지금 지원 담당자와 채팅
지원 담당자와 채팅

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Adding an Account Discovery rule

Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.

You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or if the account is in a organizational unit (OU) in Active Directory.

NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.

For Windows and Directory, the search terms is contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.

All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.

To add an Account Discovery rule

  1. Navigate to Asset Management > Discovery > Accounts.
  2. Select an existing account discovery job, and click View Details.
  3. On the Account Discovery Rules tab, click  Edit.
  4. Click Add to open the New Account Discovery Rule dialog.
  5. Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
  6. Find By: Select one of the types of search below.

    If the Discovery Type on the previous Account Discovery dialog is Windows or Unix, you can search by Constraints or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.

      • Name: Select this option to search by account name.
        • For a regular search (not directory), in Contains enter the characters to search.
        • If you are searching a directory:
          • Select Start With or Contains and enter the characters used to search subset within the forest.
            When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • Select Include objects from sub containers to include sub containers in the search.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Group: Select this option to search by group name.
        • Click  Add to launch the Group dialog.
        • Starts withor Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

        • Filter Search Location. Click Browse to select a container to search within the directory.
        • Include objects from sub containers: Select this check box to include child objects.
        • Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
        • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Constraints: Select this option to search for accounts based on an account's property. Available Unix properties are GID, UID, Name, and Group. Available Windows and Directory properties are RID, GID, UID, Name, and Group. All are limited to 255 numeric characters.

        IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.

        • Selections:

          • RID (ranges): RID property only applies to Windows and Microsoft Active Directory. Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1000 followed by a space, then type in 5000-7000.
          • GID (ranges): Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 8 followed by a space, then type in 10-12.

          • UID (ranges): Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1 followed by a space, then type in 5-7.

          • Name (RegEx): Using Name (RegEx) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.

          • Group (RegEx): Using Group (RegEx) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.

        • If you are searching a directory:
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • To include sub containers in your search, select Include objects from sub containers.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
  7. Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password then enter the password.
  8. Password Sync Group: Click Browse to select a password sync group to control validation and reset across all associated accounts. You can also use  Add to add a new sync group. See: Password sync groups.
  9. Password Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a password profile to identify the configuration settings for the discovered accounts. You can also use  New Profile to add a new password profile. For more information, see Password Profiles tab (partitions).
  10. Set default password: If Set default password is selected, the password you enter is a placeholder for the discovered asset until the password is changed for the first time on the asset. If Set default password is not selected, no password is stored until the password is changed for the first time on the asset. If the account is requested before the password is changed, an error may result.
    The default password is set in Safeguard for Privileged Passwords but not on the asset.

    NOTE: If an Account Discovery Rule is configured to set a password, and a password profile (selected via the Assign to Password Profile option) is also configured to automatically change passwords, the change password schedule takes precedence and the account will have its password changed upon discovery.

  11. SSH Key Sync Group: Click Browse to select the SSH key sync group. For more information, see SSH Key Sync Groups settings.
  12. SSH Key Profile: If a profile was not automatically assigned for a sync group, cFor more information, see SSH Key Profiles tab (partitions).
  13. Set default SSH Key: Select to set a default SSH key. On the Import an SSH Key dialog, you can import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.
    When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to login to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.

    NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

  14. Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
  15. Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.
  16. Enable SSH Key Request: This check box is selected by default, indicating that SSH key release requests are enabled for this account. Clear this option to prevent someone from requesting the SSH key for this account. By default, a user can request the SSH key for any account in the scope of the entitlements in which they are an authorized user.
  17. (For directory accounts only) Available for use across all partitions (Global Access): When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
  18. Tags: This tab allows you to select tags or add new tags with rules.
  19. Click Apply.
  20. Click OK to save the Account Discovery job.

Deleting an Account Discovery job

You can delete an Asset Discovery job.

To delete an Account Discovery job

  1. Navigate to Asset Management > Discovery > Accounts.
  2. Select an Account Discovery job.
  3. Click Delete to delete the selected Account Discovery job.
  4. Click Yes.

Account Discovery Results

You can view the results of running one or more Account Discovery jobs. To see the results of discoveries, see Discovered Accounts

To view Account Discovery results

  1. Navigate to Asset Management > Discovery > Accounts (add or edit a Account Discovery job).
  2. On the Account Discovery Results tab:
    • Select the time frame of the completed jobs you want to display which ranges from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
    • Click Refresh to refresh the results.
  3. View the following information displays for each job:
    • Date/Time: The most recent date the Account Discovery job successfully ran.
    • User: The user who ran the job or Automated System, if the job is run on an automated schedule.
    • Event: The outcome of running the Account Discovery job event, which may be Account Discovery Succeeded, Account Discovery Failed, or Account Discovery Started.
    • Asset: The asset which is associated with the Account Discovery job.
    • Partition: The partition in which the discovered accounts will be managed.
    • Profile: The profile which will govern the discovered accounts.
    • Appliance: The name of the Safeguard for Privileged Passwords Appliance.
    • # Accounts: The number of accounts found during the discovery job; click to view details.

Discovered Accounts

You can view the results of all Account Discovery jobs that have ever run in a partition (in other words, all accounts ever discovered) and choose to enable or disable the accounts.

Accounts created display as managed accounts in the Discovered Accounts properties grid (see below). For more information, see .

Go to Discovered Accounts:

  • web client: Navigate to Asset Management > Discovery > Discovered Items > Accounts tile.

Use these toolbar buttons to manage the discovered accounts.

Table 127: Discovery: Discovered Accounts toolbar
Option Description

Manage

Click Manage to change the status to managed for one or more selected accounts. Accounts that are managed by Safeguard for Privileged Passwords will be added to the asset's list of accounts and access request policies. The Discovery job may mark the accounts managed, or they can be selected and marked managed using this button.

Ignore

Click Ignore to set the Status to Ignore to prevent Safeguard for Privileged Passwords from managing the selected account. If the status of the account is None then the resulting status will be Ignored.

If the status of the account is Managed then you will need to use the Accounts page to change the status.

Show Ignored

Display the accounts with a Status of Ignored.

Hide Ignored

Hide the accounts with a Status of Ignored.

Export

Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

Refresh

Retrieve and display an updated list of discovered accounts. Ignored accounts are not displayed if Hide Ignored is selected.

Search

Enter the character string to be used to search for a match. For more information, see Search box.

The following information displays.

Table 128: Discovery: Discovered Accounts properties grid
Property Description

Status

The discovered account may be:

  • Managed: A discovered account that is managed.
  • None: A discovered account that was not auto managed when discovered.
  • Ignored: A discovered account that was not auto managed and was ignored from discovery.
  • Disabled: A discovered account that previously had the status of Managed and then was marked Ignored. A disabled account is not removed from the Asset account list nor unconfigured as a dependent account. It is marked disabled and cannot be used or acted upon.

Name

The name of the account in Safeguard that maps to the discovered account associated with the asset. This can be a local account or an Active Directory account

Domain Name

The domain name of the account if the account is an Active Directory account.

Asset Name

The name of the asset the account was discovered on.

Account Discovery Job

Name of the discovery schedule.

Asset Discovery Rule

The name of the Asset Discovery rule applied that discovered the account.

Date/Time Discovered

The date and time when the service or task was discovered.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택