Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.9 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Modifying an entitlement

To modify an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement.
  3. Select the view of the entitlement's information you want to modify (General, Users, or Access Request Policies).

    For example:

    • To change the selected entitlement's name, description, or time restrictions, double-click the General information on the General tab or click the  Edit icon.

      NOTE: You can also double-click an entitlement name to open the General settings edit window.

    • To add authorized requesters to the selected entitlement, switch to the Users tab.

      For more information, see Adding users or user groups to an entitlement.

    • To modify an access request policy, switch to the Access Request Policies tab.

      For more information about access request policy details, see Creating an access request policy.

  4. To view or export the details of each operation that has affected the selected entitlement, switch to the History tab. For more information, see History tab.

Deleting an entitlement

IMPORTANT: When you delete an entitlement, Safeguard for Privileged Passwords deletes all access request policies associated with that entitlement.

To delete an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement from the object list.
  3. Click Delete Selected.
  4. Enter the name of the entitlement to confirm you want to delete the entitlement.

Partitions

A partition is a named container for assets that can be used to segregate assets for delegated management. It is the responsibility of the Asset Administrator to add partitions to Safeguard for Privileged Passwords. Partitions allow you to set up multiple asset managers, each with the ability to define password guidelines for the managed systems in their own workspace. Typically, you partition assets by geographical location, owner, function, or by operating system. For example, Safeguard for Privileged Passwords can enable you to group Unix assets in a partition and delegate the Unix administrator to manage it. Every partition should have a partition owner. For more information, see Adding a partition.

You must assign all assets, and the accounts associated with them, to a partition. By default, Safeguard for Privileged Passwords assigns all assets and their associated accounts to the default partition, but you can set a different partition as the default.

Navigate to Administrative Tools | Partitions to display the following information about the selected partition.

Use these toolbar buttons to manage partitions.

About partition profiles

The partition profile includes the schedules and rules governing the partition’s assigned assets and the assets' accounts. For example, the partition profile defines how often a password check is required on an asset or account.

A partition can have multiple partition profiles, each assigned to different assets, if desired. An account is governed by only one profile. If an account is not explicitly assigned to a profile, the account is governed by the one assigned to the parent asset. If that asset does not have an assigned profile, the partition's default profile is assigned. When updating or restarting a service on a password change, the profile assigned to the asset is used for dependent account service modifications. For more information, see Adding change password settings.

When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. You can create multiple profiles to govern the accounts assigned to a partition. Both assets and accounts are assigned to the scope of a profile.

For example, suppose you have an asset with 12 accounts and you configure the partition profile to check and change passwords every 60 days. If you want the password managed for one of those accounts every seven days, you can create another profile and add the individual account to the new profile. Now, Safeguard for Privileged Passwords will check and change all the passwords on this asset every 60 days except for this account, which will change every seven days.

Implicit and explicit association

It is important to understand the difference between implicit and explicit assignments to a profile.

Implicit associations

Safeguard for Privileged Passwords makes implicit assignments. For example, when you add an asset to Safeguard for Privileged Passwords, it automatically adds the asset to the default partition and assigns it to the scope of the default profile. This is called implicit association. Assets implicitly inherit the partition's default profile. Similarly, accounts inherit their parent asset’s profile. That means when you add an account to an asset, Safeguard for Privileged Passwords implicitly adds that account to its asset’s profile.

Later, if you reassign the asset to another profile, Safeguard for Privileged Passwords automatically reassigns all of the asset’s associated accounts to the new profile.

Explicit associations

Safeguard for Privileged Passwords allows you to explicitly add an asset or an account to a specific profile. When you explicitly assign an asset to a profile, it overrides the implicit inheritance from the partition so the asset's profile is no longer determined by its partition. Similarly, when you explicitly assign an account to a profile, Safeguard for Privileged Passwords overrides the implicit inheritance from the asset and the account’s profile is no longer determined by its asset.

Now, if you reassign the asset to another profile, Safeguard for Privileged Passwords will not reassign the asset’s associated accounts that were explicitly assigned to the old profile.

Resetting the default profile

If you set another profile as the default, Safeguard for Privileged Passwords implicitly reassigns all assets and their associated accounts to that new default, but it will not reassign any assets or accounts that you have explicitly assigned to a profile. Once the implicit inheritance is broken, changing a partition's default profile has no effect on the scope of a profile. For more information, see Setting a default partition profile.

Related Topics

Assigning assets or accounts to a profile

Assigning a profile to an asset

Account Password Rules

How do I manage accounts on unsupported platforms

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating