One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
Access requests proceed regardless of the review state of an earlier request (TFS 805354/DevOps 191598)
Policy Administrators can choose to allow subsequent access requests to proceed even if the required review on a previous access request is incomplete. This prevents blocking a new session request when the prior request requires a review and the review is not done. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy) | Reviewer tab. For more information, see Reviewer tab.
Audit history for passwords and sessions (TFS 797263/DevOps 191549)
In preparation for a future release of Safeguard for Privileged Sessions, a toggle has been added to allow the Safeguard for Privileged Passwords Appliance Administrator to push audit data to SPS. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services. For more information, see Enable or Disable Services .
Azure to run in the cloud (191524)
Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace.
Generic ticket system without ticket system validation (TFS 794519/Dev Ops 191534)
Policy Administrators can require requesters to reference a ticket number in their password or session access request. Tickets do not have to be validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request and serves as a reference visible in the Activity Center. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems. In Type, select Other. For more information, see Ticketing systems.
Support dynamic grouping for assets based on Active Directory groups (TFS 806225/ DevOps 191499)
Implementers can create tags / asset groups based on any Active Directory group of which the asset is a member unrelated to discovery.
For account or asset groups, use the rule editor controls on:
- Account Rules tab of the Dynamic Account Group dialog
- Asset Rules tab of the Dynamic Asset Group dialog
To add a dynamic tag for an asset or asset account, use the New button on the Tags pane in the Settings | Asset Management settings page.
Web client (TFS 795288/DevOps 200361)
The Safeguard for Privileged Passwords web client provides a web-based user interface that can be used instead of the desktop client for the request workflow and some administration functions.
Requesters use the web client to:
- Search for and request password access, session access, or both.
- Concurrently request access to multiple passwords and sessions.
- Create and use a favorite to quickly access the common access requests.
Reviewers use the web client to review requests.
Approvers use the web client to:
- See the access requests awaiting approval.
- See which access requests require immediate attention.
- View the details of each access request.
- Approve or deny an access request.
- Select multiple access requests to approve or deny at the same time.
- Return to an approved, active access request and revoke the request.
Administrators can also use the web client to:
- Configure time, network, and license.
- Shutdown or reboot the appliance
For more information, see Using the web client.
Windows SSH platform (TFS 792427/DevOps 191511)
Safeguard for Privileged Passwords can utilize SSH to connect to the target Windows asset and run commands to manage standard platform tasks. Using SSH only requires opening a single well known SSH port. OpenSSH is the recommended connectivity tool; however, other SSH servers may also work. Windows SSH assets support both SSH password and SSH session access requests. From Administrative Tools | Assets | Management tab, you can select the Product as Windows SSH and the Version.
When configuring the SSH service on the asset, it is recommended to use automatic (versus manual) startup. You can also set the default shell to PowerShell. You can control this by going to HKLM\SOFTWARE\OpenSSH and creating a new string value called "DefaultShell and setting it to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
The One Identity Safeguard for Privileged Passwords 2000 Appliance specifications and power requirements are as follows.
Table 3: Safeguard 2000 Appliance: Feature specifications
||Intel Xeon E3-1275v5 3.60 GHz|
|# of Processors
|# of Cores per Processor
||4 x 256KB L2, 8MB L3 SmartCache|
||Intel C236 Chipset|
||DDR4-2400 ECC Unbuffered DIMMs|
|Internal HD Controller
||LSI MegaRAID SAS 9391-4i 12Gbps SAS3|
||4 x Seagate EC2.5 1TB SAS 512e|
||TPM 2.0, EEC Memory, Redundant PSU|
||x16 PCIe 3.0, x8 PCIe 3.0|
||3 x Intel i210-AT GbE|
||Redundant, 700W, Auto Ranging (100v~240V), ACPI compatible|
||4 x 40mm Counter-rotating, Non-hot-swappable|
43 x 437.0 x 597.0 (mm)
1.7 x 17.2 x 23.5 (in)
||Max: 46 lbs (20.9 Kg)|
||FIPS Compliant Chassis|
Table 4: Safeguard 2000 Appliance: Power requirements
|Power Consumption (Watts)
One Identity Safeguard for Privileged Passwords has several graphical user interfaces that allow you to manage access requests, approvals, and reviews for your managed accounts and systems:
- The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
- The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well.
- The web management console displays whenever you connect to the virtual appliance and is used for first time configuration.
When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.
Ensure that your system meets the minimum hardware and software requirements for these clients.
If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.
It is recommended that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there are any further questions, please check with your Network Administration team.
The desktop client is a native Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package that you can download from the appliance web client portal. You do not need administrator privileges to install One Identity Safeguard for Privileged Passwords.
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
- Any reference to putty in the PATH environment variable
- c:/Program Files/Putty
- c:/Program Files(x86)/Putty
If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:
If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Table 5: Desktop client requirements
Microsoft .NET Framework 4.6 (or later)
64-bit editions of:
- Windows 7
- Windows 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
If the appliance setting, TLS 1.2 Only is enabled, (Administrative Tools | Settings | Appliance | Appliance Information), ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.
- Internet Explorer security must be set to use TLS 1.0 or higher. Ensure the proper "Use TLS" setting is enabled on the Advanced tab of the Internet Options dialog (In Internet Explorer, go to Tools | Internet Options | Advanced tab).
- To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.
See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide.