Use the controls and tabbed pages on the Accounts page to perform the following tasks to manage Safeguard for Privileged Passwords accounts:
Introduction
System requirements
Desktop client system requirements
Web client system requirements
Web management console system requirements
Supported platforms
Product licensing
Using the virtual appliance and web management console
Using the cloud
Setting up Safeguard for Privileged Passwords for the first time
Step 1: Create the Authorizer Administrator
Step 2: Authorizer Administrator creates administrators
Step 3: Appliance Administrator configures the appliance
Step 4: User Administrator adds users
Step 5: Asset Administrator adds managed systems
Step 6: Security Policy Administrator adds access request policies
Search box
Using the web client
My Requests (web client)
Approvals (web client)
Reviews (web client)
Favorites (web client)
Settings, version, and Windows client (web client)
Change password (web client)
FIDO2 keys (web client)
Log out (web client)
Installing the desktop client
Using the desktop client
Settings (desktop client)
User information and log out
Desktop client favorite request
Desktop client navigation pane
Privileged access requests
Home
Dashboard
Activity Center
Applying search criteria
Saving search criteria
Generating an activity audit log report
Scheduling an activity audit log report
Editing or deleting a saved search or scheduled report
Viewing event details
Auditing request workflow
Filtering report results
Sorting report results
Reports
Administrative Tools
Configuring alerts
Password release request workflow
Toolbox
Accounts
Requesting a password release
Approving a password release request
Reviewing a completed password release request
Session request workflow
General tab (account)
Access Request Policies tab (account)
Account Groups tab (account)
Dependent Assets (account)
Check and Change Log tab (account)
History tab (account)
Managing accounts
Account Groups
General tab (account group)
Accounts tab (account group)
Access Request Policies tab (account group)
History tab (account group)
Managing account groups
Assets
Adding an account group
Adding a dynamic account group
General tab (add dynamic account group)
Account Rules tab (add dynamic account group)
Summary tab (add dynamic account group)
Adding one or more accounts to an account group
Adding accounts to an access request policy
Modifying an account group
Deleting an account group
General tab (asset)
Accounts tab (asset)
Account Dependencies tab (asset)
Access Request Policies tab (asset)
Asset Groups tab (asset)
Discovered Services tab (asset)
History tab (asset)
Managing assets
Asset Groups
Adding an asset
General tab (add asset)
Management tab (add asset)
Account Discovery tab (add asset)
Connection tab (add asset)
Checking an asset's connectivity
Assigning an asset to a partition
Assigning a profile to an asset
Manually adding a tag to an asset
Adding an account to an asset
Adding account dependencies
Adding an asset to asset groups
Modifying an asset
Deleting an asset
Importing objects
Downloading a public SSH key
About service accounts
About Test Connection
SSH Key
Directory Account
Local System Account
Password (local service account)
Access Key
None
Attributes tab (add asset)
General tab (asset group)
Assets tab (asset group)
Access Request Policies tab (asset group)
History tab (asset group)
Managing asset groups
Discovery
Asset Discovery
Entitlements
Asset Discovery job workflow
Adding an Asset Discovery job
Asset Discovery Results
Account Discovery
General tab (asset discovery)
Information tab (asset discovery)
Rules tab (asset discovery)
Editing an Asset Discovery job
Deleting an Asset Discovery job
Add Condition (asset discovery)
Edit Connection Template (asset discovery)
Add Asset Profile (asset discovery)
Schedule tab (asset discovery)
Summary tab (asset discovery)
Account Discovery job workflow
Adding an Account Discovery job
Editing an Account Discovery job
Deleting an Account Discovery job
Account Discovery Results
Discovered Accounts
Service Discovery Results
Discovered Services
General tab
Users tab
Access Request Policies tab
History tab
Managing entitlements
Partitions
Adding an entitlement
Creating an access request policy
General tab
Scope tab
Requester tab
Approver tab
Reviewer tab
Access Config tab
Session Settings tab
Time Restrictions tab
Emergency tab
Adding users or user groups to an entitlement
Deleting an access request policy
Modifying an access request policy
Copying an access request policy
Viewing and editing policy details
Modifying an entitlement
Deleting an entitlement
About partition profiles
General tab (partitions)
Assets tab (partitions)
Accounts tab (partitions)
Profiles tab (partitions)
Partitions-SSHKeyProfilesTab
History tab (partitions)
Managing partitions
Settings
Access Request settings
Appliance settings
Users
Appliance Diagnostics
Appliance Information
Enable or Disable Services
Factory Reset from the desktop client
Licensing
Lights Out Management (BMC)
Networking
Operating system licensing
Support Bundle
Time
Updates
Asset Management settings
Backup and Retention settings
Certificate settings
About certificates
Audit Log Signing Certificate
Certificate Signing Request
Sessions Certificates
Cluster settings
External Integration settings
Installing a sessions certificate
Creating a Certificate Signing Request for Sessions
Resetting to use default certificate
SSL Certificates
Installing an SSL certificate
Creating a Certificate Signing Request (CSR)
Assigning a certificate to appliances
Trusted Certificates
Application to Application
Messaging settings
Profile settings
Safeguard Access settings
Sessions settings
About Application to Application functionality
Setting up Application to Application
Adding an application registration
Deleting an application registration
Regenerating an API key
Making a request using the Application to Application service
Approval Anywhere
Email
Identity and Authentication
SNMP
Starling
Syslog
Ticketing system
General tab (user)
User Groups tab (user)
Partitions tab (user)
Entitlements tab (user)
Linked Accounts tab (user)
History (user)
Managing users
User Groups
Adding a user
Identity tab (add user)
Authentication tab (add user)
Location tab (add user)
Permissions tab (add user)
Requiring secondary authentication log in
Adding a user to user groups
Assigning a user to partitions
Adding a user to entitlements
Linking a directory account to a user
Modifying a user
Enabling or disabling a user
Deleting a user
Importing objects
Setting a local user's password
Unlocking a user's account
General tab (user groups)
Users tab (user groups)
Entitlements tab (user groups)
History tab (user groups)
Managing user groups
Disaster recovery and clusters
Enrolling replicas into a cluster
Unjoining replicas from a cluster
Maintaining and diagnosing cluster members
Administrator permissions
About Offline Workflow Mode
Failing over to a replica by promoting it to be the new primary
Activating a read-only appliance
Diagnosing a cluster member
Patching cluster members
Using a backup to restore a clustered appliance
Resetting a cluster that has lost consensus
Performing a factory reset
Unlocking a locked cluster
Troubleshooting tips
Appliance Administrator permissions
Asset Administrator permissions
Auditor permissions
Authorizer Administrator permissions
Help Desk Administrator permissions
Operations Administrator permissions
Security Policy Administrator permissions
User Administrator permissions
Preparing systems for management
Preparing ACF - Mainframe systems
Preparing Amazon Web Services platforms
Preparing Cisco devices
Preparing Dell iDRAC devices
Preparing VMware ESXi hosts
Preparing Facebook hosts
Preparing Fortinet FortiOS devices
Preparing F5 Big-IP devices
Preparing HP iLO servers
Preparing HP iLO MP (Management Processors)
Preparing IBM i (AS/400) systems
Preparing JunOS Juniper Networks systems
Preparing MongoDB
Preparing MySQL servers
Preparing Oracle databases
Preparing PAN-OS (Palo Alto) networks
Preparing PostgreSQL
Preparing RACF mainframe systems
Preparing SAP HANA
Preparing SAP Netweaver Application Servers
Preparing Sybase (Adaptive Server Enterprise) servers
Preparing SonicOS devices
Preparing SonicWALL SMA or CMS appliances
Preparing SQL Servers
Preparing Top Secret mainframe systems
Preparing Unix-based systems
Preparing Windows systems
Preparing Windows SSH systems
Troubleshooting
Anti-CSRF (cross-site request forgery) token error
Connectivity failures
Frequently asked questions
Change password fails
Incorrect authentication credentials
Missing or incorrect SSH host key
No cipher supported error
Service account has insufficient privileges
Cannot connect to remote machine through SSH or RDP
Cannot delete account
Cannot play session message
Domain user denied access to Safeguard for Privileged Passwords
LCD status messages
My Mac keychain password was lost
Password fails for Unix host
Password is pending a reset
Profile did not run
Recovery Kiosk (Serial Kiosk)
Appliance information (Recovery Kiosk)
Power options
Admin password reset
Factory reset from the Recovery Kiosk
Support bundle
Replica not adding
System services did not update or restart after password change
Test Connection failures
Test Connection failures on archive server
Certificate issue
Cipher support
Domain controller issue
Networking issue
Windows WMI connection failure
Timeout errors causing operations to fail
User locked out
User not notified
How do I access the API
How do I audit transaction activity
How do I configure external federation authentication
Appendix A: Safeguard ports
Appendix B: SPP 2.7 or later migration guidance
Appendix C: SPP and SPS join guidance
Appendix D: Regular Expressions
Appendix E: Historical changes by release
How do I add an external federation provider trust
How do I create a relying party trust for the STS
How do I add an external federation user account
How do I manage accounts on unsupported platforms
How do I modify the appliance configuration settings
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
How do I set up telnet and TN3270/TN5250 session access requests
How do I set the appliance system time
How do Safeguard for Privileged Passwords database servers use SSL
Verifying syslog server configuration
What are the access request states
What do I do when an appliance goes into quarantine
What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module
When does the rules engine run for dynamic grouping and tagging
Why did the password change during an open request
What's new in version 2.1.0.5687
What's new in version 2.2.0.6958
What's new in version 2.3.0.7426
What's new in version 2.4.0.7846
What's new in version 2.5.0.8356
What's new in version 2.6.0.8961
What's new in version 2.7.0.9662
What's new in version 2.8.0.10133
What's new in version 2.9.0.10658
What's new in version 2.10.0.10980
Glossary
Managing accounts
Adding an account
It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords. While an asset can have multiple accounts, you can only associate an account with one asset.
The new account displays on the Accounts list.
Note: Safeguard for Privileged Passwords allows you to set up account discovery jobs that run automatically. For more information, see Account Discovery job workflow.
- Navigate to Administrative Tools | Accounts.
- Click
Add Account from the toolbar.
-
In the Assets dialog, for Asset Name, select an asset to associate with this account.
-
In the Account dialog, enter the following information:
-
Name:
- Local account: Enter the login user name for this account. Limit: 100 characters.
- Directory Account: Browse to find the account.
-
Description: (Optional) Enter information about this managed account. Limit: 255 characters.
-
Profile: Browse to select a partition profile to govern this account.
By default an account inherits the partition profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile.
-
Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
-
Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.
-
(For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
-
Adding a cloud platform account
One Identity Safeguard for Privileged Passwords can manage cloud platform accounts such as Amazon Web Services (AWS), Facebook (deprecated), and Twitter (deprecated).
|
|
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release. |
Before you add cloud platform accounts to Safeguard for Privileged Passwords, you must first add an asset with which to associate the accounts. For more information, see Prepare Amazon Web Services platforms.
To add a cloud platform to Safeguard for Privileged Passwords
- log in to Safeguard for Privileged Passwords and navigate to Administrative Tools.
- In Assets, click
- In the General tab:
- Name: Enter an asset name that is meaningful to you, such as "Cloud Account Server" which you can use to manage all cloud platform accounts. (You might add separate assets for Facebook accounts and Twitter accounts.)
- (Optional) Description: Enter a description for the asset.
- Partition: Select the partition you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
- Profile: Select the profile you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
-
In the Management tab:
- Product: Select the appropriate product, such as Amazon Web Services.
- Version: For Amazon Web Services, select the version.
- Network Address: For Amazon Web Services, enter the AWS Account ID or Alias which can be found on the AWS IAM User's view.
-
For Amazon Web Services, in the Connection tab, select:
-
Access Key to authenticate to the asset using an access key. Enter the following information:
- Service Account Name: Enter the configured IAM service account.
- Access Key ID: Enter the Access Key ID created for the IAM service account.
- Secret Key: Enter the Secret Key created for the IAM service account.
-OR-
- None to not authenticate to the asset and manually manage the asset.
-
- For Facebook and Twitter, in the Connection tab, select Account Password to authenticate using the current account password.
Once you add the cloud platform asset, you can associate accounts with it.
To add an account to the cloud platform
- In Assets, select the cloud platform asset and switch to the Accounts tab.
- Click
- In the User Name field, enter the cloud platform account username, email address, or phone number. For example, for a Twitter account, enter the "@User" account name.
- In the Password field, enter the account password for the user name you provided.
- Click Test Connection to verify that Safeguard for Privileged Passwords can communicate with this cloud platform using the credentials that you have provided.
- (Optional) Enter a Description.
- Browse to select a profile to govern this account
- Ensure the Enable Password Request option is checked and click Add Account.
Now you can manually check, change, or set the cloud platform account password; and, Safeguard for Privileged Passwords can automatically manage the password according to the Check and Change settings in the profile governing the account.
To resolve a Twitter requirement for additional verification
Twitter may prompt for additional verification on the next login if suspicious activity is detected (for example, the login originated from a new device or there were too many failed logins from a device). The additional verification may require entry of the email address associated with the Twitter account or entry of a temporary password sent via email. Safeguard for Privileged Passwords detects the Twitter prompt and displays the login requirement in a status message when the password change fails. The Activity Center Event may display Password Change Failed with the following Checking detail: Additional account verification requested:’RetypeEmail’.
To resolve the request for verification so that Twitter trusts the Safeguard for Privileged Passwords Appliance:
- Open a browser on the same network as the Safeguard for Privileged Passwords Appliance.
- log in to Twitter as the account.
- Enter the additional verification requested.
To checkout the cloud platform account
- Add a cloud platform Account Group and add the accounts to the group.
- Add an entitlement for the cloud platform accounts.
- Add users to the entitlements.
- Add a password release policy to the entitlement.
- Add the cloud platform Account Group to the scope of the policy.
Manually adding a tag to an account
Asset Administrators can manually add and remove static tags to an account. You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag.
To manually add a tag to an account
- Navigate to Administrative Tools | Accounts.
- Select an account from the object list (left-pane).
- Open the General tab and scroll down to view the Tags pane.
- Click
next to the Tags title. Existing tags are displayed.
-
Place your cursor in the edit box and use one method:
- Enter the name of a tag.
- Start entering the name of the tag. As you type, existing tags that start with the letters entered appear. Select from the list.
- To add additional tags, press Enter before entering the next tag.
-
Click OK. If you do not see the new tag, click the
Refresh toolbar button.
-
To remove a manually assigned tag, click
next to the Tags title and click the X inside the tag box to be removed.