One Identity Safeguard for Privileged Passwords 2.11.2 - Administration Guide

Adding an Account Discovery rule

Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.

You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or on whether the account is in an organizational unit (OU) in Active Directory.

Note: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.

For Windows and Directory, the search term only has to be contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.

All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.
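The note above describes three matching rules: exact (whole-name) matching on Unix, substring matching on Windows and Directory, and case-sensitive terms everywhere. The following added example (not code from the guide or from the Safeguard product) emulates those stated rules with Python's `re` module over a constructed list of account names, so you can check what a term would pull in before you preview it in the product. It also generalizes the guide's `[Aa][Dd][Mm]` trick into a helper that builds the same bracket form for any literal; the platform names and sample names are assumptions for the example, and the real discovery engine may differ in details the page does not state.

```python
import re
from typing import List

# Constructed sample account names for the example; not from any real directory.
SAMPLE_NAMES = ["ADM", "AADMM", "1ADM2", "adm_backup", "Admin", "svc_web"]


def matches(platform: str, term: str, name: str) -> bool:
    """Apply the search-term semantics the guide states for Account Discovery.

    Unix: the term must match the whole name (exact match), so a partial
    match needs '.*' on both sides of the term.
    Windows / Directory: the term only has to be contained in the name.
    Both modes are case sensitive, as the guide states.
    """
    if platform == "Unix":
        return re.fullmatch(term, name) is not None
    if platform in ("Windows", "Directory"):
        return re.search(term, name) is not None
    raise ValueError(f"unknown platform {platform!r}")


def discover(platform: str, term: str, names: List[str] = SAMPLE_NAMES) -> List[str]:
    """Return the sample names a rule with this term would discover."""
    return [n for n in names if matches(platform, term, n)]


def case_insensitive_pattern(literal: str) -> str:
    """Build the bracket-expression form the guide shows ('[Aa][Dd][Mm]' for
    'adm') for any literal; non-letters are regex-escaped so they match
    literally."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


if __name__ == "__main__":
    print("Unix  ADM        ->", discover("Unix", "ADM"))
    print("Unix  .*ADM.*    ->", discover("Unix", ".*ADM.*"))
    print("Windows ADM      ->", discover("Windows", "ADM"))
    print("Unix  [Aa][Dd][Mm].* ->", discover("Unix", case_insensitive_pattern("adm") + ".*"))
```

On the substring platforms a term matches anywhere in the name, so a pattern meant to mean "starts with" will also pick up names where the letters appear later; run the emulation with the exact term you plan to enter and compare it against the product's Preview before enabling Automatically Manage Found Accounts.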

To add an Account Discovery rule

  1. On the Account Discovery dialog, click Add Discovery Rule to open the Account Discovery Rule dialog.
  2. Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
  3. Find By: Select one of the types of search below.
    If the Discovery Type on the previous Account Discovery dialog is Windows or Unix, you can search by Property Constraint or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
      • Name: Select this option to search by account name.
        • For a regular search (not directory), in Contains enter the characters to search.
        • If you are searching a directory:
          • Select Start With or Contains and enter the characters used to search subset within the forest.
            When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • Select Include objects from sub containers to include sub containers in the search.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Group: Select this option to search by group name.
        • Click Add to launch the Group dialog.
        • Starts with or Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

        • Filter Search Location. Click Browse to select a container to search within the directory.
        • Include objects from sub containers: Select this check box to include child objects.
        • Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
        • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
      • Property Constraint: Select this option to search for accounts based on an account's property. Available Unix properties are GID, UID, Name, and Group. Available Windows and Directory properties are RID, GID, UID, Name, and Group. All are limited to 255 numeric characters.

        IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.

        • Selections:

          • RID (ranges): RID property only applies to Windows and Microsoft Active Directory. Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1000 and press Enter. Then type in 5000-7000 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.
          • GID (ranges): Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 8 and press Enter. Type in 10-12 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.

          • UID (ranges): Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1 and press Enter. Then type in 5-7 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.

          • Name (ranges): Using Name (ranges) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name. To use, enter a single regular expression pattern. For more information, see Regular expressions.

          • Group (ranges): Using Group (ranges) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name. To use, enter a single regular expression pattern. For more information, see Regular expressions.

        • If you are searching a directory:
          • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
          • To include sub containers in your search, select Include objects from sub containers.
          • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
    • LDAP Filter: Select this option to search for accounts using an LDAP query. Type an LDAP query into the field.
    • Find All: This option is selected by default and will find all accounts based on the rules.
      • If you are searching a directory:
        • Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
        • To include sub containers in your search, select Include objects from sub containers.
        • Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
  4. Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password then enter the password.
  5. Assign to Sync Group: Click Browse to select a password sync group to control password validation and reset across all associated accounts. For more information, see Password sync groups.
  6. Assign to Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a profile to identify the configuration settings for the discovered accounts. For more information, see About partition profiles.
  7. Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
  8. Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.
  9. (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
  10. Click OK. The Accounts Discovery dialog displays a list of the rules for this Account Discovery job.
  11. Click OK to save the Account Discovery job.
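The RID, GID and UID (ranges) fields in step 3 accept one element at a time, either a single number or an N-M range, and reject spaces and commas. The following added example (not code from the guide or from the Safeguard product) parses a list of such elements with those rules, applies the resulting ranges to a constructed set of accounts the way a Property Constraint would, and exposes a validity check so a rule can be sanity-checked before it is entered. The account records and the 255-character limit check are assumptions made for the example; only the input format is taken from the page.

```python
import re
from typing import Dict, List, Sequence, Tuple

# One element as typed into a RID/GID/UID (ranges) field: "1000" or "5000-7000".
_ELEMENT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")
# The guide states the fields are limited to 255 numeric characters.
_MAX_LEN = 255


def parse_id_element(text: str) -> Tuple[int, int]:
    """Parse one element into an inclusive (low, high) range.

    Raises ValueError for anything other than N or N-M: spaces and commas
    are not allowed, so "1000, 5000" or "5000 - 7000" are rejected.
    """
    if len(text) > _MAX_LEN:
        raise ValueError(f"element longer than {_MAX_LEN} characters")
    m = _ELEMENT_RE.match(text)
    if not m:
        raise ValueError(
            f"invalid element {text!r}: enter N or N-M with no spaces or commas"
        )
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if high < low:
        raise ValueError(f"range {text!r} runs backwards")
    return low, high


def is_valid_id_element(text: str) -> bool:
    """True if the element would be accepted, False otherwise."""
    try:
        parse_id_element(text)
        return True
    except ValueError:
        return False


def parse_id_list(elements: Sequence[str]) -> List[Tuple[int, int]]:
    """Parse every element entered separately, as the guide describes."""
    return [parse_id_element(e) for e in elements]


def in_ranges(value: int, ranges: Sequence[Tuple[int, int]]) -> bool:
    return any(low <= value <= high for low, high in ranges)


# Constructed sample accounts for the example; not from any real system.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"name": "root", "uid": 0, "gid": 0},
    {"name": "app", "uid": 1000, "gid": 1000},
    {"name": "svc_db", "uid": 5500, "gid": 10},
    {"name": "svc_web", "uid": 6001, "gid": 12},
    {"name": "guest", "uid": 9000, "gid": 100},
]


def apply_constraint(accounts: Sequence[Dict[str, object]], prop: str,
                     elements: Sequence[str]) -> List[str]:
    """Return the names of accounts whose `prop` (uid or gid here) falls in
    any of the entered ranges, i.e. what a Property Constraint would find."""
    ranges = parse_id_list(elements)
    return [str(a["name"]) for a in accounts if in_ranges(int(a[prop]), ranges)]


if __name__ == "__main__":
    # The guide's own examples: 1000 then 5000-7000 for UID, 8 then 10-12 for GID.
    print("UID 1000, 5000-7000 ->", apply_constraint(SAMPLE_ACCOUNTS, "uid", ["1000", "5000-7000"]))
    print("GID 8, 10-12        ->", apply_constraint(SAMPLE_ACCOUNTS, "gid", ["8", "10-12"]))
    print("'1000, 5000' valid? ->", is_valid_id_element("1000, 5000"))
```

Keeping the ranges narrow matters more than it first appears: a broad UID range combined with Automatically Manage Found Accounts brings every matching account under management, so check the resulting list against the Preview output before saving the job.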

Editing an Account Discovery job

Changing the assets associated with an Account Discovery job

To change the assets associated with an Account Discovery job, perform one of the following:

  • From Account Discovery:
    1. Go to Administrative Tools | Discovery | Account Discovery.
    2. Select the Account Discovery job.
    3. Click Occurrences.
    4. Add the asset to the job.
  • From Assets:
    1. Go to Administrative Tools | Assets.
    2. Click the asset.
    3. On the General tab, go to Account Discovery and click Edit.
    4. In the Description drop-down, select the Account Discovery job. For more information, see Account Discovery tab (add asset).
  • From Partitions:
    1. Go to Administrative Tools | Partitions.
    2. Select the partition.
    3. Click the Assets tab.
    4. From the list of assets in the partition, double-click the asset.
    5. Scroll to Account Discovery and click Edit.
    6. In the Description drop-down, select the Account Discovery job. For more information, see Account Discovery tab (add asset).

Changing the settings for an Account Discovery job

You can change the settings for an Account Discovery job.

  1. Navigate to Administrative Tools | Discovery.
  2. Click the Account Discovery tile.
  3. Select an Account Discovery job.
  4. Click Edit to update the selected Account Discovery job. For more information, see Adding an Account Discovery job.
  5. Make the updates.
  6. Click OK.

Deleting an Account Discovery job

You can delete an Account Discovery job.

  1. Navigate to Administrative Tools | Discovery.
  2. Click the Account Discovery tile.
  3. Click Delete to delete the selected Account Discovery job.
  4. Click OK.

Account Discovery Results

You can view the results of running one or more Account Discovery jobs. To see the discovered accounts themselves, see Discovered Accounts.

  1. Navigate to Administrative Tools | Discovery and click the Account Discovery Results tile.
  2. On the Account Discovery Results grid:
    • Click Refresh to refresh the results.
    • Select the time frame of the completed jobs you want to display, which ranges from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
  3. Click Search and enter the character string to be used to search for a match. For more information, see Search box.
  4. The following information displays for each job:
    • User: The user who ran the job, or Automated System if the job ran on an automated schedule.

    • Date: The most recent date the Account Discovery job successfully ran.
    • Asset: The asset which is associated with the Account Discovery job.
    • Event: The outcome of running the Account Discovery job event, which may be Account Discovery Succeeded, Account Discovery Failed, or Account Discovery Started.
    • Partition: The partition in which the discovered accounts will be managed.
    • Profile: The partition profile which will govern the discovered accounts.
    • Account Discovery Job: Name of the discovery schedule.
    • Appliance: The name of the Safeguard for Privileged Passwords Appliance.
    • # Accounts Found: The number of accounts found during the discovery job.
  5. For additional detail on an Account Discovery job result, double-click the result row to view the Account Discovery Results pop-up window. On this window, click # of Accounts Found to see a list of the accounts.