Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Manually override automatic Offline Workflow

Use the Offline Workflow page to manually enable offline workflow or resume online operations.

For details on either of these operations, see Manually control Offline Workflow Mode.

Before resuming online operations, see Considerations to resume online operations.

To manually Enable Offline Workflow

This option is only available when the appliance has lost consensus with the cluster.

  1. Go to Enable Offline Workflow:
    • web client: Navigate to Cluster > Offline Workflow.
  2. Click Enable Offline Workflow to manually trigger Offline Workflow Mode.
  3. In the dialog box, type in Enable Offline Workflow and click Enter. The appliance is in Offline Workflow Mode and enters maintenance. 
  4. You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management..

To manually Resume Online Operations

  • This option is only available when the appliance is in Offline Workflow Mode.
    1. Go to Offline Workflow:
      • web client: Navigate to Cluster > Offline Workflow.
    2. Click Resume Online Operations to manually trigger moving the appliance from Offline Workflow Mode back to online operations.
    3. In the dialog box, type in Resume Online Operations and click Enter.
    4. When maintenance is complete, select to restart. The appliance is returned to Maintenance mode.
    5. You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management..
  • Session Appliances with Safeguard for Privileged Sessions link

    The Asset Administrator can link a Safeguard for Privileged Sessions (SPS) cluster to a SPP (SPP) cluster of one appliance or more for session recording and auditing. The actual link must be between the SPP primary and the Safeguard for Privileged Sessions cluster master. This means that the Safeguard for Privileged Sessions cluster is aware of each node in an SPP cluster and vice-versa.

    Once linked, all sessions are initiated by the SPP appliance via an access request and managed by the Safeguard for Privileged Sessions appliance and sessions are recorded via the Sessions Appliance.

    CAUTION: When linking your Safeguard for Privileged Sessions (SPS) deployment to your SPP (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.

    Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0.1 to an SPP version 6.1.

    NOTE: If you have a single node Safeguard for Privileged Sessions cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one Safeguard for Privileged Sessions appliance in the cluster that is capable of recording sessions. See the One Identity Safeguard for Privileged Sessions Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.

    Safeguard for Privileged Passwords link guidance

    Before initiating the link, review the steps and considerations in the link guidance. For more information, see For more information, see SPP and Safeguard for Privileged Sessions appliance link guidance..

    Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.

    CAUTION: Do not switch the role of a Safeguard for Privileged Sessions node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the Safeguard for Privileged Sessions web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about Safeguard for Privileged Sessions nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.

    Standard operating procedure after the initial link

    If you add another Safeguard for Privileged Sessions cluster after the initial link, follow these standard operating procedures:

    1. Add link connections. See Viewing, deleting, or editing link connections.

    2. Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy

    3. Assign the managed networks. For more information, see For more information, see Managed Networks..

    4. Enable the Session Access Enabled toggle.

    If the Safeguard for Privileged Sessions Central Management node is down

    SPP continues to launch sessions on the managed hosts when the Safeguard for Privileged Sessions Central Management node is down. However, as long as the Central Management node is down, SPP cannot validate existing policies nor can it validate the Safeguard for Privileged Sessions cluster topology. For more information, see Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster in the One Identity Safeguard for Privileged Sessions Administration Guide.

    Viewing, deleting, or editing link connections

    Once the link is complete, in the web client, navigate to go to Cluster > Session Appliances.

    The Session Appliances pane displays the following session details.

    Table 42: Session Appliances: Properties
    Property Description

    Host Name

    The host name of the Safeguard for Privileged Sessions appliance host cluster master.

    Managed Hosts

    Other nodes in the Safeguard for Privileged Sessions cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown.

    Network Address

    The network DNS name or IP address of the session connection.

    Connection User

    The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name.

    Thumbprint

    A unique hash value that identifies the certificate.

    Description

    (Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node).

    Double-click a Host Name row to bring up the Session Module Connection dialog.

    Table 43: Session Module Connection: Properties
    Property Description

    Node ID

    The name of the Safeguard for Privileged Sessions Appliance used to authenticate the linked SPS session connection.

    Host Name

    The host name of the Safeguard for Privileged Sessions appliance host cluster master.

    Connection User name

    The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name.

    Description

    (Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node).

    Network Address

    The network DNS name or IP address of the session connection.

    Use Host Name For Launch (not IP address)

    If checked, the connection string used to launch a session uses the host name of the Safeguard for Privileged Sessions appliance rather than the IP address.

    Use these toolbar buttons to manage sessions.

    Table 44: Sessions Management: Toolbar
    Option Description

    Remove

    Remove the selected linked Safeguard for Privileged Sessions session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete.

    Edit

    Modify the selected linked Safeguard for Privileged Sessions session connection Description or Network Address on the Session Module Connection dialog.

    Refresh

    Update the list of linked Safeguard for Privileged Sessions session connections.

    Connection deletion: soft delete versus hard delete

    Depending on your goals, you can perform a soft delete or a hard delete.

    Soft delete the connection

    When a session connection is deleted, the connection information is soft deleted so that a relink of the same Safeguard for Privileged Sessions appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a relink avoids "breaking" all of the Access Request Polices that referenced the previous session connection.

    Hard delete the connection

    A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a relink is not desired or retaining the previous session connection values is preventing a Safeguard for Privileged Sessions appliance from linking or relinking.

    A hard delete can be performed from the API using the following steps for using PowerShell or Swagger.

    Hard delete with PowerShell

    The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete:

    split-safeguardSessionCluster -SessionMaster <name or ID of session master>

    Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>

    For more information, see OneIdentity/safeguard-ps.

    Hard delete with Swagger

    To perform hard deletion with Swagger

    1. In a browser, navigate to https://<your-ip-address>/service/core/swagger.

    2. Authenticate to the service using the Authorize button.

    3. Navigate to Cluster->GET /v4/cluster/SessionModules and click Try it out!.

    4. Identify if the unwanted session connection exists on the list:

      1. If the unwanted session connection exists in the list, then:

        1. Note the ID of the session connection.

        2. Navigate to Cluster DELETE /v4/cluster/SessionModules.

        3. Enter the ID.

        4. Click Try it out!.

        5. Go to step 3.

      2. If the unwanted session connection does not exist in the list, then:

        1. Set the includeDisconnected parameter to true.

        2. Click Try it out!.

        3. If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.

    5. The process is complete and the session connection is permanently removed.

    Global Services

    One Identity Safeguard for Privileged Passwords allows you to enable or disable SPP services from the Global Services page.

    By default, services are disabled for service accounts and for accounts and assets found as part of a discovery job. Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.

    It is the responsibility of the Appliance Administrator to manage these settings.

  • Navigate to Global Services to see the settings listed below.
    • Appliance Administrators can click the Disable All button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services.
    • Click a toggle to change a setting: toggle on and toggle off.
    • Click Refresh to update the information on the page.
    Table 45: Global Services settings

    Setting

    Description

    Disable All

    Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually.

    Requests

    Session Requests

    Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.

    Click the Session Requests toggle to disable this service so sessions can not be requested.

    NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.

    In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details.

    Password Requests

    Password requests are enabled by default, indicating that authorized users can make password release requests

    Click the Password requests toggle to disable this service so passwords can not be requested.

    NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

    SSH Key Requests

    SSH key requests are enabled by default, indicating that authorized users can make SSH key release requests

    Click the SSH Key requests toggle to disable this service so SSH keys can not be requested.

    NOTE: Disabling the SSH Key request service will place any open requests on hold until this service is reenabled.

    API Key Requests

    API key requests are enabled by default, indicating that authorized users can make API key release requests

    Click the API Key requests toggle to disable this service so API keys can not be requested.

    NOTE: Disabling the API Key request service will place any open requests on hold until this service is reenabled.

    Password Management

    Check Password Management

    Check password management is enabled by default, indicating that SPP automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.

    Click the Check password management toggle to disable the password validation service.

    NOTE:SPP enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, SPP allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    Change Password Management

    Change password management is enabled by default, indicating that SPP automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.

    Click the Change password management toggle to disable the password reset service.

    NOTE:SPP enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, SPP allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    SSH Key Management

    Check SSH Key

    SSH key check is enabled by default, indicating that SSH key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Check SSH Key toggle to disable the check service.

    Change SSH Key

    SSH key change is enabled by default, indicating that SSH key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Change SSH Key toggle to disable the change service.

    API Key Management

    Check API Key

    API key check is enabled by default, indicating that API key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Check API Key toggle to disable the check service.

    Change API Key

    API key change is enabled by default, indicating that API key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Change API Key toggle to disable the change service.

    Discovery

    Asset Discovery

    Asset discovery is enabled by default, indicating that available Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. For more information, see Discovery.

    Account Discovery

    Account discovery is enabled by default, indicating that available Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. For more information, see Discovery.

    Service Discovery

    Service discovery is enabled by default, indicating that available Service Discovery jobs find Windows services that run as accounts managed by Safeguard. For more information, see Discovery..

    SSH Key Discovery

    SSH key discovery is enabled by default. With the toggle on, SSH keys in managed accounts are discovered. For more information, see SSH Key Discovery..

    Directory

    Directory Sync

    Directory sync is enabled by default, indicating that additions or deletions to directory assets are synchronized. You can set the number of minutes for synchronization. For more information, see Management tab (add asset).

    Audit Log Stream

    Audit Log Stream Service

    Use this to send SPP data to Safeguard for Privileged Sessions to audit the Safeguard privileged management software suite. The feature is disabled by default.

    To accept SPP data, the Safeguard for Privileged Sessions Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.

    SPP and Safeguard for Privileged Sessions must be linked to use this feature. For more information, see SPP and Safeguard for Privileged Sessions appliance link guidance.

    While the synchronization of SPP and Safeguard for Privileged Sessions is ongoing, Safeguard for Privileged Sessions is not guaranteed to have all of the audit data at any given point due to some latency.

    NOTE: This setting is also available under Security Policy Management > Settings. For more information, see Security Policy Settings.

    SCIM Provisioning

    SCIM Provisioning

    Use this toggle to enable or disable SCIM provisioning on the appliance. For more information, see Adding identity and authentication providers.

    Application to Application

    Application to Application

    Use this toggle to enable or disable the application to application connection behind a web application firewall via the TLS termination reverse proxy.

    The following configuration information is displayed and can be updated using the button:

    • TLS Termination Reverse Proxy Subnet (CIDR format): The subnet for the TLS termination reverse proxy.

    • Service Port: The service port used for connecting. By default this is port 443.

    R
    Table 46: Global Services settings
    Setting Description

    Disable All

    Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually.

  • Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating