Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Modifying an account group

To modify an account group's information

  1. Navigate to Administrative Tools | Account Groups.
  2. In Account Groups, select an account group from the object list.
  3. Select the view of the account group's information you want to modify (General, Accounts, or Access Request Policies).

    For example:

    • To change the selected account group's name or description, click the General tab then click the  Edit icon. You can also double-click an account group name to open the General settings edit window.
    • To add (or remove) accounts associated with the selected account group, click the Accounts tab. You can multi-select members to add or remove more than one from an account group.
    • To add (or remove) accounts in a dynamic account group, double-click the dynamic account group and change the selections on the Account Rules tab.
    • To add (or remove) the selected account group to the scope of a policy, switch to the Access Request Policies tab. For more information, see Access Request Policies tab (account group).
  4. To view or export the details of each operation that has affected the selected account group, switch to the History tab. To export, select the time frame then click Export.

Related Topics

Adding an account group

Deleting an account group

When you delete an account group, Safeguard for Privileged Passwords does not delete the associated accounts.

To delete an account group

  1. Navigate to Administrative Tools | Account Groups.
  2. In Account Groups, select an account group.
  3. Click Delete Selected.
  4. Confirm your request.

Assets

A Safeguard for Privileged Passwords asset is a computer, server, network device, or application managed by a Safeguard for Privileged Passwords Appliance.

It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords.The Auditor has permission to access Assets.

Before adding assets to Safeguard for Privileged Passwords, you must ensure they are properly configured. For more information, see Preparing systems for management.

Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted.

All assets must be governed by a profile identified on the General tab (asset group). All new assets are automatically governed by the default profile unless otherwise specified.

An asset can only be in one partition at a time identified on the General tab (asset group). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition.

You can identify a default partition and default partition profile so that when you add assets, the assets are added to the default partition and default partition profile. For more information, see Setting a default partition.

Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in Safeguard for Privileged Passwords, see Asset Discovery job workflow.

Assets view

The Assets view displays the following information about the selected system. Not all selections will be available for all assets.

Toolbar

Use these toolbar buttons to manage assets:

  • Add Asset: Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset.
  • Delete Selected: Remove the selected asset. For more information, see Deleting an asset.
  • Important: When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.

  • Refresh: Update the list of assets.
  • Import Assets: Add assets to Safeguard for Privileged Passwords. For more information, see Importing objects.
  • Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key.
  • Access Requests: Allows you to enable or disable access request services for the selected asset. Menu options include Enable Session Request and Disable Session Request.
  • Syncronize Now: Run the directory addition and deletion synchronization process on demand.
  • Show Disabled: Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by right-clicking on an asset and selecting Enable-Disable.
  • Hide Disabled: Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by right-clicking an asset and selecting Enable-Disable.

    Add Asset: Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset.

Asset menu options

Right click on an asset to use these context menu options.

  • Discover SSH Host Key: This option only applies to assets that exchange SSH host keys, such as Unix-based assets and Linux-based assets. Retrieves the latest SSH host key for the selected asset. The Discover SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not discovered on the asset (either via a discovery or import), certain tasks will not be available for accounts associated with the asset, such as Check System, Check Password, and Change Password.
  • Check Connection: Select to verify that Safeguard for Privileged Passwords can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity.
  • Syncronize Now: Run the directory addition and deletion synchronization process on demand. In addition, it runs through the discovery, if there are discovery rules and configurations set up.
  • Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key.
  • Enable-Disable: Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. This option is only available for assets that have been disabled. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.

    Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.

  • Access Requests: Select Enable Session Request to allow session requests for the selected asset. Select Disable Session Request to disallow session requests for the selected asset.
  • Discovery Accounts: Run the associated Account Discovery job. For more information, see Account Discovery.
  • Discover Services: Run the associated Account Discovery job that has Discovery Services selected. For more information, see Adding an Account Discovery job.
  • Delete Selected: Remove the selected asset from Safeguard for Privileged Passwords. When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.

General tab (asset)

The General tab lists information about the selected asset.

Large tiles at the top of the tab display the number of Accounts, Account Dependencies (when applicable), Access Request Policies, and Asset Groups associated with the selected asset. Clicking a tile heading opens the corresponding tab.

Navigate to Administrative Tools | Assets | General. The following fields display based on the type of asset (for example, Windows, Linux, OpenLDAP, or Active Directory).

Table 31: General tab: General properties
Property Description
Name The asset name.

Description

Descriptive text to further identify the asset.

Partition The name of the partition where the selected asset resides.
Profile

The name of the profile that manages the asset's accounts.

NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified.

License Type

If applicable (for example, for a Windows asset), indicates your license model, such as System or Desktop.

Last Successful Account Discovery

If applicable, the date and time of the last successful Account Discovery job.

Next Account Discovery

If applicable, the date and time of the next automated Account Discovery job as set in the Account Discovery job of the partition profile. (For more information, see Creating a partition profile.)

Directory (directory)

The name of the directory where the asset was discovered.

Domain Name (directory)

The name of the domain where the asset was discovered.

NetBios Name (directory)

The NetBios name of the asset that was discovered.

Distinguished Name (directory)

The distinguished name of the asset that was discovered.

The following fields display based on the type of asset (for example, Windows, Linux, OpenLDAP, or Active Directory).

Table 32: General tab: Management properties
Property Description
Product The platform of the selected managed system.
Version If applicable, the system version.
Architecture if applicable, the operating system architecture.
Network Address If applicable, the network DNS name or IP address of the managed system.

Manage Forest (directory)

If True, the whole forest is managed.

Forest Root Domain Name (directory)

The forest root domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain.

Managed Domains

The managed domains.

Available for discovery across all partitions

If True, this asset is read-access available for Asset Discovery jobs beyond partition boundaries.

Managed Network

The managed network that is assigned for work load balancing. For more information, see Managed networks.

Enable Session Request The check box is selected if session access requests are enabled for the asset.
RDP Session Port If applicable, the access port on the target server used for RDP session access requests.
SSH Session Port If applicable, the access port on the target sever used for SSH session access requests.

Telnet Session Port

If connecting to TN3270 or TN5250, the port for connection.

Sync additions every [number] minutes

If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the additions or modifications to objects. The date and time of the last sync, last failed, and last successful sync display. The intervals are directory specific.

Sync deletions every [number] minutes

If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the deletion of objects. The date and time of the last sync, last failed, and last successful sync display. The intervals are directory-specific.

Table 33: General tab: Account Discovery properties
Account Discovery Account discovery identifier
Last Successful Account Discovery The date and time of the last successful account discovery
Last Failed Account Discovery The date and time of the last failed account discovery
Next Account Discovery The date and time for the next account discovery

Table 34: Assets General tab properties: Connection properties
Property Description
Authentication Type How the console connects with the managed system. For more information, see Connection tab (add asset).
Service Account Name The account used by Safeguard for Privileged Passwords to securely manage accounts and passwords on the asset.

Service Account Domain Name

The domain used to manage accounts and passwords on the asset.

Service Account Distinguished Name

The distinguished name of the service account.

Connection Timeout The session timeout period.

Privilege Elevation

Command

Displays the elevation command (such as sudo) if it is populated on the Connection tab.

Port

The port used by SSH to log in to the managed system.

SSH Host Key Fingerprint The fingerprint of the SSH key that Safeguard for Privileged Passwords uses to authenticate to the asset.
SSH Key Comment Human-readable information about the SSH key.
SSH Host Key Fingerprint

The managed system's public host key fingerprint.

When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

CheckSystem (custom platform script)

True if the service account has access to the remote host. See the wiki Writing a custom platform script.

CheckPassword (custom platform script)

True if the given account user and password are valid on the remote host. See the wiki Writing a custom platform script.

ChangePassword (custom platform script)

True if the password for the given user on the remote host. See the wiki Writing a custom platform script.

Table 35: Assets General tab properties: Attributes properties (for example, for directories and LDAP)
Property Description
User Attributes

User attributes include:

Object Class

User Name

Password

Description

Group Attributes

Group attributes include:

Object Class

Name

Member

Computer Attributes

Computer attributes include:

Object Class

Name

Network Address

Operating System

Operating System Version

Description

Tags: Tag assignments for the selected asset. The tiles listed under in the Tags pane display both the dynamic tags assigned to the asset through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags using this pane.

Description: Information about the selected asset.

Related Topics

Assigning an asset to a partition

Assigning a profile to an asset

Modifying an asset

Related Documents