Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Directory Tags

Directory administrators can define rules that will dynamically add tags to directory accounts so that they can be easily identified and added to dynamic groups. Use the Administrative Tools | Settings | Asset Management | Directory Tags pane to create and manage dynamic tags for directory accounts.

In addition, Asset administrators can manually add tags to directory accounts on the General tab of the Accounts view. For more information, see Manually adding a tag to an account.

The Directory Tags pane provides a centralized view of all the tags defined for directory accounts. It displays the following details.

Table 154: Directory Tags: Properties
Property Description

Name

The name assigned to the tag when it was created.

Directories

The parent directory to which the tag belongs.

Rules

Indicates whether there is a rule associated with the selected tag. A check mark in this column indicates that the tag has a directory rule.

Description

Information about the tag.

Use these toolbar buttons to manage directory tags.

Table 155:  Directory Tags: Toolbar
Option Description

New

Add a dynamic tag definition. For more information, see Adding a tag for dynamic tagging of directory accounts.

Delete

Remove the selected tag definition. For more information, see Deleting a directory account tag.

Refresh

Update the list of tags.

Edit

Modify the selected tag definition. For more information, see Modifying a directory account tag.

 NOTE: You cannot modify the directory assignment of an existing tag using the Edit operation. Use the Copy operation to clone the tag and assign it to an additional directory. Use the Delete operation to remove the tag from the existing directory.

Copy

Clone the selected tag definition and assign it to one or more additional directories. For more information, see Copying a directory account tag to another directory.

 NOTE: If the tag already exists in the directory, the tag will be replaced with the cloned one.

Occurrences

 View a list of directory accounts that are assigned to the selected tag. For more information, see Viewing directory account tag assignments.

Search

Search for a specific tag or set of tags in the list.

Related Topics

When does the rules engine run for dynamic grouping and tagging

Adding a tag for dynamic tagging of directory accounts

Use the Add button on the Directory Tags pane in the Asset Management settings page to add a dynamic tag for directory accounts.

To add a dynamic tag for directory accounts

  1. Navigate to Administrative Tools | Settings | Asset Management | Directory Tags.

  2. Click (or tap) the toolbar button.

    The New Tag dialog displays.

  3. On the General tab, enter the following information:

    • Name: Enter a unique name for the tag.
    • Description: Enter information about the tag.
    • Partition: Click (or tap) Browse to select the directory to which this tag is to be assigned.

  4. On the Directory Account Rule tab, enter the conditions for a directory account rule.

    • Don't include a directory account rule for this tag: Select this check box if you do not want to include a directory account rule. Selecting this check box disables the rule editor controls on this page. Proceed to the next tab.

    • Rule editor: Use the rule editor to define conditions for tagging directory accounts.

      Table 156: Directory Account Rules tab: Rule editor controls
      Property Description

      AND | OR

      Click (or tap) AND to "and" multiple search criteria together; where all criteria must be met in order to be included.

      Click (or tap) OR to "or" multiple search criteria together; where at least one of the criteria must be met in order to be included.

      Attribute

      In the first query clause box, select the attribute to be searched. Valid attributes include:

      • Name (Default)
      • Description
      • Platform
      • Disabled
      • Tag
      • Service Name
      • Domain Name
      • NETBIOS Name
      • Distinguished Name
      • SID

      Operator

      In the middle clause query box, select the operator to be used in the search. The operators available depend upon the data type of the attribute selected.

      For string attributes, the operators may include:

      • Contains (Default)
      • Does not contain
      • Starts with
      • Ends with
      • Equals
      • Not equal

      For boolean attributes, the operators may include:

      • Is True
      • Is False

      Search string

      In the last clause query box, enter the search string or value to be used to find a match.

      |

      Click (or tap) to the left of a search clause to add an additional clause to the search criteria.

      Click (or tap) to remove the search clause from the search criteria.

      Add Grouping | Remove

      Click (or tap) the Add Grouping button to add an additional set of conditions to be met.

      A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions.

      Click (or tap) the Remove button to remove a grouping from the search criteria.

      Preview

      Click (or tap) Preview to run the query in order to review the results of the query before adding the dynamic tag.

  5. On the Summary tab review the conditions for the directory account rules.
  6. Click (or tap) Add to create the tag, close the dialog, and return to the Directory Tags pane.

Deleting a directory account tag

Click (or tap) Delete on the Directory Tags pane in the Asset Management settings page to delete a directory account tag from Safeguard for Privileged Passwords.

NOTE: All references to a tag will be removed, no matter how it was assigned (dynamically or manually).

NOTE: A tag can be assigned to multiple object types. That is, you can have the same tag assigned to assets, asset accounts, and directory accounts.

To delete a directory account tag

  1. Navigate to Administrative Tools | Settings | Asset Management | Directory Tags.
  2. Select the tag definition to be deleted.
  3. Click (or tap) the toolbar button.
  4. On the Remove Selected confirmation dialog, click (or tap) Yes.

  5. If the tag is being used, removing the tag may result in changes to your policy configuration; therefore, you are given the opportunity to confirm or cancel the remove operation.

    • To remove the tag, enter Force Delete and click (or tap) OK.
    • To cancel the remove operation, click (or tap) Cancel.

Modifying a directory account tag

Use the Edit button on the Directory Tags pane on the Asset Management settings page to modify a directory account tag.

To modify a directory account tag

  1. Navigate to Administrative Tools | Settings | Asset Management | Directory Tags.
  2. Select the tag to be modified.

  3. Select the toolbar button.

    The Directory Tag dialog displays allowing you to modify the selected tag.

  4. On the General tab, you can modify the following settings:

    • Name

    • Description

    		 NOTE: You cannot modify the directory assignment of an existing tag using the Edit operation. Use the Copy operation to clone the tag and assign it to an additional directory. Use the Delete operation to remove the tag from the existing directory.

  5. On the Directory Account Rules tab, you can modify the conditions for the directory account rule.

    • Don't include a directory account rule for this tag: Select this check box if you do not want to include a directory account rule. Selecting this check box disables the rule editor controls on this page. Proceed to the next tab.

    • Rule editor: Use the rule editor to modify the conditions for tagging directory accounts.

      Table 157: Directory Account Rules tab: Rule editor controls
      Property Description

      AND | OR

      Click (or tap) AND to "and" multiple search criteria together; where all criteria must be met in order to be included.

      Click (or tap) OR to "or" multiple search criteria together; where at least one of the criteria must be met in order to be included.

      Attribute

      In the first query clause box, select the attribute to be searched. Valid attributes include:

      • Name (Default)
      • Description
      • Platform
      • Disabled
      • Tag
      • Service Name
      • Domain Name
      • NETBIOS Name
      • Distinguished Name
      • SID

      Operator

      In the middle clause query box, select the operator to be used in the search. The operators available depend upon the data type of the attribute selected.

      For string attributes, the operators may include:

      • Contains (Default)
      • Does not contain
      • Starts with
      • Ends with
      • Equals
      • Not equal

      For boolean attributes, the operators may include:

      • Is True
      • Is False

      Search string

      In the last clause query box, enter the search string or value to be used to find a match.

      |

      Click (or tap) to the left of a search clause to add an additional clause to the search criteria.

      Click (or tap) to remove the search clause from the search criteria.

      Add Grouping | Remove

      Click (or tap) the Add Grouping button to add an additional set of conditions to be met.

      A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions.

      Click (or tap) the Remove button to remove a grouping from the search criteria.

      Preview

      Click (or tap) Preview to run the query in order to review the results of the query before adding the dynamic tag.

    Click Preview at the bottom of the dialog to preview the effects the currently defined rule conditions will have on a group.

  6. On the Summary tab, review your changes and click (or tap) OK.
Related Documents