The Asset Administrator or a partition's delegated administrator defines the password sync group. An account can belong to only one password sync group. To assign sync groups and related accounts when adding the profile to a partition, see Creating a partition profile.
To create a password sync group
Click (or tap) Add to open the Password Sync Group dialog.
Click (or tap) Browse to select a Profile. The Profile name displays.
NOTE: Multiple password sync groups can be added to a profile. The profile change schedule is applied to the sync group. The sync group controls the tasks to change the passwords for the accounts in the sync group. Change tasks occur in the order of password sync group priority. For more information, see Password sync group priority.
Click (or tap) Add and select one or more Accounts to be synchronized.
The Accounts list displays the following information about each account: Name, Parent, Service Account, Needs a Password (yes or no), and Description. Click (or tap) any column heading to sort the accounts.
You can make modifications to the priority of a password sync group, the accounts assigned to a password sync group, or sync the selected account password.
To modify an account priority, select the account then click (or tap) Edit.
Enter the Priority then click (or tap) OK. For more information, see Password sync group priority.
Safeguard for Privileged Passwords allows you to configure these settings related to accessing One Identity Safeguard for Privileged Passwords. Navigate to Administrative Tools | Settings | Profile | Safeguard Access.
Login Control: Where you configure the user login control settings.
Password Rules: Where you configure user password complexity rules.
It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged Passwords user login control settings, such as the number of failed sign-in attempts before locking out an account.
To configure the login controls
Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.
Range: 10 minutes to 28800 minutes (20 days)
Default: 1440 minutes (1 day)
Set the number of minutes a locked out account remains locked.
Range: 1 to 9999 minutes; a setting of 9999 requires an administrator to manually unlock the account.
Default: 15 minutes
Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.
If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has been met.
Range: 0 to 100 failed sign-in attempts; a value of 0 (zero) means the user's account is never locked because of failed logins.
Default: 5 consecutive failures
Set the duration (in minutes) in which Safeguard for Privileged Passwords increments the number of failed sign-in attempts.
Range: 0 to 15 minutes; a value of 0 (zero) means there is no time limit on tracking failed logon attempts.
Default: 10 minutes
Set the number of days to wait before automatically disabling an inactive user account.
If a user has not logged on to Safeguard for Privileged Passwords for this number of days, Safeguard for Privileged Passwords disables the user account.
Range: 14 to 365 days
Default: 365 days
Inform User of Disabled Account
Select this option to tell users, when they attempt to log in, that Safeguard for Privileged Passwords has disabled their account. When cleared, Safeguard for Privileged Passwords tells the user only that access has been denied.
A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user.
Default: Not set
Inform User of Locked Account
Select this option to tell users, when they attempt to log in, that Safeguard for Privileged Passwords has locked their account. When cleared, Safeguard for Privileged Passwords tells the user only that access has been denied.
A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account.
Default: Not set
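The interaction of Lockout Threshold, Lockout Window and Lockout Duration described above, including the 0 and 9999 special values, can be checked with a small model. This is an added example, not One Identity code: the class and function names are hypothetical, and it assumes that a successful sign-in resets the consecutive-failure count, that attempts made while locked are not counted, and that a failure exactly one window old is no longer counted.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MANUAL_UNLOCK = 9999  # documented: this Lockout Duration needs an administrator unlock

@dataclass
class LockoutPolicy:
    threshold: int = 5   # Lockout Threshold, 0-100; 0 = never lock
    window: int = 10     # Lockout Window in minutes, 0-15; 0 = no time limit
    duration: int = 15   # Lockout Duration in minutes, 1-9999
    def __post_init__(self):
        if not (0 <= self.threshold <= 100 and 0 <= self.window <= 15
                and 1 <= self.duration <= MANUAL_UNLOCK):
            raise ValueError("setting outside documented range")

@dataclass
class Account:
    policy: LockoutPolicy
    failures: List[int] = field(default_factory=list)  # minutes of counted failures
    locked_at: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        expired = (self.locked_at is not None and self.policy.duration != MANUAL_UNLOCK
                   and now - self.locked_at >= self.policy.duration)
        if expired:
            self.unlock()  # Lockout Duration has been met
        return self.locked_at is not None

    def unlock(self) -> None:
        # Timed expiry or an administrator's manual unlock.
        self.locked_at = None
        self.failures.clear()

    def attempt(self, now: int, password_ok: bool) -> str:
        if self.is_locked(now):
            return "locked"            # assumption: not counted while locked
        if password_ok:
            self.failures.clear()      # assumption: success ends the consecutive run
            return "ok"
        if self.policy.window:         # 0 keeps every earlier failure
            self.failures = [t for t in self.failures if now - t < self.policy.window]
        self.failures.append(now)
        if self.policy.threshold and len(self.failures) >= self.policy.threshold:
            self.locked_at = now
            return "locked"
        return "denied"

def replay(policy: LockoutPolicy, events) -> list:
    """Replay constructed (minute, password_ok) events against one account."""
    account = Account(policy)
    return [account.attempt(minute, ok) for minute, ok in events]
```

Replaying the same constructed failure sequence under different settings shows which values leave failures uncounted, which is the check to make before moving any of the three settings away from its default.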
Minimum Password Age
Set the number of days a user must wait before changing his or her password.
Range: 0 to 14 days
Maximum Password Age
Set the number of days users can use their current password before they must change it.
Range: 0 to 180 days; a value of 0 (zero) indicates passwords never expire.
Default: 42 days
Password Age Reminder
Set the period of time (in days) before the Maximum Password Age limit is met and Safeguard for Privileged Passwords begins to remind the user that their password is about to expire.
Range: 0 to 30 days
Default: 14 days
Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in first-out basis.
Range: 0 to 24 old passwords; a value of 0 (zero) disables password history restrictions, allowing users to always reuse old passwords.
Default: 5 stored passwords