Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11.2 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Access Config tab

Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 90: Access Request Policy: Access Config tab properties

Property

Description

Access Type

This is a read-only field displaying the type of access selected on the General tab:

  • Password
  • SSH
  • RDP
  • Telnet

Include password release with sessions requests

If Access Type is SSH, RDP, or Telnet, select this check box to include a password release with session access requests.

Terminate expired sessions

If Access Type is SSH, RDP, or Telnet, select this check box to terminate sessions that have expired.

Change password after check-in

Select this check box if the password is to be changed after the user checks it back in. For password release requests, this option is selected by default.

Allow simultaneous access

Select this check box to allow multiple users access to the accounts and assets governed by this policy. Use the next check box to identify how many users can have access at once.

Maximum users at one time

When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time.

Asset-Based Session Access

If Access Type is SSH, RDP, or Telnet, select one of the following options to define the type of account credentials to be used to access the asset or account when a session is requested:

  • None (default): The credentials are retrieved from the vault when the session is requested.
  • User Supplied: The requester user must provide the credentials when the session is requested.
  • Linked Account: The requester user's account is linked to an asset account that will be used when the session is requested.

  • Directory Account: Use the Browse button to select one or more directory accounts to be used when the session is requested.

    If the Directory Account was migrated from an SPP version prior to 2.7, the directory account identifier may be blank, because earlier SPP versions understood only one assignment and version 2.7 results in multiple assignments.

Allow password access to linked accounts

If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user’s linked account is governed by the other configurations defined in this policy. For more information, see Linked Accounts tab (user).

Session Settings tab

External sessions module

You select the one cluster or appliance to which the policy applies.

  1. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy), then the Session Settings tab.
  2. If you see a message like No SPS connection policies found., you may have selected a policy with an invalid connection policy. For more information, see Access Request Policies tab.
  3. In SPS Connection Policy, select the cluster or appliance to which the policy applies.
    • The default is safeguard_default.
    • If you are using telnet with SPS, the telnet Connection Policy created in SPS is available.
    • Select Sps Initiate if the access policy is for use by Safeguard for Privileged Sessions (SPS) to create an SPS initiated Access Request.
    • For other policies, the host name and IP address of the cluster master is displayed first followed by the SPS cluster description.

    If a policy is not functional, you will see the Warning icon next to a selection.

    You can view the network segments that can be serviced by specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) Appliances within a clustered environment. For more information, see Managed networks.

Embedded sessions module

If you are using the embedded sessions module for Safeguard for Privileged Passwords, use the Session Settings tab to configure the settings for session access requests (below). The settings on this tab only apply to RDP and SSH (session) access requests.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

 

Table 91: Access Request Policy: Sessions Settings tab properties

Property

Description

Record sessions

For SSH and RDP, this check box is selected by default, indicating that all sessions for the accounts and assets governed by this policy are to be recorded.

Enable Command Detection (SSH)

For SSH session requests, select the Enable Command Detection check box to enable command detection, which means commands that are executed on the target host are detected and logged.

SSH Controls

If SSH is selected as the access type on the General tab, select one or more of the following options to create a session that uses the specified protocol:

  • Allow SFTP (Secure File Transfer)
  • Allow SCP (Secure Copy)
  • Allow X11 Forwarding (Forwards the graphical X-server session from the server to the client.)

NOTE: The data transferred during a session using one of these protocols is currently not available for play back in this initial release of Safeguard.

Enable Windows Title Detection (RDP)

For RDP session requests, select the Enable Windows Title Detection check box to enable windows title detection, which means the titles of all windows opened on the desktop during a privileged session are detected and logged.

You can configure Safeguard for Privileged Passwords to send these actions to a syslog server, in an email message, or via an SNMP trap. For more information, see External Integration settings.

RDP In-Session Controls

If RDP is selected as the access type on the General tab, select the following option if you want to allow the user to transfer data via the clipboard:

  • Allow Clipboard

Selecting this option allows the users to copy a file or text from the client machine and paste it to the remote server. The data copied during a session using this option is currently not available for play back in this initial release of Safeguard.

Time Restrictions tab

Use the Time Restrictions tab to specify time restrictions for the access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 92: Access Request Policy: Time Restriction tab properties
Property Description
Use Time Restrictions

Select this option to specify time restrictions for access requests for accounts and assets governed by this policy.

Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see About time restrictions.

Daily calendar

Select and drag the days and hours you want to allow the policy to be effective.

Reset

Click Reset to remove any time restrictions set in the daily calendar.

Emergency tab

Use the Emergency tab to enable emergency access for the accounts and assets governed by the access request policy.

Table 93: Access Request Policy: Emergency tab properties
Property Description

Enable Emergency Access

Select this check box to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access.

Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset.

Notify When Account is Released with Emergency access | To

(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user.

If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

You can enter email addresses for non-Safeguard for Privileged Passwords users.

To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Important:Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

Ignore Time Restrictions

This check box is selected by default, indicating that Safeguard for Privileged Passwords is to ignore time restrictions when a user requests emergency access. Clear this check box if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period.
Related Documents