Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Modifying SSH key sync groups

desktop client only

You can make modifications to SSH key sync group including the accounts assigned.

To modify an SSH key sync group

  1. Navigate to Administrative Tools | Settings | SSH Key Management | SSH Key Sync Groups.
  2. Select the SSH key sync group, then click Edit.
  3. Modify the Name or Description, if desired.
  4. Click any column in the account list to sort the accounts.
  5. If Enable is selected, the sync runs with the profile change schedule. You cand select or deselect this check box.
  6. Perform any of the following account modifications:
    • Click Add to add an account to the SSH key sync group.
    • Click Remove Selected to remove the selected account from the SSH key sync group. This does not delete the account from Safeguard for Privileged Passwords.
    • Click Refresh to update the account list.
    • Click Sync Now to sync the selected SSH key to match the SSH key sync group. The Status follow:
      • Displays when the SSH key is in sync with the SSH key sync group.
      • Displays if the SSH key is not in sync with the SSH key sync group.

Security Policy Settings

In the web client, Security Policy Management has a settings page used to manage Sessions Password Access and the Audit Log Stream Service.

  • Navigate to Security Policy Management | Settings to manage the settings listed below.
    Table 251: Security Policy Settings
    Setting Description

    Session Password Access Enabled

    Use this toggle to enable or disable session password access. This feature is disabled by default.

    Audit Log Stream Service

    Use this toggle to send Safeguard for Privileged Passwords data to Safeguard for Privileged Sessions (SPS) to audit the Safeguard privileged management software suite. The feature is disabled by default.

    To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.

    SPP and SPS must be linked to use this feature. For more information, see SPP and SPS sessions appliance link guidance.

    While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.

    NOTE: This setting is also available under Appliance Management | Enable or Disable Services. For more information, see Enable or Disable Services settings.

  • Users

    A user is a person who can log in to Safeguard for Privileged Passwords. You can add both local users and directory users. Directory users are users from an external identity store such as Microsoft Active Directory. For more information, see Users and user groups. in Overview of the Entities.

    Your administrator permissions determine what you can view in Users. Users displayed in a faded color are disabled. The following table shows you the tabs that are available to each type of administrator.

    • Authorizer Administrator: General, History
    • User Administrator: General, User Groups (directory users only), History
    • Help Desk Administrator: General, History
    • Auditor: General, Owned Objects, User Groups, Entitlements, Linked Accounts, History
    • Asset Administrator: General, Owned Objects
    • Security Policy Administrator: General, User Groups, Entitlements, Linked Accounts, History

    The Authorizer Administrator typically controls the Enabled/Disabled state. For more information, see Activating or deactivating a user account.

    Go to Users:

    • web client: Navigate to Security Policy Management | Users
    • desktop client: Navigate to Administrative Tools | Users
    Users view

    The Users view displays the following information about a selected user:

    Toolbar

    Use these toolbar buttons to manage users:

    • Add User/New User: Add users to Safeguard for Privileged Passwords. For more information, see Adding a user.
    • Delete Selected /Delete: Remove the selected user. For more information, see Deleting a user.
    • ( web client only) View details: View and edit the details for a selected user.
    • Permissions: Display the Permissions dialog showing what administrative permissions apply to the selected user.
    • ( desktop client only) Import Users: Add users to Safeguard for Privileged Passwords. For more information, see Importing objects.
    • ( desktop client only) User Security: Menu options include: Set Password and Unlock accounts. For more information about these options, refer to Setting a local user's password and Unlocking a local user's account.
    • ( web client only) Set Password: Use this option to set a password for a local user.
    • ( web client only) Unlock: Use this option to unlock the account of a local user.
    • ( web client only) Activate User: Use this option activate the account of a selected user.
    • ( web client only) Deactivate User: Use this option to deactivate the account of a selected user.
    • Refresh: Update the list of users.
    • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box.

    General/Properties tab (user)

    The General/Properties tab lists information about the selected user.

    In the desktop client, large tiles at the top of the tab display the number of Owned Objects, User Groups, Entitlements, and Linked Accounts associated with the selected user, based on the user's permissions. Clicking a tile heading opens the corresponding tab.

    The tiles visible in the desktop client depend on your administrator permissions:

    • All tiles are visible to the Auditor.
    • Owned Objects tile is visible to Asset Administrator.
    • User Groups, Entitlements, and Linked Accounts tiles are visible to Security Policy Administrator.

    To access General/Properties:

    • desktop client: Navigate to Administrative Tools | Users | General.
    • web client: Navigate to User Management | Users | (Edit) | Properties.

    Table 252: Users General/Properties tab: Authentication properties
    Property Description

    Identity

     

    Identity Provider

    The source from which the user’s personal information comes from and is synchronized with.

    Username A user's display name.

    First Name

    The user's first name.

    Last Name

    The user's last name.

    Work Phone

    The user's work telephone number.

    Mobile Phone

    The user's mobile telephone number.

    Email The user's email address.

    ( web client only) Description

    The description text entered the user information was added or updated. This may be entered on the User dialog, Identity tab in the Description text box.

    ( web client only) Location

    User can change their time zone, by default. Or, the User Administrator can prohibit a user from changing the time zone, possibly to ensure adherence to policy. For more information, see Time Zone.

    Authentication

     
    Authentication Provider

    How the user authenticates with Safeguard for Privileged Passwords:

    • Certificate: with a certificate
    • Local: with a user name and password
    • Directory name: with directory credentials

    Login name

    The identifier the user logs in with.

    Domain Name

    If the primary Authentication Provider is a directory, this indicates the directory's domain name.

    Distinguished Name

    The distinguished name for authentication.

    Secondary Authentication

    If you set up a user to require secondary authentication, this indicates the name of this user's secondary authentication service provider.

    Secondary Authentication Username

    The name of the user account on the secondary authentication service provider required at log in.

    web client only: Password Never Expires

    When enabled, this field indicates the password associated with the user does not expire.

    web client only: User Must Change Password at Next Login

    When enabled, this field indicates the user will be prompted to change their password the next time they login.

    ( desktop client only) Location

     
    Time Zone

    User can change their time zone, by default. Or, the User Administrator can prohibit a user from changing the time zone, possibly to ensure adherence to policy. For more information, see Time Zone.

    Permissions

     
    Permissions

    Lists the user's administrator permissions or "Standard User" if user does not have administrative permissions.

    ( desktop client only) Description

     

    Description

    The description text entered the user information was added or updated. This may be entered on the User dialog, Identity tab in the Description text box.

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating