サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding account dependencies

One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.

You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset.

To configure account dependencies on an asset

  1. Directory accounts:

    1. You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account.

    2. From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account.

  2. Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account if the asset is a Windows Server platform. If the asset is a Windows SSH platform, then to update dependent accounts, the service account must be a domain account.

    IMPORTANT: For Windows SSH assets, a local account does not have the access necessary to discover services running as domain accounts. So if a local account is used, Safeguard for Privileged Passwords will only discover services running as local accounts, and domain account dependencies will not be updated.

    Follow these steps:

    1. Navigate to web client: Asset Management > Assets.

    2. Select the asset (such as a Windows Server instance) from the object list and open the Account Dependencies tab.

    3. Click (New Account) from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.

  3. Profiles:

    1. The target directory account must be in the same profile as the dependent asset.

    2. You must configure the dependent asset's profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a password profile.

Adding users or user groups to an asset

When you add users to an asset, you are specifying the users or user groups that have ownership of an asset.

It is the responsibility of the Asset Administrator (or delegated partition owner) to add users or user groups to assets. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions..

To add users to an account

  1. Navigate to Asset Management > Assets.
  2. In Assets, select an asset from the object list and click View Details.
  3. Open the Owners tab.
  4. Click  Add.
  5. Select one or more users or user groups from the list in the Select users and groups dialog.
  6. Click Select Owners to save your selection.

Deleting an asset

The Asset Administrator can delete an asset even if there are active access requests.

IMPORTANT: When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.

To delete an asset

  1. Navigate to Asset Management > Asset.
  2. Select the asset to be deleted.
  3. Click Delete.
  4. Confirm your request.

Account Discovery tab (add asset)

The Account Discovery tab is only available after an Active Directory or SPS asset has been created. On the Account Discovery tab, the default is Do not perform account discovery.

To access Account Discovery:

  • web client: Navigate to Asset Management > Assets > Account Discovery.

The settings outlined in the following table are available by using the Add or Edit option available from the Account Discovery tab.

Table 115: Account Discovery tab properties
Property Description
Description

Select the description of the discovery job desired and the details of the configuration display.

Click Add to add a job or Edit to edit the job. You can click the drop-down and select Do not perform account discovery.

Partition The partition in which to manage the discovered assets or accounts.
Discovery Type The type platform, for example, Windows, Unix, or Directory.

Directory

The directory for account discovery.

Account Discovery Rules

You can click Add, Delete, Edit, or Copy to update the Rules grid.

Details about the selected account discovery setting rules may include the following based on the type of asset.

  • Name: Name of the discovery job.
  • Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule..
  • Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
  • Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
  • Set default password: A check mark displays if the rule causes default passwords to be set automatically.
  • Set default SSH key: A check mark displays if the rule causes default SSH keys to be set automatically.
  • Assign to Password Profile: The password profile assigned.
  • Assign to Sync Group: The name of the assigned password sync group.
  • Assign to SSH Key Profile: The name of the assigned SSH Key profile.
  • Assign to SSH Key Sync Group: The name of the assigned SSH Key Sync group.
  • Enable Password Request: A check mark displays if the passwords is available for release.
  • Enable Session Request: A check mark displays if session access is enabled.
  • Enable SSH Key Request: A check mark displays if SSH key request is enabled.
Schedule

Click Schedule to control the job schedule.

Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)

  • Select a time frame:

    • Never: The job will not run according to a set schedule. You can still manually run the job.
    • Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
    • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.

    • Days: The job runs on the frequency of days and the time you enter.

      For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.

    • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

      For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

    • Months: The job runs on the frequency of months at the time and on the day you specify.

      For example, If you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.

  • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

    For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

    Enter Run Every 10/Minutes and set Use Time Windows:

    • Start 10:00:00 PM and End 11:59:00 PM
    • Start 12:00:00 AM and End 2:00:00 AM

      An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

    If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

    For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

    For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択