
One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide


Creating a custom platform script

A custom platform script identifies the platform's commands and associated details. Scripts are written in JSON. Scripts include metadata, parameters, function blocks, operations, and if/then constructs to authenticate to the platform and perform password validation and reset. The custom platform script is uploaded when adding the custom platform.

You can create an asset and accept default values in the associated custom script. If you later upload a new version of the custom platform script with different defaults, the asset defaults are not changed.

Sample scripts

Sample custom platform scripts and command details are available from the following links on GitHub:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks that each value matches the type of its property, which can be string, boolean, integer, or password (called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

During development, check your JSON using a validator.
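A pre-upload check you can run alongside a JSON validator, as an added Python example that is not part of the guide or the product: it rejects input that is not a JSON object (the condition behind the "Definition was not a valid json object" error) and checks parameter defaults against the string, boolean, integer and secret types the caution above mentions. The parameter layout (a top-level "Parameters" list with "Name", "Type" and "DefaultValue") and the sample script are assumptions, not the product's real schema.

```python
import json

# Property types the guide says Safeguard checks on upload; a password property
# is called "secret" in the API scripts. bool is excluded from integer because
# Python treats True/False as ints.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "secret": lambda v: isinstance(v, str),
}

def validate_platform_script(text):
    """Return a list of problems in a custom platform script (empty list = passes).
    Assumption, not the product's real schema: parameters live in a top-level
    "Parameters" list, each with "Name", "Type" and an optional "DefaultValue"."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} (line {e.lineno})"]
    if not isinstance(doc, dict):
        return ["Definition was not a valid json object"]
    problems = []
    for p in doc.get("Parameters", []):
        name, ptype = p.get("Name", "<unnamed>"), p.get("Type")
        if ptype not in TYPE_CHECKS:
            problems.append(f"{name}: unknown type {ptype!r}")
        elif "DefaultValue" in p and not TYPE_CHECKS[ptype](p["DefaultValue"]):
            problems.append(f"{name}: default {p['DefaultValue']!r} is not a {ptype}")
        elif ptype == "secret" and "DefaultValue" in p:
            # Extra check beyond what the guide describes: a secret default would
            # sit in the uploaded script file in clear text.
            problems.append(f"{name}: secret parameters should not carry a default")
    return problems

# Constructed sample: one well-typed parameter, one with a wrongly typed default,
# and one secret that carries a default.
SAMPLE = json.dumps({
    "Name": "ExampleDevice", "Version": "1.0",
    "Parameters": [
        {"Name": "Port", "Type": "integer", "DefaultValue": 22},
        {"Name": "UseTls", "Type": "boolean", "DefaultValue": "yes"},
        {"Name": "AdminPassword", "Type": "secret", "DefaultValue": "changeme"},
    ],
})

if __name__ == "__main__":
    for line in validate_platform_script(SAMPLE) or ["OK"]:
        print(line)
```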

Adding a custom platform

It is the responsibility of the Asset Administrator to configure the rules so Safeguard for Privileged Passwords handles custom platforms. The custom platform script must be available for uploading. For more information, see Creating a custom platform script.

To add a custom platform

  1. Have the custom platform script file available to upload.
  2. Navigate to Administrative Tools | Settings | Asset Management | Custom Platforms.
  3. Click Add.
  4. These fields display:
    1. Name: Enter the unique name of the platform type, which may be a product name.
    2. Version: Enter the version of the target platform to use as an identifier.
    3. Architecture: Enter the CPU architecture to use as an identifier. If not applicable, use Any.
    4. Platform Script: Click Browse. Navigate to and select the script file. Click Open. The selected custom platform script file displays.

    5. Select the Allow Sessions Requests check box to allow session access requests. This check box is typically selected for SSH. Clear the Allow Sessions Requests check box to prohibit session access requests.
  5. Click OK. If the custom platform script has errors, an error message like the following displays: Definition was not a valid json object.

Tags

Asset Administrators can define rules that will dynamically add tags to assets and asset accounts so that they can be easily identified and added to dynamic groups. Use the Administrative Tools | Settings | Asset Management | Tags pane to create and manage dynamic tags for assets and asset accounts.

In addition, Asset Administrators can manually add static tags to assets and accounts on the General tab of the Assets or Accounts view. For more information, see Manually adding a tag to an asset and Manually adding a tag to an account.

The Tags pane provides a centralized view of all the tags defined for assets and asset accounts, regardless of how they were assigned. It displays the following details.

Table 116: Tags: Properties
Property Description

Name

The name assigned to the tag when it was created.

Asset Partition

The asset partition to which the tag belongs.

Rules

Indicates whether there is a rule associated with the selected tag. A check mark in this column indicates that the tag has an asset or asset account rule.

Description

Information about the tag.

Use these toolbar buttons to manage tags.

Table 117: Tags: Toolbar
Option Description

New

Add a dynamic tag. For more information, see Adding a tag for dynamic tagging of assets or asset accounts.

Delete

Remove the selected tag. For more information, see Deleting an asset or asset account tag.

Refresh

Update the list of tags.

Edit

Modify the selected tag. For more information, see Modifying an asset or asset account tag.

NOTE: You cannot modify the partition assignment of an existing tag using the Edit operation. Use the Copy operation to clone the tag and assign it to an additional partition. Use the Delete operation to remove the tag from the existing partition.

Copy

Clone the selected tag and assign it to one or more additional partitions. For more information, see Copying an asset or asset account tag to another partition.

NOTE: If the tag already exists in the partition, the tag will be replaced with the cloned one.

Occurrences

View a list of assets and asset accounts that are assigned to the selected tag. For more information, see Viewing asset and asset account tag assignments.

Search

Search for a specific tag or set of tags in this list.

Related Topics

When does the rules engine run for dynamic grouping and tagging

Adding a tag for dynamic tagging of assets or asset accounts

Use the New button on the Tags pane in the Asset Management settings page to add a dynamic tag for an asset or asset account.

To add an asset or asset account dynamic tag

  1. Navigate to Administrative Tools | Settings | Asset Management | Tags.
  2. Click the New toolbar button.

    The Tag dialog displays.

  3. On the General tab, enter the following information:

    • Name: Enter a unique name for the tag.
    • Description: Enter information about the tag.
    • Partition: Click Browse to select the partition to which this tag is to be assigned.
  4. On the Account Rules tab, enter the conditions for an account rule.

    • Include an account rule for this tag: Select this check box if you want to include an account rule.
    • Rule editor: Use the rule editor to define conditions for tagging asset accounts.

      Table 118: Asset Account Rules tab: Rule editor controls
      Property Description

      AND | OR

      Click AND to group multiple search criteria together, where all criteria must be met in order to be included.

      Click OR to group multiple search criteria together, where at least one of the criteria must be met in order to be included.

      Attribute

      In the first query clause box, select the attribute to be searched. Valid attributes include:

      • Name (Default)
      • Description
      • Platform
      • Disabled
      • Tag
      • Service Account
      • Partition Name
      • Asset Name
      • Asset Tag
      • Domain Name
      • NETBIOS Name
      • Distinguished Name (You cannot do a one-level search with this attribute.)
      • SID
      • Discovered Group Name (Use this selection to not specify the domain in the search. To specify the domain, select Discovered Group Distinguished Name.)
      • Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the group belongs.)
      • Directory Container (If you use the operator Equal, one level is found.)

      Operator

      In the middle clause query box, select the operator to be used in the search. The operators available depend upon the data type of the attribute selected.

      For string attributes, the operators may include:

      • Contains (Default)
      • Does not contain
      • Starts with
      • Ends with
      • Equals
      • Not equal

      For boolean attributes, the operators may include:

      • Is True
      • Is False

      Search string

      In the last clause query box, enter the search string or value to be used to find a match.

      |

      Click to the left of a search clause to add an additional clause to the search criteria.

      Click to remove the search clause from the search criteria.

      Add Grouping | Remove

      Click the Add Grouping button to add an additional set of conditions to be met.

      A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions.

      Click the Remove button to remove a grouping from the search criteria.

      Preview

      Click Preview to run the query in order to review the results of the query before adding the dynamic tag.

  5. On the Asset Rules tab, enter the conditions for an asset rule.

    • Don't include an asset rule for this tag: Select this check box if you do not want to include an asset rule. Selecting this check box disables the rule editor controls on this page. Proceed to the next tab.
    • Rule editor: Use the rule editor to define conditions for tagging assets.

      Table 119: Asset Rules tab: Rule editor controls
      Property Description

      AND | OR

      Click AND to group multiple search criteria together, where all criteria must be met in order to be included.

      Click OR to group multiple search criteria together, where at least one of the criteria must be met in order to be included.

      Attribute

      In the first query clause box, select the attribute to be searched. Valid attributes include:

      • Name (default)
      • Description
      • Platform
      • Disabled
      • Tag
      • Discovery Job Name
      • Partition Name
      • Profile
      • Network Address
      • Discovered Group Name (Use this selection to not specify the domain in the search. To specify the domain, select Discovered Group Distinguished Name.)
      • Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the group belongs.)
      • Directory Container (If you use the operator Equal, one level is found.)

      Operator

      In the middle clause query box, select the operator to be used in the search. The operators available depend on the data type of the attribute selected.

      For string attributes, the operators may include:

      • Contains (Default)
      • Does not contain
      • Starts with
      • Ends with
      • Equals
      • Not equal

      For boolean attributes, the operators may include:

      • Is True
      • Is False

      Search string

      In the last clause query box, enter the search string or value to be used to find a match.

      |

      Click to the left of a search clause to add an additional clause to the search criteria.

      Click to remove the search clause from the search criteria.

      Add Grouping | Remove

      Click the Add Grouping button to add an additional set of conditions to be met.

      A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions.

      Click the Remove button to remove a grouping from the search criteria.

      Preview

      Click Preview to run the query in order to review the results of the query before adding the dynamic tag.

  6. On the Summary tab, review your selections.

    • Account Rules: Open the Account Rules tab to review the conditions for an asset account rule.
    • Asset Rules: Open the Asset Rules tab to review the conditions for an asset rule.
  7. Click Add to create the tag, close the dialog, and return to the Tags pane.
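To see how the rule editor's AND/OR groupings and operators combine before you rely on Preview, here is an added Python example that is not part of the guide or the product: it evaluates a tag rule built from the operators in Tables 118 and 119 over constructed sample accounts. The rule layout, the case-insensitive string matching and the sample data are assumptions.

```python
# String and boolean operators from the rule editor tables. String matching is
# assumed case-insensitive here; the product's actual behaviour may differ.
STRING_OPS = {
    "Contains": lambda v, s: s in v,
    "Does not contain": lambda v, s: s not in v,
    "Starts with": lambda v, s: v.startswith(s),
    "Ends with": lambda v, s: v.endswith(s),
    "Equals": lambda v, s: v == s,
    "Not equal": lambda v, s: v != s,
}
BOOL_OPS = {"Is True": lambda v, _: v is True, "Is False": lambda v, _: v is False}

def eval_clause(clause, record):
    """One query clause: (attribute, operator, search string)."""
    attr, op, value = clause
    actual = record.get(attr)
    if isinstance(actual, bool):
        return BOOL_OPS[op](actual, None)
    return STRING_OPS[op]((actual or "").lower(), str(value).lower())

def eval_group(group, record):
    """A group is {"join": "AND"|"OR", "clauses": [...]}; each clause is a tuple
    or a nested group, which is what Add Grouping produces in the editor."""
    results = [eval_group(c, record) if isinstance(c, dict) else eval_clause(c, record)
               for c in group["clauses"]]
    return all(results) if group["join"] == "AND" else any(results)

def preview(rule, records):
    """Mirror the Preview button: names of the records the rule would tag."""
    return [r["Name"] for r in records if eval_group(rule, r)]

# Constructed sample accounts (not taken from any real system).
ACCOUNTS = [
    {"Name": "svc-backup", "Platform": "Windows Server", "Service Account": True, "Disabled": False},
    {"Name": "root", "Platform": "Linux", "Service Account": False, "Disabled": False},
    {"Name": "oldadmin", "Platform": "Linux", "Service Account": False, "Disabled": True},
    {"Name": "svc-sql", "Platform": "Windows Server", "Service Account": True, "Disabled": True},
]

# Tag enabled Windows service accounts, plus any account whose name ends with "admin".
RULE = {"join": "OR", "clauses": [
    {"join": "AND", "clauses": [
        ("Platform", "Starts with", "Windows"),
        ("Service Account", "Is True", None),
        ("Disabled", "Is False", None),
    ]},
    ("Name", "Ends with", "admin"),
]}

if __name__ == "__main__":
    print(preview(RULE, ACCOUNTS))  # ['svc-backup', 'oldadmin']
```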