
One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

File release request workflow

One Identity Safeguard for Privileged Passwords provides secure control of managed accounts by storing account files until they are needed, and releases them only to authorized persons.

Typically, a file release request follows this workflow.

  1. Request: Users that are designated as an authorized user of an entitlement can request files for any account in the scope of that entitlement's policies.

  2. Approve: Depending on how the Security Policy Administrator configured the policy, a file release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account files, provides accountability, and provides dual control over the system accounts.

  3. Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed file release requests for accounts in the scope of the policy.

Requesting a file release

If you are designated as an authorized user of an entitlement, you can request a file for any account in the scope of the entitlement's policies.

To request a file release

  1. Click (Home), then (New Request), or open (My Requests), then click (New Request).

    NOTE: You can also submit an access request from your Favorites pane, if you previously saved it as a favorite.

  2. On the New Access Request page, select the accounts to be included in the access request and the type of access being requested for each selected account.

    You can search for accounts based on asset information. The assets available for selection are based on the scope defined in the entitlement's access request policies.

  3. To select the columns to display, click the (Columns) button.

    NOTE: You can remove an asset or account from the list by clearing the check box associated with an entry in the grid.

    • Asset: The display name of the managed system.

    • Account: The available account appears in the Account column. When an asset has multiple accounts available, either Select Account(s) or the account name appears as a hyperlink in the Account column. Click the hyperlink in the Account column to display a list of accounts available and select the accounts to be included in the access request.

    • Access Type: The type of access request appears in the Access Type column. If the type is a drop-down, click it to list all available access request types, then select the File access type.

    • Account Description: (When applicable) The description of the account.

    • Asset Description: (When applicable) The description of the asset.

  4. Click Next.

  5. On Request Details, configure the following settings, which will apply to all of the selected assets and accounts:

    1. When: Select one of the following options:

      • Now: If selected, the request is immediately created.

      • Later: If selected, fields will appear allowing you to enter a specific date and time for the request in the user's local time.

    2. How Long: Based on the policy, do one of the following:

      • View the Checkout Duration.

      • If the Allow Requester to Change Duration option is enabled in the policy, you can set the days, hours, and minutes that you want to use the password. This overrides the Checkout Duration set in the access request policy. For more information, see Creating an access request policy.

    3. Comment: If required, enter information about this request. When multiple accounts are specified in the request, if any of the selected accounts require a comment, you must enter a comment. The comment will be applied to all of the requests associated with this access request. The limit is 1000 characters.

  6. To save the access request as a favorite, select Save this request as a favorite and enter a name for the request.

    This access request is then added to your Favorites. In the web client, favorites are displayed on the (Home) page and the (My Requests) page.

  7. After entering the required information, click Submit Request.

    If the access requests submitted were unsuccessful, additional information appears on how to address the issues. Solve them, then submit the requests again.

When the request has been approved, you can use the file. For more information, see Taking action on a file release request.

Taking action on a file release request

The actions that can be taken on a file release request depend on the state of the request.

To take action on a file release request

  1. From the web client, click (My Requests). Use any of the following methods to control the request that appears:

    • Click (Add or Remove), then select one of the following options:

      • To check in all available requests, click Check-In All Available.

      • To remove all requests, click Clear All.

      • To cancel and remove all pending requests, click Cancel All Pending Time Requested.

    • Click (Sort By), then select to sort by Account Name, Asset Name, Due Next, Expiring Next, Most Recent, or Status.

    • To sort in ascending or descending order, click (Sort up) or (Sort down).

    • To filter the requests by their status, click (Filters). You can filter to the following request states:

      • Available: Approved requests that are ready to view or copy.

      • Pending Approval: Requests that are waiting for approval.

      • Approved: Requests that have been approved but their check out time has not arrived, or pending accounts restored via the SPS suspend feature.

      • Revoked: Approved requests retracted by the approver. The approver can revoke a request after the request became available.

      • Expired: Requests for which the Checkout Duration has elapsed.

      • Denied: Requests denied by the approver.

    • To see a list of searchable elements, click (Search), or enter search characters. For more information, see Search box.

    • If a denied or revoked request has been commented on by an approver, then to view the comment, click the (Comments) button of the request.

  2. You can take any of the following actions on the file release request:

    • Available request:

      1. The name, account, and remaining time appear. Use the drop-down menu to select the (Download File) button or the (Fetch File Details) drop-down.

      2. The following actions are available in the (Fetch File Details) drop-down.

        • (Fetch File Details): Shows the name, version, file size and file hashes.

        • (Copy Password): Copies the account password.

        • (View Password): Shows the account password.

      3. If the Access Request Policy is also set to release the SSH key, the following additional actions are also available in the (Fetch File Details) drop-down.

        • (Download PuTTY): Downloads the PuTTY connection details.

        • (Download OpenSSH): Downloads the OpenSSH connection details.

        • (Download SSH2): Downloads the SSH2 connection details.

      4. To complete the file check out process, click (Check-In Request).
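A check a requester can run after (Download File), as an added example that is not part of the One Identity guide: it compares the downloaded file with the name, size and hashes shown by (Fetch File Details). The `details` dictionary, its keys and the hash algorithm names are assumptions, since the guide does not say which algorithms are displayed.

```python
import hashlib
import hmac
import os
import tempfile

def verify_released_file(path, details):
    """Compare a downloaded file with values copied by hand from the file
    details view. `details` is a hypothetical dict, not a Safeguard data
    structure. Returns a list of mismatch descriptions (empty means OK)."""
    problems = []
    if os.path.basename(path) != details["name"]:
        problems.append("name differs")
    if os.path.getsize(path) != details["size"]:
        problems.append("size differs")
    hashers = {}
    for algo in details["hashes"]:
        key = algo.lower().replace("-", "")
        # SHAKE needs an explicit digest length, so it is not handled here.
        if key in hashlib.algorithms_guaranteed and not key.startswith("shake"):
            hashers[algo] = hashlib.new(key)
        else:
            problems.append(f"{algo}: unsupported algorithm")
    with open(path, "rb") as fh:  # stream so large files are not held in memory
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    for algo, h in hashers.items():
        expected = details["hashes"][algo].strip().lower()
        if not hmac.compare_digest(h.hexdigest(), expected):
            problems.append(f"{algo}: hash differs")
    if not hashers:  # never report success when nothing was actually hashed
        problems.append("no hash could be checked")
    return problems

def demo():
    """Constructed sample: a temp file stands in for the downloaded file."""
    data = b"constructed sample file content\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.key")
        with open(path, "wb") as fh:
            fh.write(data)
        good = {"name": "sample.key", "size": len(data),
                "hashes": {"SHA-256": hashlib.sha256(data).hexdigest().upper()}}
        bad = dict(good, hashes={"SHA-256": "0" * 64})
        return verify_released_file(path, good), verify_released_file(path, bad)

if __name__ == "__main__":
    print(demo())
```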

Approving a file release request

Depending on how the Security Policy Administrator configured the policy, a file release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.

You can configure Safeguard for Privileged Passwords to notify you of a file release request that requires your approval. For more information, see Configuring alerts.

To approve or deny a file release request

To manage approvals, on the left of the page, click Approvals. On the Approvals page, you can:

  • View details by selecting a request, then looking at the details display on the right of the page, including the workflow.

  • Approve one or more requests: Select the requests and click (Approve all selected requests). Optionally, enter a comment.

  • Deny one or more requests: Select the requests and click (Deny all selected requests). Optionally, enter a comment.

  • Change the columns that appear: Click (Columns) and select the columns you want to see. You can select columns including the following information:

    • Action: Displays (Approve only this request) and (Deny only this request).

    • Requester / Status: Displays the user name and the status of the approval (for example, Pending 1 approval).

    • Asset / Access Type: Displays the name of the asset and the type of access (for example, Password, SSH Key, RDP, SSH, API Key, or Telnet).

    • Account: Displays the managed account name.

    • Ticket Number: Displays the ticket number, if required.

    • Requested For: Displays the date and time as well as the window of availability (for example, March 20, 2021 9:56 AM 2 hours).

  • Search: To see a list of searchable elements, click (Search). For more information, see Search box.
