One Identity Safeguard for Privileged Passwords 2.11 - Evaluation Guide

Exercise 2: Testing the RDP session request workflow

This exercise demonstrates the RDP session request workflow from request to approval to review. Since the entitlement's policy specified that you will provide your own credentials, you will need to enter those before you launch the RDP session.

Test: Request session

As Joe, the Requester user, complete the following steps:

  1. On your Home page, select New Request.
    • Request an RDP session for a Windows account.
    • Notice how the policy configuration dictates the user experience. For example, you are not required to enter a reason and a comment for this policy.
  2. Open Requests and review your pending request.

Test: Approve sessions request

Since the access request policy was set to Auto-approved, there is no approval required.

Did you get an email notification of the auto-approved access request?

Test: Launch the RDP session

As Joe, complete the following steps.

  1. Once the session becomes Available, open the session request.
  2. Enter the credentials to be used (user name and password) and click Apply.

    Clicking Apply retrieves the information required to log in: Computer ID and Username Connection String.

  3. Select Launch RDP.
  4. Accept the security certificate to continue.
  5. Run programs (for example, launch a browser and browse the internet) on the test server.
  6. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  7. Select Check-In to complete the checkout process for the sessions request.

Test: Review a completed sessions request

  1. Log in to the desktop client as Ralph, the Reviewer user.
  2. Open Reviews and review the request that is waiting for your review.
  3. Select Workflow to view the transactions that took place as part of the request.

    1. Since Record Sessions is enabled in the policy, on the Initialize Session event, click Play to replay the session.
    2. Notice that since Enable Window Title Detection is not enabled in the policy, a list of the windows opened on the desktop during the session is not available for review.
  4. Select Review to complete the review process.

Auditing exercises

Now that you have performed some password request activities, you can audit the transaction data.

The appliance records all activities performed within Safeguard for Privileged Passwords. Any administrator has access to the audit log information; however, your administrator permission set determines what audit data you can access.

Safeguard for Privileged Passwords provides several ways to audit transaction activity:

  • Password Archive: Where you access a previous password for an account for a specific date.
  • Check and Change Log: Where you view an account's password validation and reset history.
  • History: Where you view the details of each operation that has affected the selected item.
  • Activity Center: Where you can search for and review any activity for a specific time frame.
  • Workflow: Where you can audit the transactions performed as part of the workflow process from request to approval to review for a specific access request.
  • Reports: Where you can view and export entitlement reports that show you which assets and accounts a selected user is authorized to access.

The exercises in this section demonstrate Safeguard for Privileged Passwords's auditing capabilities. But before we start, let's create some password check and change activity.

These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords auditing features.

Exercise 1: Creating audit data

By following these steps, you will add some password check and change history to Safeguard for Privileged Passwords's audit log and you will learn how to manually verify and reset account passwords.

To perform password check and change activity

  1. Log in as AssetAdmin and navigate to Administrative Tools.
  2. In Accounts, select an account.
  3. Open the Account Security menu and notice the options: Check Password, Change Password, and Set Password using the Manual Password option.

    Note: These same options are available from an account's context menu.

  4. Check the password for the account.

    Note: The Tasks pane opens when you start a task. You can resize your desktop client console so that the Tasks pane is not covering the Administrative Tools.

    The "Check" option verifies the account password is synchronized with the Safeguard for Privileged Passwords database; this action should succeed.

    TIP: If Check Password fails, run Check Asset from the context menu of the asset to ensure that Safeguard for Privileged Passwords can communicate with it. Then retry the Check Password option on the account.

  5. Set the password for the account to Mypass01 using the Manual Password option.

    The Manual Password option manually sets the account password in the Safeguard for Privileged Passwords database, not on the appliance, so the two are now out of sync.

  6. Check the password for the account.

    The Check option should fail because the account password is not in sync with the Safeguard for Privileged Passwords database.

  7. Change the password for the account.

    The Change option creates a new account password and synchronizes it on the Safeguard for Privileged Passwords database.

  8. Check the password for the account again.

    This task should now be successful.

Stay logged in as the AssetAdmin for the next exercise.

Exercise 2: Accessing the Password Archive

Password Archive allows you to access a previous password for an account for a specific date.

NOTE: The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset.

To access an account's previous password

  1. In Accounts, select the account you have been working with.
  2. Click Password Archive from the toolbar.
  3. In the Password Archive dialog, select today's (or a previous) date.

    TIP: If no entries are returned, this indicates that the asset is still using the current password.

  4. In the View column, click to display the password for the specified date.
  5. Either Copy the password, or click OK to close the dialog.
  6. Close Password Archive to return to Accounts.

Stay logged in as the AssetAdmin for the next exercise.
