Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.5.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Assets

A Safeguard for Privileged Passwords asset is a computer, server, network device, or application managed by a Safeguard for Privileged Passwords Appliance.

It is the responsibility of the Asset Administrator (or delegated partition owner) to add assets and accounts to Safeguard for Privileged Passwords. The Auditor has permission to access Assets. Account owners also have read permissions for the Properties and Accounts tabs for the assets associated with their account.

Before adding assets to Safeguard for Privileged Passwords, you must ensure they are properly configured. For more information, see Preparing systems for management..

Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted.

All assets must be governed by a profile (for more information, see Assigning a profile to an asset). All new assets are automatically governed by the default profile unless otherwise specified.

An asset can only be in one partition at a time (for more information, see Assigning an asset to a partition). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition.

You can identify a default partition and default profile so that when you add assets, the assets are added to the default partition and default profile. For more information, see Setting a default partition..

Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in Safeguard for Privileged Passwords, see Asset Discovery job workflow.

Using a domain controller (DC) asset

You can manage tasks and services on a domain controller (DC) asset. Dependent accounts are managed on the DC asset. A DC asset will only support updating dependent passwords. Account passwords for a domain controller are managed via the directory asset.

  1. Create the DC asset as windows server platform, using a directory authentication for the connection service account. For more information, see Adding an asset.
  2. Ensure that the service account for the task/service you want to manage is defined in the Directory asset. For more information, see Adding an account to an asset..
  3. Add an account dependency for the service account to the DC asset. For more information, see Adding account dependencies..

Using Check Point GAiA

In addition to managing user accounts on the Check Point GAiA platform, Safeguard for Privileged Passwords can also manage the password for the Check Point expert command. The expert password appears as a normal user account in Safeguard for Privileged Passwords except that it is marked as a privileged account. This means that it cannot be used as a service account and you cannot generate or install an SSH key for the account.

The minimum requirements for choosing a service account for Check Point follow:

  • The service account for Check Point must have CLI access enabled and must have the following RBA features enabled:
    • read-write user
    • read-only group
  • In order to manage the expert password, the service account must also have the following RBA features enabled:
    • read-write expert-password-hash
    • read-write expert

To manage SSH keys, the service account must have a Unix shell configured as the login shell. If the UID is not 0, then sudo privileges will be required to elevate privileges.

Managing the enable password for Cisco IOS and ASA

In addition to managing user accounts, Safeguard can also manage the password for the Cisco enable command on Cisco IOS and ASA. The enable account appears as a normal user account in Safeguard, except that it is marked as a privileged account. This means that it cannot be used as a service account, and you cannot generate or install an SSH key for it.

The enable password is not automatically managed by Safeguard; it is only managed if an account named enable is created on the asset. Once this account is created, the enable password is removed from the asset connection properties (if configured) and can no longer be configured on the asset connection properties. To stop managing the enable password, remove the enable account from the asset which will restore the enable password to the asset connection information.

Safeguard manages the enable password for the default privilege level 15. Safeguard also provides the option to manage enable passwords for other privilege levels, by creating an account called enable<level> (for example, to manage the password for privilege level 10, create an account called enable10).

Assets view

To access Assets:

  • web client: Navigate to Asset Management > Assets. If needed, you can use the partition drop-down to select the parent partition of the asset. Select an asset, then click to display additional information and options.

The Assets view displays the following information about the selected system. Not all selections will be available for all assets.

  • Properties tab (asset): Displays general, management and connection settings for the selected asset.
  • Owners tab (asset): Displays information about the users and user groups that are owners of the asset (either assigned from this tab or from the ownership derived from a tag associated with this asset). This tab does not list partition owners that are also effective owners of this asset.
  • Accounts tab (asset): Displays the accounts associated with this asset.
  • Account Dependencies tab (asset): Windows only: Displays the directory accounts that the selected Windows server depends on to perform services and tasks.
  • Discovered Services tab (asset): Displays the details of each discovered service associated with the selected asset.
  • Discovered SSH Keys (asset): Displays the SSH keys discovered on the asset.
  • History tab (asset): Displays the details of each operation that has affected the selected asset.
Toolbar

Use these toolbar buttons to manage assets:

  • New Asset: Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset.
  • Delete: Remove the selected asset. When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.For more information, see Deleting an asset..
  • View Details: Select an asset then click this button to open additional information and options for the asset.
  • Access Request: Allows you to enable or disable access request services for the selected asset. Menu options include Enable Session Request and Disable Session Request.
  • SSH Host Key: Menu options include:
    • Discover SSH Host Key: This option only applies to assets that exchange SSH host keys, such as Unix-based assets and Linux-based assets. Retrieves the latest SSH host key for the selected asset. The Discover SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not discovered on the asset, certain tasks will not be available for accounts associated with the asset, such as Check System, Check Password, and Change Password.
    • Retrieve SSH Host Key: This option only applies to Cisco NX-OS assets, and is used to retrieve the latest SSH host key from the platform. The Retrieve SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not retrieved from the asset, sessions will not be available.
    • Set SSH Host Key: This option allows you to manually add the host key to an asset in cases where Safeguard for Privileged Passwords cannot discover the asset automatically (such as for an Other Directory asset).

    • Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key..
  • Test Connection: Select to verify that Safeguard for Privileged Passwords can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity..
  • Syncronize Now: Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.
  • Discover Accounts: Run the associated Account Discovery job. For more information, see Account Discovery..
  • Link Directory Parent: This option is only available for assets that are members of or joined to a directory, but not linked (which may occur if the asset was manually added to Safeguard for Privileged Passwords). Clicking this button will allow you to select the parent to which the asset will be linked.

    If the asset resides in a different partition than the parent directory, the Available for discovery across all partitions option must be enabled.

  • Enable-Disable: Select one of the following:

    Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.

  • Show Disabled: Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
  • Hide Disabled: Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
  • Import: Use this button to add assets to One Identity Safeguard for Privileged Passwords using a CSV file. For more information, see Importing objects.
  • Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
  • Refresh: Update the list of assets.

Properties tab (asset)

The Properties tab lists information about the selected asset.

To access the Properties tab, in the web client, navigate to Asset Management > Assets > View Details > Properties.

Table 91: Properties tab: General properties

Property

Description

Name

The asset name. Assets that are part of a Directory have this automatically synchronized from the Directory.

Description

Description of the selected asset. Assets that are part of a Directory have this automatically synchronized from the Directory.

Table 92: Properties tab: Connection properties

Property

Description

Platform

The platform of the selected managed system.

Version

If applicable, the system version.

Architecture

If applicable, the operating system architecture.

Network Address

If applicable, the network DNS name or IP address of the managed system. Assets that are part of a Directory have this automatically synchronized from the Directory.

Authentication Type

How the console connects with the managed system. For more information, see Connection tab (add asset).

Login with service account name only

If applicable, selecting this option will allow Safeguard for Privileged Passwords to login the asset using only the service account name. The domain will not be used.

Telnet Session Port

If connecting to TN3270 or TN5250, the port for connection.

Manage Forest (directory)

If True, the whole forest is managed.

Forest Root Domain Name (directory)

The forest root domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain.

Managed Domains

If applicable, the managed domains.

Enable Session Request If True, session access requests are enabled for the asset.

Port

The port used for connection. Default is 22.

RDP Session Port If applicable, the access port on the target server used for RDP session access requests.
SSH Session Port If applicable, the access port on the target server used for SSH session access requests.

Telnet Session Port

If connecting to TN3270 or TN5250, the port for connection.

SSH Host Key Fingerprint

The managed system's public host key fingerprint used to authenticate to the asset.

When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures..

Sync additions every [number] minutes

If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the additions or modifications to objects. The date and time of the Last Sync, Last Failure Sync, and Last Success Sync display. The intervals are directory specific.

Sync deletions every [number] minutes

If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the deletion of objects. The date and time of the Last Delete Sync, Last Failure Delete Sync, and Last Success Delete Sync display. The intervals are directory specific.

Table 93: Properties tab: Management properties

Property

Description

Partition

The name of the partition where the selected asset resides.

Password Profile

The name of the profile that manages the asset's accounts.

When a password profile is inherited from the partition this will be indicated by the text (Inherited) next to the name of the password profile. When the password profile is explicitly set, a button will appear that allows you to clear the explicitly set password profile and instead use the password profile that is inherited from the partition.

NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified.

SSH Key Profile

The name of the profile that manages the asset's accounts.

When an SSH key profile is inherited from the partition this will be indicated by the text (Inherited) next to the name of the SSH key profile.

When the SSH key profile is explicitly set, a button will appear that allows you to clear the explicitly set SSH key profile. Once the cleared profile change is applied, the assigned inherited profile will be displayed. If there is no default SSH key profile designated for the partition, the asset will no longer have an SSH key profile assigned. If there is no SSH key profile explicitly set on the asset, the accounts on that asset will no longer have an SSH key profile assigned. Designating a default SSH key profile for the partition will ensure all assets and accounts in that partition have an inherited SSH key profile.

NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified.

Managed Network

The managed network that is assigned for work load balancing. For more information, see Managed Networks..

Available for discovery across all partitions

If True, this asset is read-access available for Asset Discovery jobs beyond partition boundaries.

Enable Session Request

If True, session access requests are enabled for the asset.

Table 94: Properties tab: Account Discovery properties

Property

Description

Account Discovery

Account discovery identifier.

Description

The description of the schedule.

Schedule

The account discovery schedule.

Last Successful Account Discovery

The date and time of the last successful account discovery.

Last Failed Account Discovery

The date and time of the last failed account discovery.

Next Account Discovery

The date and time for the next account discovery.

Last Successful Service Discovery

The date and time of the last successful service discovery.

Last Failed Service Discovery

The date and time of the last failed service discovery.

Next Service Discovery

The date and time for the next service discovery.

Tags: Tag assignments for the selected asset. The information listed in the Tags tab displays both the dynamic tags assigned to the asset through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags using this tab.

Delete: Click this button to delete the selected asset.

Accounts tab (asset)

An asset's Accounts tab displays the accounts associated with this asset.

Click New Account from the details toolbar to associate an account with the selected asset.

To access Accounts:

  • web client: Navigate to Asset Management > Assets > (View Details) > Accounts.
Table 95: Assets: Accounts tab properties
Property Description

Name

Name of an account associated with the selected asset.

While you can associate an account with only one asset, you can log in to an asset with more than one account.

Domain Name

The domain name for the account and helps to determine the uniqueness of accounts.

Password Profile

The name of the profile that manages the account.

SSH Key Profile

The name of the SSH key profile.

Service Account

A check in this column indicates that the account is a service account.

Password Request

A check in this column indicates that password release requests are enabled for the account.

Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account.

Session Request

A check in this column indicates that session access requests are enabled for the account.

Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account.

SSH Key Request

A check in this column indicates that SSH key release requests are enabled for the account.

Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account.

Disabled

A check in this column indicates that the asset is not managed, is disabled, and has no associated accounts.

Password

A check in this column indicates a password is set for the account. For more information, see Checking, changing, or setting an account password..

TOTP Authenticator

A check in this column indicates a TOTP Authenticator is set for the account. For more information, see Setting a TOTP authenticator.

SSH Key

A check in this column indicates an SSH key is set for the account. For more information, see Checking, changing, or setting an SSH key..

API Keys

A check in this column indicates an API key is set for the account. For more information, see For more information, see Checking, changing, or setting an SSH key..

JIT Privilege Group Membership

The name of one or more groups that have been configured to be assigned to the account at the time of checkout, then correspondingly removed from the account at the time of check-in. The assigned group membership acts as just-in-time (JIT) privilege elevation and demotion for the account.

Description

Descriptive information entered when the account was added.

Tags

The tags associated with the account

File request

A check in this column indicates that file release requests are enabled for the account.

File

A check in this column indicates a file is set for the account.

Use these buttons on the details toolbar to manage your asset accounts.

Table 96: Assets: Accounts tab toolbar
Option Description
New Account

Add accounts to the selected asset. For more information, see Adding an account to an asset..

Delete

Remove the selected account from the asset.

View Details

Edit the selected account.

Account Secrets

Menu options include:

  • Check Password
  • Change Password
  • Check SSH Key
  • Change SSH Key
  • Discover SSH Keys
  • Run the SSH Key Discovery job associated with the account. For more information, see SSH Key Discovery..
  • Access Requests

    Select an option to enable or disable access request services for the selected account. Values are derived from whether the platform of the asset indicates it supports any of the following: Password Request, SSH Key Request, Session Request. You can enable or disable Password Request, Session Request, and SSH Key Request, as needed.

    Service Accounts are created when the Asset is created and by default are not enabled for session or password access.

    Discovered Accounts are controlled by the Account Discovery template that is used in discovering the accounts. They are a property of the rule template of the Account Discovery job. For more information, see Adding an Account Discovery rule..

    Enable-Disable

    Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.

    Export

    Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

    Refresh

    Update the list of asset accounts.

    Search

    To locate a specific asset account or set of accounts in this list, enter the character string to be used to search for a match. For more information, see Search box..

    Account Dependencies tab (asset)

    The Account Dependencies tab displays the directory accounts that the selected Windows server depends on to perform services and tasks. The Account Dependencies tab is only applicable for a Windows platform when one or more directories have been added to Safeguard for Privileged Passwords.

    Click  Add Account from the details toolbar above the grid to associate account dependencies with the selected asset. For more information, see Adding account dependencies..

    To access Account Dependencies:

    • web client: Navigate to Asset Management > Assets > (View Details) > Account Dependencies.
    Table 97: Assets: Account Dependencies tab properties
    Property Description

    Name

    Name of a directory account.

    Directory

    The directory in which the account resides.

    Domain Name

    The forest root domain name for the directory.

    Distinguished Name

    The distinguished name for a directory account.

    Description

    Description of the dependent account.

    The toolbar includes the following:

    Table 98: Assets: Account Dependencies tab toolbar
    Option Description

    Add Account

    Add an account dependency to the selected asset.

    Remove Account

    Remove the account dependency from the asset.

    Refresh

    Update the list of account dependencies.

    Search

    To locate a specific account dependency in this list, enter the character string to be used to search for a match. For more information, see Search box..

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating