Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Information tab (asset discovery)

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job).

On the Asset Discovery dialog, Information tab, define the directory or network information for the discovery job.

Table 67: Discovery: Information properties for Directory scans
Property Description
Directory

Select the Directory on which to run the Asset Discovery job.

Table 68: Discovery: Information properties for Network scans
Property Description
Enable OS Detection

This check box is selected by default, indicating that OS fingerprinting is to be used to detect the operation system being used. Clear this check box if you do not want to use the OS fingerprinting process.

IPv4 Range

Enter a range of IPv4 addresses to scan:

  • Starting IP Address
  • Ending IP Address

Click  Add or  Delete to add or remove IPv4 address range sets.

Advanced  
Exclude IP

Safeguard for Privileged Passwords allows you to exclude an IP address within a specified IPv4 range from the scan.

Click  Add to exclude an IP address from the scan.

Click  Delete to remove the corresponding excluded IPv4 address and include that IP address in the scan.

Rules tab (asset discovery)

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job)

Use the Rules tab on the Asset Discovery dialog to govern the discovered assets.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To add a new Asset Discovery rule

  1. On the Rules tab, click  Add.
  2. In the Asset Discovery Rule dialog, enter a Name up to 50 characters.
  3. You must specify at least one condition, the connection, and a profile for each rule:
    1. Under Settings, click Add Condition (asset discovery) to add one or more Group, Constraints, LDAP Filter (for LDAP or Active Directory), or Find All. Once one or more conditions have been added, you can Edit or Delete existing conditions.
    2. A Connection Template is required and defaults to None (no credentials are associated). To change this, select Edit to configure the authentication parameters. For more information, see Edit Connection Template (asset discovery).

    3. For Asset Profile, you can Edit or Delete the profile to govern the discovered assets. The asset profile defaults to the partition default profile and is based on the partition selected on the General tab (asset discovery).

    4. Select Add Account Discovery Job to select a schedule.
    5. For Managed Network, you can Edit or Delete the managed network assigned for workload balancing.
  4. Click OK to save the Asset Discovery rule.

Add Condition (asset discovery)

An Asset Discovery rule can have more than one condition, and each condition can have one or more constraints. When Safeguard for Privileged Passwords runs the discovery job, it finds all assets that meet all of the search conditions.

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Add Condition.

Add Find All condition

  1. In the Condition dialog, in Find By, choose Find All.
  2. If you are setting up an Asset Discovery job for a directory, Browse the Filter Search Location to select a container within the directory to search for assets. Select Include objects from sub containers to include objects from sub containers or clear the check box to exclude child objects from discovery.

  3. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  4. Click OK.

Add Constraints condition

  1. In the Condition dialog, in Find By, choose Constraints.
  2. To change the Filter Search Location, click Browse and select the search location that is the scope of the search. Network Scan Asset Discovery jobs don't support the search bases settings.
  3. (Optional) Select Include objects from sub containers to discover assets in sub-containers.

  4. To apply constraints (search criteria):
    1. Select a property:

      • Name
      • Description
      • Network Address
      • Operating System
      • Operating System Version

      NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.

    2. Select an operation:

      • Equals
      • Not Equals
      • Starts With
      • Ends With
      • Contains
    3. In the text box, type a value of up to 255 characters. The search is case-sensitive and does not allow wild cards.
  5. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.
  6. You can add or delete search constraints:
    1. Click Add to additional constraints to your search criteria.
    2. Click Delete to remove the corresponding constraint from your search criteria.
  7. Click OK to save your selections.

Add LDAP Filter (for LDAP or Active Directory) condition

Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).

  1. In the Condition dialog,
    1. Find By: Choose LDAP Filter and enter the search criteria to be used. 
    2. Filter Search Location: Browse to select a container within the directory to search for assets.

      TIP: Do not select the Directory Root for Asset Discovery jobs.

    3. Include objects from sub containers: Optionally, select this check box to search for assets in sub-containers.
  2. Click Preview to test the conditions you have configured.
  3. Click OK to save your selections.

Add Group for a Directory condition

This condition is only available for a Directory discovery job.

  1. In the Condition dialog:
    1. Find By: Choose Group.
    2. Click Add to launch the Group dialog.
    3. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

    4. Filter Search Location: Browse to select a container to search within the directory.
    5. Include objects from sub containers: Select this check box to include child objects.
    6. Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
  2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  3. Click OK to save your selections.

Edit Connection Template (asset discovery)

You can change how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets. The default Connection Template is None so assets are authenticated manually.

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Connection Template.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To edit connection template information

  1. Navigate to the Asset Discovery Rule dialog, click Edit next to Connection Template.
  2. In the Connection Template dialog, Product defaults to Use Discovered Platform. You can select a different product and may need to completed additional information based on the product selected.
  3. Select an Authentication Type:

    • SSH Key: To authenticate to the asset using an SSH authentication key.

      • Browse to select an SSH Key and provide the service Service Account Name.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
    • Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.

      • Under Service Account Name, click Select Account to choose the directory account. The Service Account Profile for the directory account displays for reference.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
    • Password: To authenticate to the assets using a local service account and password.

      • Enter the Service Account Name and Password.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
    • None: The accounts associated with the asset are not managed and no asset related credentials are stored.
  4. Click Advanced to enter settings if you selected one of these authentication types: SSH Key, Directory Account, or Password. If you selected None, the Advanced settings are not needed and are ignored, if entered.

    • Privilege Elevation Command:

      If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.

    • Port: Enter the port number for the connection.
    • Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.
    • RDP Port: Specify the access port on the target server to be used for RDP session requests.
    • SSH Port: Specify the access port on the target server to be used for SSH session requests.
    • Connection Timeout: The session timeout period.
    • Privilege Level Password: Enter the system enable password to allow access to the configuration.
    • Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).
    • Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL
    • Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset’s certificate in Safeguard for Privileged Passwords's Trusted Certificates store. One Identity does not recommend disabling this option in production environments.

    • Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.
    • Instance: Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
  5. Click OK.
  6. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.
Related Documents