Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Managing accounts

Use the controls and tabbed pages on the Accounts page to perform the following tasks to manage Safeguard for Privileged Passwords accounts:

Adding an account

It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords. While an asset can have multiple accounts, you can only associate an account with one asset.

The new account displays on the Accounts list.

Note: Safeguard for Privileged Passwords allows you to set up account discovery jobs that run automatically. For more information, see Account Discovery job workflow.

To add an account

  1. Navigate to Administrative Tools | Accounts.
  2. Click  Add Account from the toolbar.
  3. In the Assets dialog, for Asset Name, select an asset to associate with this account.

  4. In the Account dialog, enter the following information:

    • Name:

      • Local account: Enter the login user name for this account. Limit: 100 characters.
      • Directory Account: Browse to find the account.
    • Description: (Optional) Enter information about this managed account. Limit: 255 characters.

    • Profile: Browse to select a partition profile to govern this account.

      By default an account inherits the partition profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile.

    • Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.

    • Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.

    • (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.

Related Topics

Checking, changing, or setting an account password

Assigning assets or accounts to a partition profile

Account Discovery job workflow

Adding a cloud platform account

Adding a cloud platform account

One Identity Safeguard for Privileged Passwords can manage cloud platform accounts such as Amazon Web Services (AWS), Facebook (deprecated), and Twitter (deprecated).

CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.

Before you add cloud platform accounts to Safeguard for Privileged Passwords, you must first add an asset with which to associate the accounts. For more information, see Prepare Amazon Web Services platforms.

To add a cloud platform to Safeguard for Privileged Passwords

  1. log in to Safeguard for Privileged Passwords and navigate to Administrative Tools.
  2. In Assets, click  Add Asset from the toolbar.
  3. In the General tab:
    1. Name: Enter an asset name that is meaningful to you, such as "Cloud Account Server" which you can use to manage all cloud platform accounts. (You might add separate assets for Facebook accounts and Twitter accounts.)
    2. (Optional) Description: Enter a description for the asset.
    3. Partition: Select the partition you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
    4. Profile: Select the profile you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
  4. In the Management tab:

    1. Product: Select the appropriate product, such as Amazon Web Services.
    2. Version: For Amazon Web Services, select the version.
    3. Network Address: For Amazon Web Services, enter the AWS Account ID or Alias which can be found on the AWS IAM User's view.
  5. For Amazon Web Services, in the Connection tab, select:

    1. Access Key to authenticate to the asset using an access key. Enter the following information:

      • Service Account Name: Enter the configured IAM service account.
      • Access Key ID: Enter the Access Key ID created for the IAM service account.
      • Secret Key: Enter the Secret Key created for the IAM service account.

      -OR-

    2. None to not authenticate to the asset and manually manage the asset.
  6. For Facebook and Twitter, in the Connection tab, select Account Password to authenticate using the current account password.

Once you add the cloud platform asset, you can associate accounts with it.

To add an account to the cloud platform

  1. In Assets, select the cloud platform asset and switch to the Accounts tab.
  2. Click  Add Account from the details toolbar.
  3. In the User Name field, enter the cloud platform account username, email address, or phone number. For example, for a Twitter account, enter the "@User" account name.
  4. In the Password field, enter the account password for the user name you provided.
  5. Click Test Connection to verify that Safeguard for Privileged Passwords can communicate with this cloud platform using the credentials that you have provided.
  6. (Optional) Enter a Description.
  7. Browse to select a profile to govern this account
  8. Ensure the Enable Password Request option is checked and click Add Account.

Now you can manually check, change, or set the cloud platform account password; and, Safeguard for Privileged Passwords can automatically manage the password according to the Check and Change settings in the profile governing the account.

To resolve a Twitter requirement for additional verification

Twitter may prompt for additional verification on the next login if suspicious activity is detected (for example, the login originated from a new device or there were too many failed logins from a device). The additional verification may require entry of the email address associated with the Twitter account or entry of a temporary password sent via email. Safeguard for Privileged Passwords detects the Twitter prompt and displays the login requirement in a status message when the password change fails. The Activity Center Event may display Password Change Failed with the following Checking detail: Additional account verification requested:’RetypeEmail’.

To resolve the request for verification so that Twitter trusts the Safeguard for Privileged Passwords Appliance:

  1. Open a browser on the same network as the Safeguard for Privileged Passwords Appliance.
  2. log in to Twitter as the account.
  3. Enter the additional verification requested.

To checkout the cloud platform account

  1. Add a cloud platform Account Group and add the accounts to the group.
  2. Add an entitlement for the cloud platform accounts.
  3. Add users to the entitlements.
  4. Add a password release policy to the entitlement.
  5. Add the cloud platform Account Group to the scope of the policy.

Manually adding a tag to an account

Asset Administrators can manually add and remove static tags to an account. You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag.

To manually add a tag to an account

  1. Navigate to Administrative Tools | Accounts.
  2. Select an account from the object list (left-pane).
  3. Open the General tab and scroll down to view the Tags pane.
  4. Click next to the Tags title. Existing tags are displayed.
  5. Place your cursor in the edit box and use one method:

    • Enter the name of a tag.
    • Start entering the name of the tag. As you type, existing tags that start with the letters entered appear. Select from the list.
    • To add additional tags, press Enter before entering the next tag.
  6. Click OK. If you do not see the new tag, click the Refresh toolbar button.

  7. To remove a manually assigned tag, click next to the Tags title and click the X inside the tag box to be removed.

Related Documents