Account Discovery
Account Discovery jobs include the rules Safeguard for Privileged Passwords uses to perform account discovery against assets. When you add an Account Discovery job, you can identify whether or not to automatically manage found accounts, whether to discover services, and whether to automatically configure dependent systems.
The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account.
To configure and schedule Account Discovery jobs, perform one of the following:
Supported platforms
Safeguard for Privileged Passwords supports account discovery on the following platforms:
- AIX
- HP-UX
- Linux / Unix (based)
- MAC OS X
- Solaris
- Starling Connect
- Windows (services and tasks)
- MySQL
- Postgres
- SQL Server
- Oracle
- iDrac
- HP iLO
- HP iLO MP
Properties and toolbar
Go to Account Discovery:
- web client: Navigate to Asset Management > Discovery > Accounts.
Use these toolbar buttons to manage the Account Discovery jobs.
Table 137: Account Discovery: Toolbar
Button | Description
New Account Discovery Job | Add an Account Discovery job. For more information, see Adding an Account Discovery job.
Delete | Delete the selected Account Discovery job.
View Details | Modify the selected Account Discovery job. You can also double-click a row to open the edit dialog.
Discover Accounts | Discover the accounts on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop-up displays the progress and completion.
Discover Services | Discover the services on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop-up displays the progress and completion.
Occurrences | Add, delete, or refresh the assets associated with the Account Discovery job. IMPORTANT: You must associate the assets to the Account Discovery job for the accounts to be found.
Export | Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
Refresh | Update the list of Account Discovery jobs.
Search | Enter the character string to be used to search for a match. For more information, see Search box.
Account Discovery jobs display in the grid.
Table 138: Account Discovery: Account Discovery job grid
Column | Description
Name | Name of the discovery job.
Created By | The creator of the job.
Discovery Type | The type of discovery performed, for example, Windows, Unix, Starling Connect, or Directory.
Directory | The directory on which the discovery job runs.
Partition | The partition in which to manage the discovered assets or accounts.
Schedule | Designates when the discovery job runs.
Discover Services | A check mark displays if the job will discover service accounts.
Auto Configure | A check mark displays if the accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset.
Assets | Total number of assets assigned to the Account Discovery job. A Caution displays if no accounts are assigned to the Account Discovery job, because no data will be discovered in that case.
Description | The description of the discovery job.
Account Discovery job workflow
The Account Discovery jobs of Safeguard for Privileged Passwords discover accounts on the assets that are in the scope of a profile. Account Discovery jobs can be assigned to multiple assets in the same partition. Account Discovery jobs can include service discovery.
You can configure, schedule, test, and run Account Discovery jobs. After the job has run, you can select whether to manage an account that was not identified to be automatically managed.
- Create an Account Discovery job and associate assets, or create an asset and associate the Account Discovery job. For more information, see Adding an Account Discovery job and Adding an asset.
- Account Discovery jobs can be scheduled to run automatically. In addition, you can manually launch these jobs in any of the following ways:
- After the Account Discovery job runs, you can mark the managed accounts from Discovery > Discovered Items > Accounts:
For information about discovery jobs that have run, search the Activity Center. Safeguard for Privileged Passwords lists the account discovery events in the Account Discovery Activity category.
Adding an Account Discovery job
It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account Discovery job workflow.
To add an Account Discovery job
- Navigate to Asset Management > Discovery > Accounts.
- Click New Account Discovery Job to open the New Account Discovery Job dialog.
- On the General tab, enter the following information:
- On the Information tab, enter the following information:
  - Discovery Type: Select the platform (Directory, Role Based, SPS, Starling Connect, Unix, or Windows). Make sure the Discovery Type is valid for the assets associated with the partition selected on the General tab.
  - Discover Services: (For Windows accounts only; deselected by default) Select this check box so that services are discovered when the discovery job runs.
    If Discover Services is selected, the Automatically Configure Dependent Systems check box is also available. Select this check box so that any directory accounts discovered by the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. Once dependencies are found, they can only be removed manually from the Account Dependencies tab of the asset.
  - The Account Discovery Rules tab is only available after an account discovery job has been created. For more information, see Adding an Account Discovery rule.
- On the Schedule tab, enter the following information:
  - Select a time frame:
    - Never: The job will not run according to a set schedule. You can still manually run the job.
    - Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended that you do not use the frequency of minutes except in unusual situations, such as testing.
    - Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.
    - Days: The job runs on the frequency of days and at the time you enter. For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.
    - Weeks: The job runs per the frequency of weeks at the time and on the days you specify. For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
    - Months: The job runs on the frequency of months at the time and on the day you specify. For example, if you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.
  - Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart from the others and must not overlap them.
    For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
    Enter Run Every 10/Minutes and set Use Time Windows:
    If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
    For a job to run two times every other day at 10:30 a.m. between the hours of 4 a.m. and 8 p.m., enter these values:
    For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.
    If the scheduler is unable to complete a task within the scheduled interval, the task is rescheduled for the next immediate interval once it finishes executing.
  - Click OK.
- Select the assets to which the account discovery rule applies using one of these approaches:
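The Schedule tab's time-window rules above (windows at least one minute apart and non-overlapping, a Minutes frequency restricted to the 10 p.m. to 2 a.m. window) can be checked before a job is saved. The following Python is an added example, not code from the Safeguard documentation or product; it assumes a window whose End is at or before its Start crosses midnight, that Minutes ticks are counted from 00:00, and that a window's End is exclusive. Those three assumptions are the example's own, and the window lists are constructed sample input.

```python
from typing import List, Tuple

# A time window as entered on the Schedule tab: ("HH:MM" Start, "HH:MM" End).
Window = Tuple[str, str]


def to_minutes(hhmm: str) -> int:
    """Parse 'HH:MM' into minutes since midnight, rejecting out-of-range values."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid time of day: {hhmm!r}")
    return hours * 60 + minutes


def split_windows(windows: List[Window]) -> List[Tuple[int, int]]:
    """Convert windows to sorted [start, end) minute ranges within a single day.
    Assumption (this example's, not the product's): a window whose End is at or
    before its Start crosses midnight, so it becomes two ranges."""
    ranges = []
    for start, end in windows:
        s, e = to_minutes(start), to_minutes(end)
        if s < e:
            ranges.append((s, e))
        else:
            ranges.append((s, 24 * 60))
            ranges.append((0, e))
    return sorted(ranges)


def validate_windows(windows: List[Window]) -> None:
    """Enforce the page's rule: windows must not overlap and must be at least
    one minute apart. Raises ValueError describing the first violation."""
    ranges = split_windows(windows)
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        gap = s2 - e1
        if gap < 0:
            raise ValueError(f"windows overlap: {(s1, e1)} and {(s2, e2)}")
        if gap < 1:
            raise ValueError(f"windows must be at least one minute apart: {(s1, e1)} and {(s2, e2)}")


def windows_are_valid(windows: List[Window]) -> bool:
    """Boolean wrapper around validate_windows for quick checks."""
    try:
        validate_windows(windows)
    except ValueError:
        return False
    return True


def run_times(every_minutes: int, windows: List[Window]) -> List[str]:
    """List the HH:MM ticks within one day at which a 'Run Every N/Minutes' job
    would fire inside the given windows. Assumption (this example's): ticks are
    counted from 00:00 and a tick fires when it lies in a window, End exclusive."""
    if every_minutes < 1:
        raise ValueError("frequency must be at least one minute")
    validate_windows(windows)
    ranges = split_windows(windows)
    ticks = []
    for t in range(0, 24 * 60, every_minutes):
        if any(s <= t < e for s, e in ranges):
            ticks.append(f"{t // 60:02d}:{t % 60:02d}")
    return ticks


if __name__ == "__main__":
    # Constructed inputs mirroring the page's two schedule examples.
    night = [("22:00", "02:00")]
    print("every 10 min, 10 p.m. to 2 a.m.:", run_times(10, night))
    print("4 a.m. to 8 p.m. window valid:", windows_are_valid([("04:00", "20:00")]))
    print("touching windows valid:", windows_are_valid([("04:00", "08:00"), ("08:00", "09:00")]))
```

Running the block lists the 24 ticks of the night window (twelve between 22:00 and 23:50, twelve between 00:00 and 01:50) and shows that two windows which merely touch at 08:00 fail the one-minute-apart rule, which is the kind of rejection the dialog reports when windows are entered too tightly.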
Adding an Account Discovery rule
Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.
You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or on whether the account is in an organizational unit (OU) in Active Directory.
NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term, like this: .*ADM.*.
For Windows and Directory, the search term only has to be contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.
All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.
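The two matching behaviours in the note above (whole-name matching for Unix, substring matching for Windows and Directory, case-sensitive in both) can be modelled before a rule is saved. The following Python is an added example, not code from the Safeguard documentation or product: it assumes that search terms are ordinary regular expressions evaluated with whole-name matching for Unix and search-anywhere matching for Windows and Directory, builds the [Aa][Dd][Mm]-style term from a plain string, and runs the page's terms against a constructed list of account names.

```python
import re
from typing import Iterable, List

# Constructed sample of account names, as an account discovery scan might return them.
SAMPLE_ACCOUNTS = ["ADM", "AADMM", "1ADM2", "adm_backup", "Admin", "root"]


def unix_match(term: str, names: Iterable[str]) -> List[str]:
    """Unix discovery type: the term must match the whole account name (exact match)."""
    pattern = re.compile(term)
    return [n for n in names if pattern.fullmatch(n)]


def windows_match(term: str, names: Iterable[str]) -> List[str]:
    """Windows and Directory discovery types: the term only has to be contained in the name."""
    pattern = re.compile(term)
    return [n for n in names if pattern.search(n)]


def case_classes(literal: str) -> str:
    """Build a case-insensitive term from a plain string the way the note recommends:
    every letter becomes a [Xx] character class; other characters are regex-escaped."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def preview(discovery_type: str, term: str, names: Iterable[str] = SAMPLE_ACCOUNTS) -> List[str]:
    """Dry-run a rule term against a name list, choosing the matcher by Discovery Type.
    Assumption (this example's): types other than Unix, Windows and Directory are not modelled."""
    if discovery_type == "Unix":
        return unix_match(term, names)
    if discovery_type in ("Windows", "Directory"):
        return windows_match(term, names)
    raise ValueError(f"unsupported discovery type for this example: {discovery_type!r}")


if __name__ == "__main__":
    cases = [
        ("Unix", "ADM"),                      # exact: only ADM
        ("Unix", ".*ADM.*"),                  # contains, spelled out for Unix
        ("Windows", "ADM"),                   # contains by default on Windows
        ("Windows", case_classes("adm") + ".*"),  # [Aa][Dd][Mm].* from the note
    ]
    for dtype, term in cases:
        print(f"{dtype:9} {term!r:24} -> {preview(dtype, term)}")
```

Because the Windows and Directory matcher searches anywhere in the name, the term [Aa][Dd][Mm].* also sweeps in names such as AADMM and 1ADM2 that merely contain adm, so a rule intended for accounts that start with adm can pull more accounts under management than planned; the Preview button in the rule dialog is the place to confirm the result set before saving.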
To add an Account Discovery rule
- Navigate to Asset Management > Discovery > Accounts.
- Select an existing account discovery job, and click View Details.
- On the Account Discovery Rules tab, click Edit.
- Click Add to open the New Account Discovery Rule dialog.
- Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
- Find By: Select one of the types of search below.
  If the Discovery Type on the previous Account Discovery dialog is Windows, Unix, or Role Based, you can search by Constraints or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
- Name: Select this option to search by account name.
- For a regular search (not directory), in Contains enter the characters to search.
- If you are searching a directory:
- Select Start With or Contains and enter the characters used to search subset within the forest. When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
- Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
- Select Include objects from sub containers to include sub containers in the search.
- Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
- Group: Select this option to search by group name.
- Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password and then enter the password.
- Password Sync Group: Click Browse to select a password sync group to control validation and reset across all associated accounts. You can also use Add to add a new sync group. See: Password sync groups.
- Password Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a password profile that identifies the configuration settings for the discovered accounts. You can also use New Profile to add a new password profile. For more information, see Password Profiles tab (partitions).
- Set default password: If Set default password is selected, the password you enter is a placeholder for the discovered account until the password is changed for the first time on the asset. If Set default password is not selected, no password is stored until the password is changed for the first time on the asset. If the account is requested before the password is changed, an error may result. The default password is set in Safeguard for Privileged Passwords but not on the asset.
  NOTE: If an Account Discovery Rule is configured to set a password, and a password profile (selected via the Assign to Password Profile option) is also configured to automatically change passwords, the change password schedule takes precedence and the account will have its password changed upon discovery.
- SSH Key Sync Group: Click Browse to select the SSH key sync group. For more information, see SSH Key Sync Groups settings.
- SSH Key Profile: If a profile was not automatically assigned for a sync group, click Browse to select an SSH key profile. For more information, see SSH Key Profiles tab (partitions).
- Set default SSH Key: Select to set a default SSH key. On the Import an SSH Key dialog, you can import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK. When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing it. For example, you can run an SSH client program to check that the private key can be used to log in to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.
  NOTE: Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.
- Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
- Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.
- Enable SSH Key Request: This check box is selected by default, indicating that SSH key release requests are enabled for this account. Clear this option to prevent someone from requesting the SSH key for this account. By default, a user can request the SSH key for any account in the scope of the entitlements in which they are an authorized user.
- Enable API Key Request: This check box is selected by default, indicating that API key release requests are enabled for this account. Clear this option to prevent someone from requesting the API key for this account. By default, a user can request the API key for any account in the scope of the entitlements in which they are an authorized user.
- (For directory accounts only) Available for use across all partitions (Global Access): When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
- Tags: This tab allows you to select tags or add new tags with rules.
- Click Apply.
- Click OK to save the Account Discovery job.