key: For more information, see Checking, changing, or setting an SSH key.
- Password Archive: Display the password history for the selected account. For more information, see Viewing password archive.
- SSH Key Archive: Display the SSH key history for the selected account. For more information, see Viewing SSH key archive.
- Discover SSH Keys: Run the SSH Key Discovery job associated with the account. For more information, see SSH Key Discovery job workflow.
- Access Requests: Allows you to enable or disable access request services for the selected account. Menu options include enable and disable password, session, and SSH key requests.
- Show Disabled: Display the accounts that are not managed and are disabled and have no associated assets. Account management can be controlled by right-clicking on an asset and selecting Enable-Disable.
- Hide Disabled: Hide the accounts that are not managed and are disabled and have no associated assets. Asset management can be controlled by right-clicking on an account and selecting Enable-Disable.
When you delete an account, Safeguard for Privileged Passwords does not delete it from its associated asset; it simply removes it from Safeguard for Privileged Passwords.
If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password and SSH key management for all accounts that are associated with this asset. All assets must have a service account in order to check and change the passwords or SSH keys for the accounts associated with it. For more information, see About service accounts.
To delete an account
- Navigate to Administrative Tools | Accounts.
- In Accounts, select an account from the object list.
- Click Delete Selected.
- Confirm your request.
When you add users to an account, you are specifying the users or user groups that have ownership of an account.
It is the responsibility of the Asset Administrator (or delegated partition owner) to add users and user groups to accounts. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions.
To add users to an account
- Navigate to Administrative Tools | Accounts.
- In Accounts, select an account from the object list and click the Owners tab.
- Click Add User or User Group from the details toolbar.
- Select one or more users or user groups from the list in the Users or User Groups dialog, and click OK.
If you do not see the user or user group you are looking for, depending on your Administrator permissions, you can create them in the Users or User Groups dialog. (You must have Authorizer Administrator or User Administrator permissions to create users or Security Policy Administrator permissions to create user groups.)
To create new users or user groups in the Users or User Groups dialog
- Click Create New, then select Create a New User or Create a New User Group.
For more information about creating users or user groups, see Adding a user or Adding a user group.
- Create additional users or user groups as required.
- Click OK to add the new users and user groups to the selected account.
Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar then click CSV Template Assistant for the dialog. For more information, see Creating an import file.
Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status.
To import objects
- In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
- Click Import from the toolbar.
- In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
- When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
- Click OK. Safeguard for Privileged Passwords imports the objects into its database.
Considerations for valid and invalid data
Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
- Assets PlatformDisplayName property:
- If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
- If it does not find a partial match, it supplies the Other platform type.
- Users TimeZoneId property: If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone. Do not enter numbers or abbreviations for the TimeZoneId.
- Users Password property: Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Managed account users cannot be members of the Protected Users AD Security Group.
Additional information specific to directory import follows.
Import the directory (and service account) via Administrative Tools | Assets | Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
- Import users and user groups.
- Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
- Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
- Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
- Password (modifiable in LDAP and not modifiable in Active Directory)
- Network Address
- Operating System
- Operating System Version
Identity and Authentication Providers schema list
- First Name
- Last Name
- Work Phone
- Mobile Phone
- External Federation Authentication
- Radius Authentication
- Managed Objects