
One Identity Safeguard for Privileged Passwords 2.11 - Release Notes

Safeguard for Privileged Passwords Release Notes

Safeguard for Privileged Passwords 2.11

Release Notes

January 2020

These release notes provide information about the Safeguard for Privileged Passwords 2.11 release.

About this release

Safeguard for Privileged Passwords Version 2.11 is a minor release with new features and resolved issues. The new features include:

  • Access requests proceed regardless of the review state of an earlier request (TFS 805354/DevOps 191598)
  • Audit history for passwords and sessions (TFS 797263/DevOps 191549)
  • Azure to run in the cloud (191524)
  • Generic ticket system without ticket system validation (TFS 794519/Dev Ops 191534)
  • Support dynamic grouping for assets based on Active Directory groups (TFS 806225/ DevOps 191499)
  • Web UI (TFS 795288/DevOps 200361)
  • Windows SSH platform (TFS 792427/DevOps 191511)

For more detail, see the New features section below.

NOTE: For a full list of key features in Safeguard for Privileged Passwords, see the Safeguard for Privileged Passwords Administration Guide.

About the Safeguard product line

The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system, and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management and shortening the time frame to value.

A Safeguard for Privileged Passwords virtual appliance is also available. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper-proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs
  • Easy to deploy and integrate
  • Unparalleled depth of recording
  • Comprehensive risk analysis of entitlements and activities
  • Thorough governance for privileged accounts

The suite includes the following modules:

  • Safeguard for Privileged Passwords automates, controls, and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers to integrate seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics, and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time, and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action and ultimately prevent data breaches.

    Figure 1: Privileged Sessions and Privileged Passwords

New features

CAUTION: The embedded sessions module in Safeguard for Privileged Passwords will be removed in the next release. For uninterrupted service, organizations are advised to join the more robust Safeguard for Privileged Sessions Appliance for session recording and playback.

Access requests proceed regardless of the review state of an earlier request (TFS 805354/DevOps 191598)

Policy Administrators can choose to allow subsequent access requests to proceed even if the required review on a previous access request is incomplete. This prevents blocking a new session request when the prior request requires a review and the review is not done. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy) | Reviewer tab.

Audit history for passwords and sessions (TFS 797263/DevOps 191549)

In preparation for a future release of Safeguard for Privileged Sessions, a toggle has been added to allow the Safeguard for Privileged Passwords Appliance Administrator to push audit data to Safeguard for Privileged Sessions (SPS). Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services.

Azure to run in the cloud (191524)

Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace.

Generic ticket system without ticket system validation (TFS 794519/Dev Ops 191534)

Policy Administrators can require requesters to reference a ticket number in their password or session access request. Tickets do not have to be validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request and serves as a reference visible in the Activity Center. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems. In Type, select Other.

Support dynamic grouping for assets based on Active Directory groups (TFS 806225/ DevOps 191499)

Implementers can create tags or dynamic asset groups based on any Active Directory group of which the asset is a member, independent of asset discovery.

For account or asset groups, use the rule editor controls on:

  • Account Rules tab of the Dynamic Account Group dialog
  • Asset Rules tab of the Dynamic Asset Group dialog

To add a dynamic tag for an asset or asset account, use the New button on the Tags pane in the Settings | Asset Management settings page.

Web client (TFS 795288/DevOps 200361)

The Safeguard for Privileged Passwords web client provides a web-based user interface that can be used instead of the desktop client for the request workflow and some administration functions.

Requesters use the web client to:

  • Search for and request password access, session access, or both.
  • Concurrently request access to multiple passwords and sessions.
  • Create and use a favorite to quickly access the common access requests.

Reviewers use the web client to review requests.

Approvers use the web client to:

  • See the access requests awaiting approval.
  • See which access requests require immediate attention.
  • View the details of each access request.
  • Approve or deny an access request.
  • Select multiple access requests to approve or deny at the same time.
  • Return to an approved, active access request and revoke the request.

Administrators can also use the web client to:

  • Configure time, network, and license.
  • Shut down or reboot the appliance.

See the Administration Guide, Using the web client.

Windows SSH platform (TFS 792427/DevOps 191511)

Safeguard for Privileged Passwords can use SSH to connect to the target Windows asset and run commands to manage standard platform tasks. Using SSH requires opening only a single well-known SSH port. OpenSSH is the recommended connectivity tool; however, other SSH servers may also work. Windows SSH assets support both SSH password and SSH session access requests. From Administrative Tools | Assets | Management tab, you can select the Product as Windows SSH and the Version.

Best practices

When configuring the SSH service on the asset, it is recommended to use automatic (versus manual) startup. You can also set the default shell to PowerShell. To do so, go to HKLM\SOFTWARE\OpenSSH, create a new string value called "DefaultShell", and set it to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
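The following script carries out the two recommendations above on the Windows asset. It is an added example, not part of the One Identity release notes or the Safeguard product. It assumes Win32-OpenSSH is already installed with its service registered under the standard name sshd, that the registry key and value name are the ones stated above, and that it runs in an elevated PowerShell session on the asset.

```powershell
# Added example (not from the One Identity release notes): prepare a Windows asset's
# OpenSSH service for management by Safeguard for Privileged Passwords.
# Assumptions: Win32-OpenSSH is installed and its service is named 'sshd';
# this runs in an elevated PowerShell session on the asset itself.

$RegistryKey  = 'HKLM:\SOFTWARE\OpenSSH'
$DefaultShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Refuse to point sshd at a shell binary that is not actually present on this host.
if (-not (Test-Path -Path $DefaultShell -PathType Leaf)) {
    throw "Shell not found: $DefaultShell"
}

# Automatic (rather than manual) startup, as the release notes recommend, so the
# service survives a reboot and Safeguard's check/change tasks keep working.
Set-Service -Name 'sshd' -StartupType Automatic
if ((Get-Service -Name 'sshd').Status -ne 'Running') {
    Start-Service -Name 'sshd'
}

# Create the OpenSSH key if the installer did not, then set the DefaultShell string value.
if (-not (Test-Path -Path $RegistryKey)) {
    New-Item -Path $RegistryKey -Force | Out-Null
}
New-ItemProperty -Path $RegistryKey -Name 'DefaultShell' -Value $DefaultShell `
    -PropertyType String -Force | Out-Null

# Verify: service state and startup type, the registry value sshd will read, and that
# sshd is listening on the single well-known port (22 by default) the notes refer to.
Get-Service -Name 'sshd' | Select-Object Name, Status, StartType
(Get-ItemProperty -Path $RegistryKey -Name 'DefaultShell').DefaultShell
Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it once per asset before adding the asset to Safeguard as a Windows SSH platform; the final three commands print what to check if a subsequent check-connection task against the asset fails.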


Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues

Each entry gives the resolved issue followed by its DevOps Issue ID and TFS Issue ID (NA where no TFS ID exists).

  • Sync group tasks are appropriately managed for efficient scheduling and cancellation, as needed. (DevOps 216780/216625, TFS NA)
  • Adding a user group and directory group functions correctly. (DevOps 216007, TFS NA)
  • Factory reset runs successfully. (DevOps 200915, TFS NA)
  • Manual passwords can be set from a replica. (DevOps 200370, TFS 806873)
  • Asset properties refer to the directory asset properly. (DevOps 197766, TFS 805415)
  • Archiving works without timeout. (DevOps 197755, TFS 806479)
  • More information was added to the "Review Needed" email template. Default values now include: AccessRequestType, ReasonCode, and RequesterUsername. (DevOps 197742, TFS 806173)
  • Lowered minimum permissions to check, change, and check connection. (DevOps 197685, TFS 798720)
  • One Identity Starling uses a new web SSL certificate, signed by the Sectigo certificate authority, that needs to be manually added to Safeguard. See KB article: Safeguard for Privilege Passwords Root certificate update for Starling 2FA and Approval Anywhere (311790). (DevOps 197619, TFS 806686)
  • Task passwords are updated so tasks can run. (DevOps 197615, TFS 806806)
  • An enrollment warning is provided if there is no progress and the enrollment timeout is extended. (DevOps 188724, TFS 806018)
  • Documentation explains how Safeguard for Privileged Passwords load balances within the context of a managed network. See the Safeguard for Privileged Passwords Administration Guide, Managed Networks topic. (DevOps 188716, TFS 804494)
  • Regardless of the order, both a session (RDP or SSH) request and a password request for the same account are allowed. (DevOps 188652, TFS 806154)
  • The TLS 1.2 only switch can be enabled by the Appliance Administrator. (DevOps 187914, TFS 806016)
  • In Assets | Import Assets | CSV Template Assistant, ServiceAccountID is available. (DevOps 187822, TFS 805658)
  • When you create an asset template .csv with the Tag column, then import it, the tags in the .csv are assigned to the asset. (DevOps 187816, TFS 804974)
  • Documentation for the User: Authentication tab properties is correct. (DevOps 187799, TFS 806671)
  • Factory reset via the MGMT port generates a challenge for factory reset (not the bootstrap admin password reset). (DevOps 187613, TFS 806613)

 
