
One Identity Safeguard for Privileged Passwords 6.0.11 LTS - Administration Guide


Account Discovery

Account Discovery jobs include the rules Safeguard for Privileged Passwords uses to perform account discovery against assets. When you add an Account Discovery job, you can identify whether or not to automatically manage found accounts, whether to discover services, and whether to automatically configure dependent systems.

The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account.

To configure and schedule Account Discovery jobs, perform one of the following:

  • You can create or edit an Account Discovery job from Administrative Tools | Discovery | Account Discovery. Then, associate assets to the Account Discovery job via the Occurrences button.

    IMPORTANT: You must click Occurrences to associate assets to the Account Discovery job. If you do not associate the assets to the Account Discovery job, the accounts will not be found.

  • You can create or edit an asset and, in the process, assign or create an Account Discovery job. For more information, see Adding an asset.
Supported platforms

Safeguard for Privileged Passwords supports account discovery on the following platforms:

  • AIX
  • HP-UX
  • Linux / Unix (based)
  • Mac OS X
  • Solaris
  • Windows (services and tasks)
Properties and toolbar

Navigate to Administrative Tools | Discovery | Account Discovery.

Use these toolbar buttons to manage the Account Discovery jobs.

Table 73: Account Discovery: Toolbar

  • Add: Add an Account Discovery job. For more information, see Adding an Account Discovery job.
  • Delete Selected: Delete the selected Account Discovery job.
  • Refresh: Update the list of Account Discovery jobs.
  • Edit: Modify the selected Account Discovery job. You can also double-click a row to open the edit dialog.
  • Discover Accounts: Discover the accounts for the selected Account Discovery job. Select the asset in the Asset dialog. A Task pop-up displays the progress and completion.
  • Discover Services: Discover the services for the selected Account Discovery job. Select the asset in the Asset dialog. A Task pop-up displays the progress and completion.
  • Details: View additional details about the selected Account Discovery job.
  • Occurrences: Add, delete, or refresh the assets associated with the Account Discovery job.

    IMPORTANT: You must associate the assets to the Account Discovery job for the accounts to be found.

  • Search: Enter the character string to be used to search for a match. For more information, see Search box.

Account Discovery jobs display in the grid.

Table 74: Account Discovery: Account Discovery job grid

  • Name: Name of the discovery job.
  • Creator: Indicates the source of the job, for example, Automated System or a specific administrator.
  • Discovery Type: The type of discovery performed, for example, Windows, Unix, or Directory.
  • Directory: The directory on which the discovery job runs.
  • Partition: The partition in which to manage the discovered assets or accounts.
  • Schedule: Designates when the discovery job runs.
  • Discover Services: A check mark displays if the job will discover service accounts.
  • Auto Configure: A check mark displays if the accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset.
  • Asset Count: Total number of assets assigned to the Account Discovery job. A Caution displays if no assets are assigned to the Account Discovery job, because no data will be discovered.

Double-click on an Account Discovery job to view the details.

Table 75: Account Discovery tab properties

  • Partition: The partition on which the Account Discovery job runs.
  • Name: The name of the Account Discovery job.
  • Description: The description of the Account Discovery job.
  • Discovery Type: The platform type, for example, Windows, Unix, or Directory.
  • Directory: If applicable, the directory on which the selected Account Discovery job runs.
  • Schedule: The interval at which the Account Discovery job runs.
  • Rules:
    • Name: Name of the discovery rule.
    • Rule Type: What the search is based on. For example, the rule may be Name based, or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule.
    • Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
    • Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
    • Set default password: A check mark displays if the rule causes default passwords to be set automatically.
    • Assign to Profile: The partition profile assigned.
    • Assign to Sync Group: A check mark displays if the rule automatically associates the accounts with a password sync group.
    • Enable Password Request: A check mark displays if the password is available for release.
    • Enable Session Request: A check mark displays if session access is enabled.

Account Discovery job workflow

The Account Discovery jobs of Safeguard for Privileged Passwords discover accounts on the assets that are in the scope of a partition profile. For more information, see About partition profiles. Account Discovery jobs can include service discovery.

You can configure, schedule, test, and run Account Discovery jobs. After the job has run, you can select whether to manage the account, if it was not identified to be automatically managed.

  1. Create an Account Discovery job and associate assets or create an asset and associate the Account Discovery job.
  2. Account Discovery jobs can be scheduled to run automatically. In addition, you can manually launch these jobs in any of the following ways:

  3. After the Account Discovery job runs, you can mark the managed accounts from Administrative Tools | Discovery | Discovered Accounts.

    • Click Disable to prevent Safeguard for Privileged Passwords from managing the selected account.
    • Click Enable to manage the selected account and assign it to the scope of the default profile.

    NOTE: The discovery job finds all accounts that match the discovery rule's criteria regardless of the state and reports only the accounts discovered that do not currently exist. Account Discovery does not update existing accounts.

Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the account discovery events in the Account Discovery Activity category.

Adding an Account Discovery job

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account Discovery job workflow.

To add an Account Discovery job

  1. Navigate to Administrative Tools | Discovery | Account Discovery.
  2. Click Add to open the Account Discovery dialog.
  3. Provide the following:
    1. Partition: Browse to select a partition.
    2. Name: Enter a name for the account discovery job. Limit: 50 characters.

    3. Description: Enter descriptive text about the account discovery job. Limit: 255 characters

    4. Discovery Type: The platform, for example, Windows, Unix, or Directory. Make sure the Discovery Type is valid for the assets associated with the Partition selected earlier on this dialog.
    5. Directory: If the Discovery Type is Directory, select the directory on which the Account Discovery job runs.
    6. Click the Schedule button and choose an interval at which to run the Account Discovery job.

      In the Schedule dialog, select Run Every to run the job according to the run details you enter. (If you deselect Run Every, the schedule details are lost.)

      • Configure the following.

        To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

        • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
        • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

        • Days: The job runs on the frequency of days and the time you enter.

          For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

        • Weeks: The job runs per the frequency of weeks at the time and on the days you specify.

          For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

        • Months: The job runs on the frequency of months at the time and on the day you specify.

          For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

      • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Delete to control multiple time restrictions. Each time window must be at least one minute apart from the others and must not overlap them.

        For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

        Enter Every 10 Minutes and Use Time Windows:

        • Start 10:00:00 PM and End 11:59:00 AM
        • Start 12:00:00 AM and End 2:00:00 AM

          An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

        If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

        For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

        For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

      • Time Zone: Select the time zone.
    7. Rules: You can add, delete, edit or copy rules. For more information, see Adding an Account Discovery rule.
    8. Discover Services: (For Windows accounts only and deselected by default.) Select this check box so that when the discovery job is run, services are discovered and can be viewed by clicking the Discovered Services tile. For more information, see Discovered Services.

      For more information, see Adding an Account Discovery job.

      Automatically Configure Dependent Systems: (For Windows accounts only and deselected by default.) Select this check box so that any directory accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. The dependencies are listed on Administrative Tools | Assets | Account Dependencies. If you clear the check box and run the account discovery job again, the dependencies are not removed. Dependencies can be manually removed from Administrative Tools | Assets | Account Dependencies. For more information, see Account Dependencies tab (asset).

  4. Click OK.
  5. Select the assets to which the account discovery rule applies using one of these approaches:
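The time-window rules from the Schedule dialog in step 6 (End after Start, no overlap, at least one minute apart) applied to the guide's own "every ten minutes from 10 p.m. to 2 a.m." example, as an added example that is not code from One Identity or the Safeguard product; anchoring the "Every N Minutes" cycle at midnight is an assumption here.

```python
"""Check Schedule dialog time windows the way the guide describes and list
when an 'Every N Minutes' job would fire inside them.

Added example, not code from One Identity or the Safeguard product. The rules
are the ones the guide states: End must be after Start, windows must not
overlap, and they must be at least one minute apart. Anchoring the
'Every N Minutes' cycle at midnight is an assumption of this example."""
from datetime import time


def _minute_of_day(t) -> int:
    """Accept datetime.time or a 24-hour 'HH:MM' string."""
    if isinstance(t, str):
        hours, minutes = t.split(":")
        return int(hours) * 60 + int(minutes)
    return t.hour * 60 + t.minute


def _fmt(t) -> str:
    m = _minute_of_day(t)
    return time(m // 60, m % 60).strftime("%I:%M %p")


def window_problems(windows) -> list[str]:
    """Reasons the dialog would reject these (start, end) windows; [] if valid.

    A window crossing midnight (Start 10:00 PM, End 2:00 AM) is rejected just
    as the guide says: split it into 10:00 PM-11:59 PM and 12:00 AM-2:00 AM."""
    problems = [f"end time {_fmt(e)} must be after start time {_fmt(s)}"
                for s, e in windows if _minute_of_day(e) <= _minute_of_day(s)]
    if problems:
        return problems
    ordered = sorted(windows, key=lambda w: _minute_of_day(w[0]))
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        gap = _minute_of_day(s2) - _minute_of_day(e1)
        pair = f"windows {_fmt(s1)}-{_fmt(e1)} and {_fmt(s2)}-{_fmt(e2)}"
        if gap < 0:
            problems.append(f"{pair} overlap")
        elif gap < 1:
            problems.append(f"{pair} must be at least one minute apart")
    return problems


def run_times(every_minutes: int, windows) -> list[time]:
    """Times of day at which 'Every <every_minutes> Minutes' fires within the windows."""
    problems = window_problems(windows)
    if problems:
        raise ValueError("; ".join(problems))
    spans = [(_minute_of_day(s), _minute_of_day(e)) for s, e in windows]
    return [time(m // 60, m % 60) for m in range(0, 24 * 60, every_minutes)
            if any(lo <= m <= hi for lo, hi in spans)]


# Constructed after the guide's example: every ten minutes, 10 p.m. to 2 a.m., split at midnight.
NIGHT_WINDOWS = [("22:00", "23:59"), ("00:00", "02:00")]

if __name__ == "__main__":
    fires = run_times(10, NIGHT_WINDOWS)
    print(len(fires), "runs; first", _fmt(fires[0]), "last", _fmt(fires[-1]))
    print(window_problems([("22:00", "02:00")]))
```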

Adding an Account Discovery rule

Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.

You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or on whether the account is in an organizational unit (OU) in Active Directory.

NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.

For Windows and Directory, the search term is matched if it is contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.

All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.

To add an Account Discovery rule

  1. On the Account Discovery dialog, click Add Discovery Rule to open the Account Discovery Rule dialog.
  2. Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
  3. Find By: Select one of the types of search below.
    If the Discovery Type on the previous Account Discovery dialog is Windows or Unix, you can search by Property Constraint or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
      • Name: Select this option to search by account name.
        • For a regular search (not directory), in Contains enter the characters to search.
        • If you are searching a directory:
          • Select Starts With or Contains and enter the characters used to search a subset of the forest.
            When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • Select Include objects from sub containers to include sub containers in the search.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Group: Select this option to search by group name.
        • Click Add to launch the Group dialog.
        • Starts with or Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

        • Filter Search Location. Click Browse to select a container to search within the directory.
        • Include objects from sub containers: Select this check box to include child objects.
        • Select the group to add: The results of the search display in this grid. Select one or more groups to add to the discovery job.
        • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Property Constraint: Select this option to search for accounts based on an account's property. Available Unix properties are GID, UID, Name, and Group. Available Windows and Directory properties are RID, GID, UID, Name, and Group. All are limited to 255 numeric characters.

        IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.

        • Selections:

          • RID (ranges): RID property only applies to Windows and Microsoft Active Directory. Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1000 and press Enter. Then type in 5000-7000 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.
          • GID (ranges): Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 8 and press Enter. Type in 10-12 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.

          • UID (ranges): Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1 and press Enter. Then type in 5-7 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.

          • Name (ranges): Using Name (ranges) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name. For an OpenLDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.

          • Group (ranges): Using Group (ranges) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name. For an OpenLDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions.

        • If you are searching a directory:
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • To include sub containers in your search, select Include objects from sub containers.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • LDAP Filter: Select this option to search for accounts using an LDAP query. Type an LDAP query into the field.
      • Find All: This option is selected by default and will find all accounts based on the rules.
        • If you are searching a directory:
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • To include sub containers in your search, select Include objects from sub containers.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
  4. Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password then enter the password.
  5. Assign to Sync Group: Click Browse to select a password sync group to control password validation and reset across all associated accounts. For more information, see Password sync groups.
  6. Assign to Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a profile to identify the configuration settings for the discovered accounts. For more information, see About partition profiles.
  7. Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
  8. Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.
  9. (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
  10. Click OK. The Account Discovery dialog displays a list of the rules for this Account Discovery job.
  11. Click OK to save the Account Discovery job.
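The matching semantics described in the NOTE above (exact match on Unix, contained-in match on Windows and Directory, case sensitive everywhere) and the one-element-at-a-time ID ranges of the Property Constraint rule, applied to constructed account records, as an added example that is not code from One Identity or the Safeguard product; the Account record and the rule dictionary are assumptions of this example.

```python
"""Evaluate Account Discovery rules of the kinds the guide describes against
constructed account records: a Name rule (regular expression, whole-name match
on Unix, contained-in match on Windows and Directory, case sensitive on every
platform) and a Property Constraint rule over UID/GID ranges entered one
element at a time ('1000', then '5000-7000'; spaces and commas are rejected).

Added example, not code from One Identity or the Safeguard product; the
matching semantics are the guide's, the Account record and rule dict are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int


def name_matches(pattern: str, name: str, discovery_type: str) -> bool:
    """Unix rules return exact matches only; Windows and Directory rules
    return any name that contains a match. Neither ignores case."""
    if discovery_type == "Unix":
        return re.fullmatch(pattern, name) is not None
    return re.search(pattern, name) is not None


_ELEMENT = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_ranges(elements: list[str]) -> list[tuple[int, int]]:
    """One ID or one low-high range per element, as typed into the dialog."""
    ranges = []
    for element in elements:
        m = _ELEMENT.match(element)
        if m is None:  # '1000, 5000' or '5 - 7' are not accepted
            raise ValueError(f"{element!r}: one ID or one range per element, no spaces or commas")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if high < low:
            raise ValueError(f"{element!r}: range end is below its start")
        ranges.append((low, high))
    return ranges


def discover(accounts: list[Account], rule: dict) -> list[str]:
    """Names of the accounts a rule reports. Rule keys (assumed):
    find_by: 'Name' | 'UID' | 'GID' | 'Find All'; discovery_type: 'Unix' |
    'Windows' | 'Directory'; pattern (for Name) or elements (for UID/GID)."""
    find_by = rule["find_by"]
    if find_by == "Find All":
        return [a.name for a in accounts]
    if find_by == "Name":
        return [a.name for a in accounts
                if name_matches(rule["pattern"], a.name, rule["discovery_type"])]
    ranges = parse_ranges(rule["elements"])
    value_of = {"UID": lambda a: a.uid, "GID": lambda a: a.gid}[find_by]
    return [a.name for a in accounts if any(lo <= value_of(a) <= hi for lo, hi in ranges)]


# Constructed sample accounts, not data from any real system.
SAMPLE = [Account("ADM", 1000, 10), Account("AADMM", 1001, 10),
          Account("1ADM2", 1002, 11), Account("admin", 6000, 12), Account("root", 0, 0)]

if __name__ == "__main__":
    print(discover(SAMPLE, {"find_by": "Name", "discovery_type": "Unix", "pattern": "ADM"}))
    print(discover(SAMPLE, {"find_by": "Name", "discovery_type": "Windows", "pattern": "ADM"}))
    print(discover(SAMPLE, {"find_by": "UID", "discovery_type": "Unix", "elements": ["1000", "1001-1002"]}))
```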