Converse agora com nosso suporte
Chat com o suporte

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Deleting an application registration

You can delete a previously configured application registration from SPP.

To delete an application registration

  1. Navigate to Security Policy Management > Application to Application.
  2. Select the application registration to be deleted.
  3. Click the toolbar button.
  4. Confirm your request.

Regenerating an API key

If, as the Security Policy Administrator, you discover that the API key has been stolen or misplaced, you can regenerate the API key at any time. When you regenerate an API key, it invalidates the old API key and prevents any services from using that key to access the Application to Application service.

To regenerate an API key

  1. Log in to the SPP web client as a Security Policy Administrator.
  2. Navigate to Security Policy Management > Application to Application.
  3. Select an application registration from the list and click (Edit).
  4. On the Access Request Broker tab, click (Regenerate).

You can now view or copy the new API key to the clipboard and use this new API key in your third-party application to access the Application to Application interfaces. See Making a request using the Application to Application service.

Making a request using the Application to Application service

Using the Application to Application service, third-party applications can interact with SPP in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the SPP vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to SPP to retrieve a password or start a session.

A third-party application authenticates with SPP using an API key and a client certificate, rather than the bearer token normally used to authenticate SPP API requests. To make a request, you must first retrieve the API key for the application from SPP using an authorized user account (that is, using bearer token authentication), and install the correct certificate on the host that will be making the request. The certificate must be installed in the certificate store of the authorized certificate user that will make the request.

Prerequisites

To make a credential retrieval request from the third-party application

  1. Retrieve the relevant API key for the application from SPP. You can retrieve the API key using the following methods:

    Using the web client:

    • Log in to the SPP client as a Security Policy Administrator.
    • Navigate to Security Policy Management > Application to Application.
    • Select the application and click (Edit).
    • On the Credential Retrieval tab, click .

    Using the SPP API:

    • Use the following URL to retrieve the details of the registered application from the SPP API. The ID property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.

      https://<ApplianceIP>/service/core/v4/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22

    • Use the ID property in the response retrieved for the application registration to retrieve the API key for the selected account from the SPP API.

      https://<Appliance IP>/service/core/v4/A2ARegistrations/<AppId>/RetrievableAccounts?filter=AssetName%20eq%20%22<Asset Name>%22%20and%20AccountName%20eq%20%22<AccountName>%22

  2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
  3. Ensure that the selected certificate is trusted by SPP. That is, install the trusted root certificate in SPP.
  4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.

    • Set the Authorization header in the request to A2A <API key>.
    • The type can be Password or PrivateKey. Note that private keys can only be retrieved for service accounts.
    • Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:

      -CertificateThumbprint <thumbprint>

    To retrieve a credential, use the following request:

    GET https://<ApplianceIP>/service/A2A/v4/Credentials?type=Password
    Host: <ApplianceIP>
    Content-Type: application/json
    Accept: text/plain
    Authorization A2A <API Key>

    This URL returns a string response.

To make an access request broker request from the third-party application

  1. Retrieve the relevant API key for the application from SPP. You can retrieve the API key using the following methods:

    Using the web client:

    • Log in to the SPP client as a Security Policy Administrator.
    • Navigate to Security Policy Management > Application to Application.
    • Select the application and click (Edit).
    • On the Access Request Broker tab, click .

    Using the SPP API:

    • Use the following URL is retrieve the details of the registered application from the SPP API. The Id property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.

      https://<ApplianceIP>/service/core/v4/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22

    • Use the ID retrieved for the application registration to retrieve the API key from the Safeguard API:

      https://<Appliance IP>/service/core/v4/A2ARegistrations/<Id>/AccessRequestBroker/ApiKey
  2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
  3. Ensure that the selected certificate is trusted by SPP. That is, install the trusted root certificate in SPP.
  4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.

    • Set the Authorization header in the request to A2A <API key>.
    • Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:

      -CertificateThumbprint <thumbprint>

    • To create an access request, use the following request:

      POST
      Host: <Appliance IP>
      Accept             application/json
      Content-type       application/json
      Authorization           A2A <API key>
      {
           "ForUser": "<user name>",
           "ForUserId": <user id>,
           "ForProvider": “<providername>”,
      "SystemId": <system id>,
           "SystemName": "<system name>",
           "AccountId": <account id>,
           "AccountName": "<account name>",
           "AccessRequestType": "<request type>",
      “RequestedDurationDays”: <days>
           "RequestedDurationHours": <hours>,
      “RequestedDurationMinutes”: <minutes>,
      “RequestedFor”: “<date>,
           "ReasonCodeId": <reason code id>,
           "ReasonCode": "<reason name>",
           "ReasonComment": "<reason comment>",
      “IsEmergency”: <bool>,
      “TicketNumber”: “<ticket>”
       
      }

      This URL returns the new request if successful.

      Exceptions

      Most of the fields in this access request match those in a normal access request, with the exceptions noted here:

      The following fields are used to identify the target SPP user that will be used to create the request. The result must uniquely identify a valid SPP user for which the application has been granted permission to create an access request. If the search results in multiple matches or no matches, an error is returned.

      • ForUserId: The database ID of a SPP user. This takes priority if it contains a value.
      • ForUser: The name of a SPP user. This value is ignored if ForUserId contains a value.
      • ForProvider: An optional provider name, that can be used to limit the search for ForUser.

      The following fields are used to uniquely identify the target system. If the search results in multiple matches or no matches, an error is returned.

      • SystemId: The database ID of a SPP asset. This field is used to search for a matching asset in the following order:
        • System Name: Exact match on the system name
        • Network Address: Exact match on the network address
        • String search: A string search on all string properties for the asset

      The following fields are used to uniquely identify the target account. If the search results in multiple matches or no matches, an error is returned.

      • AccountId: The database ID of a SPP account. This takes priority if it contains a value.
      • AccountName: This is ignored if AccountId contains a value. This field is used to search for a matching account in the following order:
        • Account Name: Exact match on the account name
        • String search: A string search on all string properties for the account

      The following fields can be used to identify the reason code. If the search results in multiple matches or no matches, the reason code is set to null.

      • ReasonCodeId: The database ID of a predefined reason code. This takes priority if it contains a value.
      • ReasonCode: The name of a predefined reason code. This is ignored if ReasonCodeId contains a value.
    Access request creation

    Once the target user and account have been determined, the Application to Application service attempts to create the access request. Normal policy rules determine whether the attempt is successful.

Cloud Assistant

The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the SPP web application.

The Cloud Assistant feature is enabled when you join SPP to Starling. For more information, see Starling.. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

Go to Cloud Assistant:

  • web client: Navigate to Security Policy Management > Cloud Assistant.

The Cloud Assistant pane displays the following about the users authorized to use the feature.

Table 192: Cloud Assistant: Properties
Setting Description

Name

Name of the SPP user.

NOTE: This user must also be added as an approver in an access request policy.

Username

The username associated with the account.

Authentication Provider

The type of authentication provider.

Identity Provider

The name of the authentication provider for the account.

Domain Name

The name of the domain where the account it located.

Email Address

Valid email address for the authorized user.

Use these toolbar buttons to manage the users authorized to use Cloud Assistant.

Table 193: Cloud Assistant: Toolbar
Setting Description

Add

Add SPP users who are authorized to use this feature to approve (or deny) access requests.

NOTE: These same users must also be added as approvers in an access request policy.

Remove

Remove the selected user as an authorized user.

Refresh

Update the list of users authorized to use Cloud Assistant.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação