지금 지원 담당자와 채팅

라이브 도움말 보기
등록 완료

로그인

가격 산정 요청

영업 담당자에게 문의

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

콘텐츠 탐색

Introduction to One Identity Safeguard for Privileged Passwords

Overview of the entities

Appliance specifications

System requirements and versions

Desktop client system requirements Web client system requirements Web management console system requirements Supported platforms Licenses Long Term Support (LTS) and Feature Releases

Using API and PowerShell tools

Customize the response using API query parameters

Using Safeguard PowerShell

Using the virtual appliance and web management console

Setting up the virtual appliance Virtual appliance backup and recovery Support Kiosk

Cloud deployment considerations

AWS deployment Azure deployment Virtual appliance backup and recovery

Setting up Safeguard for Privileged Passwords for the first time

Step 1: Create the Authorizer Administrator Step 2: Authorizer Administrator creates administrators Step 3: Appliance Administrator configures the appliance Step 4: User Administrator adds users Step 5: Asset Administrator adds managed systems Step 6: Security Policy Administrator adds access request policies

Using the web client

Home My Requests (web client) Personal password vault (web client) Approvals (web client) Reviews (web client) Favorites (web client) My Settings (web client)

Change password (web client) FIDO2 keys (web client)

Log out (web client)

Getting started with the desktop client

Installing the desktop client Starting the desktop client Uninstalling the desktop client

Using the desktop client

Settings (desktop client) User information and log out (desktop client) Desktop client favorite request Desktop client navigation pane

Access Requests

Viewing details

Account Automation

Running an entitlement report Running an ownership report Converting time stamps

Administrative Tools

Toolbar options

Activity Center

Applying search criteria Saving search criteria Generating an activity audit log report Scheduling an activity audit log report Editing or deleting a saved search or scheduled report Viewing event details Auditing request workflow Filtering report results Sorting report results

Search by attribute

Privileged access requests

Configuring alerts

Toast notifications Email notifications

Password release request workflow

Requesting a password release

Taking action on a password release request

Approving a password release request Reviewing a completed password release request

SSH key release request workflow

Requesting an SSH key release

Taking action on an SSH key release request

Approving an SSH key release request Reviewing a completed SSH key release request

Session request workflow

About sessions and recordings Requesting session access

Taking action on a session request

Approving a session request Launching the SSH client Launching an RDP session Configuring and launching a Remote Desktop Application session Reviewing a session request Replaying a session Following and terminating a "live" session

Viewing task status Stopping a task

General tab/Properties (account) Owners tab (account) Access Request Policies tab (account) Account Groups tab (account) Dependent Assets (account) Check and Change Log tab (account) Discovered SSH Keys (account) History tab (account) Managing accounts

Adding an account Adding a cloud platform account Manually adding a tag to an account Adding an account to one or more account groups Deleting an account Adding users or user groups to an account Importing objects

Creating an import file

Checking, changing, or setting an account password Viewing password archive Checking, changing, or setting an SSH key Viewing SSH key archive

General/Properties tab (account group) Accounts tab (account group) Access Request Policies tab (account group) History tab (account group) Managing account groups

Adding an account group Adding a dynamic account group

General tab (add dynamic account group) Account Rules tab (add dynamic account group) Summary tab (add dynamic account group)

Adding one or more accounts to an account group Adding accounts to an access request policy Deleting an account group

General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets

Adding an asset (desktop client)

General tab (add asset desktop client) Management tab (add asset desktop client) Connection tab (add asset desktop client)

About service accounts About Test Connection SSH Key (add asset desktop client) Directory Account (add asset desktop client) Starling Connect (add asset desktop client) Local System Account (add asset desktop client) Password (local service account desktop client) Access Key (add asset desktop client) None

Attributes tab (add asset desktop client)

Adding an asset (web client)

General tab (add asset web client) Connection tab (add asset web client)

About service accounts About Test Connection SSH Key (web client) Directory Account (web client) Starling Connect (web client) Local System Account (web client) Password (local service account web client) Access Key (web client) None

Management tab (add asset web client) Attributes tab (edit asset web client)

Checking an asset's connectivity Assigning an asset to a partition Assigning a profile to an asset Manually adding a tag to an asset Adding an account to an asset Adding account dependencies Adding users or user groups to an asset Adding an asset to asset groups Deleting an asset Account Discovery tab (add asset) Importing objects Downloading a public SSH key

General/Properties tab (asset group) Assets tab (asset group) Access Request Policies tab (asset group) History tab (asset group) Managing asset groups

Adding an asset group Adding a dynamic asset group

General tab (add dynamic asset group) Asset Rules tab (add dynamic asset group) Summary tab (add dynamic asset group)

Adding assets to an asset group Deleting an asset group

Asset Discovery

Asset Discovery job workflow Adding an Asset Discovery job

General tab (asset discovery) Information tab (asset discovery) Rules/Asset Discovery Rules tab (asset discovery)

Add Condition (asset discovery) Edit Connection Template (asset discovery) Add Asset Profile (asset discovery)

Schedule tab (asset discovery) Summary tab (asset discovery)

Deleting an Asset Discovery job

Asset Discovery Results Account Discovery

Account Discovery job workflow Adding an Account Discovery job

Adding an Account Discovery rule

Deleting an Account Discovery job

Account Discovery Results Discovered Accounts Service Discovery Results Discovered Services SSH Key Discovery

SSH Key Discovery job workflow Adding an SSH Key Discovery job SSH Key Discovery Results Discovered SSH Keys

General tab (entitlements) Users tab (entitlements) Access Request Policies tab (entitlements) History tab (entitlements) Managing entitlements

Adding an entitlement (desktop client) Adding an entitlement (web client) How Safeguard for Privileged Passwords evaluates policy when a user submits an access request Creating an access request policy (desktop client)

General tab (create access request policy desktop client) Scope tab (create access request policy desktop client) Requester tab (create access request policy desktop client) Approver tab (create access request policy desktop client) Reviewer tab (create access request policy desktop client) Access Config tab (create access request policy desktop client) Session Settings tab (create access request policy desktop client) Time Restrictions tab (create access request policy desktop client) Emergency tab (create access request policy desktop client)

Creating an access request policy (web client)

General tab (create access request policy web client) Security tab (create access request policy web client) Scope tab (create access request policy web client) Workflow tab (create access request policy web client)

Adding users or user groups to an entitlement Deleting an access request policy Modifying an access request policy Copying an access request policy Viewing and editing policy details Deleting an entitlement

Linked Accounts

Users (linked accounts) Accounts (linked accounts) Managing linked accounts

Linking a user to an account Linking an account to a user Removing a linked account from a user Removing a user from a linked account

About profiles General/Properties tab (partitions) Assets tab (partitions) Accounts tab (partitions) Owners tab (partitions) Password Profiles tab (partitions) SSH Key Profiles tab (partitions) History tab (partitions) Managing partitions

Adding a partition Adding assets to a partition Adding an account to a partition (web client) Removing assets from a partition Adding users or user groups to a partition Creating a password profile Creating an SSH key profile Setting a default partition Setting a default profile Assigning assets or accounts to a password profile and SSH key profile Deleting a partition

Password Profiles (profiles)

Properties tab (profiles) Assets tab (profiles) Accounts tab (profiles) View Password Profile Components (profiles)

SSH Key Profiles (profiles)

View SSH Key Profile Components (profiles)

Managing profiles

Adding a password profile Setting a default password profile Deleting a password profile Adding an SSH key profile Setting a default SSH key profile Deleting an SSH key profile

Access Request settings

Enable or disable access request and services Reasons

Appliance settings

Appliance Diagnostics Appliance Information

Shutting down the appliance Restarting the appliance Setting the appliance name

Debug Enable or disable A2A and audit log stream Factory Reset Licensing settings Lights Out Management (BMC) Network Diagnostics

ARP Netstat NS Lookup Ping Show Routes Telnet Throughput Trace Route

Networking Operating System Licensing SSH Algorithms Patch Updates Power Support bundle Time Updates

Asset Management settings

Custom platforms

Creating a custom platform script Adding a custom platform

Registered Connectors

Adding a registered connector

Adding a tag for tagging of assets or asset accounts Deleting an asset or asset account tag Modifying an asset or asset account tag Copying an asset or asset account tag to another partition Viewing asset and asset account tag assignments

Backup and Retention settings

About backups Archive servers

Adding an archive server

Audit Log Maintenance Backup and Restore

Run Now Download a backup Upload a backup Restore a backup Archive backup Backup settings Backup protection settings

Backup Retention Authorize VM Compatible Backups (web client)

Certificates settings

About Certificate Signing Requests (CSRs) Audit Log Signing Certificate

Creating an audit log Certificate Signing Request Installing an audit log certificate

Certificate Signing Request Hardware Security Module Certificates

Installing a Hardware Security Module client certificate Assigning a Hardware Security Module client certificate Uploading a Hardware Security Module server certificate

SMTP Certificate

Creating an SMTP Certificate Signing Request Installing an SMTP certificate

SSL/TLS Certificates

Creating an SSL/TLS Certificate Signing Request Installing an SSL/TLS certificate Assigning an SSL/TLS certificate to appliances

Syslog Client Certificate

Creating a syslog client Certificate Signing Request Installing a syslog client certificate

Trusted CA Certificates

Adding a trusted certificate Removing a trusted certificate

Cluster settings

Cluster Management

Unlocking a locked cluster

Managed Networks

Adding a managed network Deleting a managed network Resolving IP address

Offline Workflow (automatic)

Enable automatic Offline Workflow Manually override automatic Offline Workflow

Session Appliances with SPS link

Enable or Disable Services settings External Integration settings

Application to Application

About Application to Application functionality Setting up Application to Application Adding an application registration Deleting an application registration Regenerating an API key Making a request using the Application to Application service

Approval Anywhere

Adding authorized user for Approval Anywhere

Enabling email notifications

Email Templates Hardware Security Module SNMP

Configuring SNMP subscriptions Verifying SNMP configuration

Join Starling After joining Starling Unjoin Starling

Cloud Assistant

Adding authorized user for Cloud Assistant

Configuring and verifying a syslog server

Add a syslog event subscriber

Ticketing systems

ServiceNow ticketing system integration Remedy ticketing system integration Not integrated with ticketing system

Trusted Servers, CORS, and Redirects

Password Management settings

Account Password Rules

Adding an account password rule

Change Password

Adding change password settings

Adding check password settings

Password sync groups

Adding a password sync group Modifying a password sync group

Real-Time Reports Safeguard Access settings

Messaging settings

Login Notification Message of the Day

Local Login Control Local Password Rule

Modifying user password requirements

Time Zone Identity and Authentication

Authentication provider combinations Adding identity and authentication providers

SSH Key Management settings

Change SSH Key settings

Adding SSH key change settings

Check SSH Key settings

Adding SSH key check settings

Discover SSH Key settings

Adding SSH key discovery

SSH Key Sync Groups settings

Adding SSH key sync groups Modifying SSH key sync groups

Security Policy Settings

General/Properties tab (user) User Groups tab (user) Owned Objects tab (user) Entitlements tab (user) Linked Accounts tab (user) History (user) Managing users

Identity tab (add user) Authentication tab (add user) Location tab (add user) Permissions tab (add user)

Requiring secondary authentication log in

Configuring user for Starling Two-Factor Authentication when logging in to Safeguard

Adding a user to user groups Adding a user to entitlements Linking a directory account to a user Activating or deactivating a user account Deleting a user Importing objects Setting a local user's password Unlocking a local user's account

General/Properties tab (user groups) Users tab (user groups) Entitlements tab (user groups) History tab (user groups) Managing user groups

Adding a user group Adding a directory user group Adding users to a user group Adding a user group to an entitlement Deleting a user group

Disaster recovery and clusters

Enrolling replicas into a cluster Unjoining replicas from a cluster Maintaining and diagnosing cluster members

About Offline Workflow Mode

Manually control Offline Workflow Mode

Failing over to a replica by promoting it to be the new primary Activating a read-only appliance Diagnosing a cluster member Patching cluster members

About cluster patching

Using a backup to restore a clustered appliance Resetting a cluster that has lost consensus Performing a factory reset Unlocking a locked cluster

Troubleshooting tips

Appliance states

Administrator permissions

Appliance Administrator permissions Asset Administrator permissions Auditor permissions Authorizer Administrator permissions Help Desk Administrator permissions Operations Administrator permissions Security Policy Administrator permissions User Administrator permissions

Preparing systems for management

Preparing ACF - Mainframe systems Preparing Amazon Web Services platforms Preparing Cisco devices Preparing Dell iDRAC devices Preparing VMware ESXi hosts Preparing Fortinet FortiOS devices Preparing F5 Big-IP devices Preparing HP iLO servers Preparing HP iLO MP (Management Processors) Preparing IBM i (AS/400) systems Preparing JunOS Juniper Networks systems Preparing MongoDB Preparing MySQL servers Preparing Oracle databases Preparing PAN-OS (Palo Alto) networks Preparing PostgreSQL Preparing RACF mainframe systems Preparing SAP HANA Preparing SAP Netweaver Application Servers Preparing Sybase (Adaptive Server Enterprise) servers Preparing SonicOS devices Preparing SonicWALL SMA or CMS appliances Preparing SQL Servers Preparing Top Secret mainframe systems Preparing Unix-based systems Preparing Windows systems Preparing WinRM systems Preparing Windows SSH systems Minimum required permissions for Windows assets

Troubleshooting

Appliance is sick Connectivity failures

Change password or SSH key fails Incorrect authentication credentials Missing or incorrect SSH host key No cipher supported error Service account has insufficient privileges

Cannot connect to remote machine through SSH or RDP Cannot delete account Cannot play session message Domain user denied access to Safeguard for Privileged Passwords LCD status messages

Appliance LCD and controls

My Mac keychain password or SSH key was lost Password fails for Unix host Password or SSH key is pending review Password or SSH key is pending a reset Password or SSH key profile did not run Recovery Kiosk (Serial Kiosk)

Appliance information (Recovery Kiosk) Power options

Rebooting the appliance Shutting down the appliance

Admin password reset Factory reset from the Recovery Kiosk Support bundle

Replica not adding System services did not update or restart after password or SSH key change Test Connection failures

Test Connection failures on archive server Certificate issue Cipher support Domain controller issue Networking issue Windows WMI connection

Timeout errors causing operations to fail User locked out User not notified

Frequently asked questions

How do I audit transaction activity How do I configure external federation authentication

How do I add an external federation provider trust How do I create a relying party trust for the STS How do I add an external federation user account

How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I set up telnet and TN3270/TN5250 session access requests How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine When does the rules engine run for dynamic grouping and tagging Why did the password or SSH key change during an open request

Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Preparing Amazon Web Services platforms

Safeguard for Privileged Passwords supports Amazon Web Services (AWS), a secure cloud services platform.

When adding an Amazon Web Services asset, the Network Address must contain the AWS Account ID or Alias.

To prepare Amazon Web Services platforms for Safeguard for Privileged Passwords

In Safeguard for Privileged Passwords:
1. Add Amazon's certificate and AWS certificate's root certificate authority (CA) to the Trusted Certificates store in Safeguard for Privileged Passwords.
2. Configure an Identity and Access Management (IAM) user to use as a service account.
3. Assign the IAM service account to the AdministratorAccess security policy.
In Amazon:
1. Create an access key for the IAM service account. Amazon creates a pair of data items called a Secret Key and a public Access Key ID. Take a note of both the Access Key ID and Secret Key. You will need them when you add the Amazon Web Services asset to Safeguard for Privileged Passwords.

Preparing Cisco devices

There are 4 Cisco platforms supported in Safeguard for Privileged Passwords:

Cisco ISE CLI platform: Safeguard for Privileged Passwords uses a local service account to manage accounts on the ISE CLI platform using SSH.
Cisco IOS/ASA platform: Cisco IOS/ASA platforms can be configured in the following ways to manage local accounts using SSH:
- Safeguard for Privileged Passwords uses a local service account to manage accounts on the Cisco device.
- If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Cisco ISE directory asset to manage the Cisco device.
- If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that is integrated with an Active Directory domain that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Active Directory asset to manage accounts on the Cisco device.
Cisco ISE platform: Cisco ISE is managed as a directory asset in Safeguard for Privileged Passwords. It uses REST and TACACS+ to manage local accounts. It supports account discovery and password management. It does not support directory synchronization, asset discovery, or service discovery.
Cisco NX-OS platform: In order to perform all required operations on users, the service account used requires at least network-admin privileges.

Closed

Cisco ISE CLI platform

Closed

Cisco IOS/ASA platform

Closed

Cisco ISE platform

Closed

Cisco NX-OS platform

Preparing Dell iDRAC devices

Safeguard for Privileged Passwordssupports the Dell Remote Access Controller that is integrated with Dell PowerEdge servers. Safeguard for Privileged Passwords uses the SSH protocol to connect to iDRAC devices.

To prepare an iDRAC device for Safeguard for Privileged Passwords

Use iDRAC to create a service account with administrator privileges and assign it a password.

The service account must have login privileges and must be able to configure users.
Verify that SSH is enabled in the iDRAC Network settings.
In Safeguard for Privileged Passwords, create the asset and accounts for the iDRAC device using password authentication.

Preparing VMware ESXi hosts

Safeguard for Privileged Passwords supports VMware ESXi hosts.

IMPORTANT: Safeguard for Privileged Passwords can only manage local users on a VMware host.

To prepare a VMware ESXi host for Safeguard for Privileged Passwords

Use an existing account or create a new account as the service account on the asset and assign it a password.

The default administrator account is suitable.
Grant the service account the privileges required to set user passwords using the web management API.
When adding a VMware ESXi host to Safeguard for Privileged Passwords:
1. Specify the network address.
2. Specify port 443 as the HTTPS port.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책 Cookie Preference Center