Adding users to a user group
It is the responsibility of an Authorizer Administrator, User Administrator, or Security Policy Administrator to add users to local Safeguard for Privileged Passwords groups. For directory user groups, you cannot manually add or remove users. Instead, those groups will automatically be synchronized with the Active Directory or LDAP server they came from.
To add users to a user group
-
Navigate to:
-
In User Groups, select a user group from the object list and open the Users tab.
-
Click Add User from the details toolbar.
-
Select one or more users from the list in the Users dialog and click OK.
IMPORTANT: You cannot add a group to a user group's membership; group membership cannot be nested.
Adding a user group to an entitlement
When you add user groups to an entitlement, you are specifying which people can request access to the accounts and assets governed by an entitlement's policies. It is the responsibility of the Security Policy Administrator to add user groups to entitlements.
To add a user group to entitlements
-
Navigate to:
- web client: Security Policy Management > User Groups or User Management > User Groups.
- In User Groups, select a user group from the object list and open the Entitlements tab.
- Click Add Entitlement from the details toolbar.
- Select one or more entitlements from the Entitlements dialog and click OK.
Deleting a user group
Both Authorizer Administrator and User Administrator can delete local and directory user groups. A Security Policy Administrator can only delete local groups without permissions on them.
When you delete a user group, Safeguard for Privileged Passwords does not delete the users associated with it.
To delete a user group
-
Navigate to:
- web client: Security Policy Management > User Groups or User Management > User Groups.
- In User Groups, select a user group from the list.
- Click Delete.
- Confirm your request.
Security Policy Settings
In the web client, Security Policy Management has a settings page used to manage Sessions Password Access and the Audit Log Stream Service. You can also manage the reasons for requesting access to a password, SSH key, or session.
Navigate to Security Policy Management > Settings to manage the settings listed below.
Table 218: Security Policy Settings
Maximum Notification Recipients |
Set the maximum number of notification recipients. |
Expiration Warning Duration |
Enter the number of days for the warning to expire. |
Show User Name in Access Request Conflict Messages |
When the check box is selected, if there is a conflicting access request for the time period a user wants to request, the error message will include the name of the user who requested the conflicting access request. When the check box is cleared, the error message will show the access request id instead. This check box is cleared by default. |
Allow Access Request Search by Tags |
This option allows you to find requestable accounts by searching for tags. This feature is disabled by default.
NOTE: When the Allow Access Request Search by Tags option is turned off, the Asset Tags column, the Account Tags column, and the Advanced Search boxes are not available in the New Access Request window. |
Session Password Access Enabled |
Use this to enable or disable session password access. This feature is disabled by default. |
Audit Log Stream Service |
Use this to send SPP data to SPS to audit the Safeguard privileged management software suite. The feature is disabled by default.
To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.
SPP and SPS must be linked to use this feature. For more information, see Safeguard for Privileged Passwords and SPS appliance link guidance.
While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.
NOTE: This setting is also available under Appliance Management. For more information, see Global Services. |
Reasons |
From this pane you can manage the reasons for requesting access to a password, SSH key, or session. For more information, see Reasons. |