One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Troubleshooting tips

If there is a problem with a Safeguard for Privileged Passwords cluster, follow these guidelines:

  1. Ensure that the hardware is powered on and online.
  2. Check for networking problems. For more information, see Diagnosing a cluster member.
  3. Check the events in the Activity Center; all cluster operations are logged there. Errors and warnings may resolve on their own, but an error that persists for more than 15 minutes probably will not. Try restarting the appliance to see whether the error or warning clears.
  4. Contact One Identity Support:

Appliance states

The following table lists the appliance states and the actions that are available when the appliance is in a particular state.

Table 253: Appliance states

EnrollingReplica (only applies to replica appliances in a cluster)
    Description: A transitional state where a replica appliance is being added to a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the enroll operation.
    Actions available: Wait for the operation to complete before logging into the appliance.

Initializing
    Description: A transitional state where the appliance is initializing to start, but is not yet available for access.
    Actions available: Wait for the operation to complete before logging into the appliance.

Maintenance
    Description: The appliance is performing maintenance tasks and is not available for access.
    Actions available: Wait for the maintenance tasks to complete before logging into the appliance.

LeavingCluster (only applies to replica appliances in a cluster)
    Description: A transitional state where a replica appliance is being unjoined from a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the unjoin operation.
    Actions available: Wait for the operation to complete before logging into the appliance.

Offline
    Description: The appliance is not available for access.
    Actions available: Wait for the appliance to come back online before logging in.

Offline Workflow
    Description: The appliance is not communicating with the cluster but has been manually placed in Offline Workflow mode to run access request workflow.
    Actions available: Manually enable Offline Workflow mode. Once online operations are resumed, the appliance is returned to Maintenance mode. For more information, see Enable offline workflow.

Online
    Description: The appliance is the primary and has consensus, or the appliance is a replica that has both consensus and connectivity to the primary.
    Actions available: Log into the appliance. In this state, access request workflow is available from all clustered appliances that are online and able to communicate.

PatchPending (only applies to replica appliances in a cluster)
    Description: Upon a cluster patch, the primary appliance instructs all replicas to enter the PatchPending state. The primary appliance then patches and, upon completion, instructs the PatchPending replicas to install the patch one at a time.
    Actions available: You can log into a replica in the PatchPending state. You can initially perform access request workflow on a replica in the PatchPending state; however, during the cluster upgrade, once the majority of the cluster members have upgraded, access request workflow migrates from the PatchPending side of the cluster to the upgraded side. From that point, access request workflow is unavailable on any appliance still in the PatchPending state.

PrimaryNoQuorum (only applies to the primary appliance in a cluster)
    Description: The primary appliance is in Read-only mode while attempting to get the lease, but cannot because the cluster does not have consensus. The appliance continues to attempt to get the lease, and when it does, the appliance state goes back to Online.
    Actions available: If the appliance is powered on, you can log into an appliance in the PrimaryNoQuorum state; however, it will be in Read-only mode. In this state, access request workflow is not available from the primary appliance, but may be available from other appliances in the cluster. For example, if the primary cannot communicate with the rest of the nodes in the cluster, but the rest of the nodes can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from those replica appliances even though it is not available from the primary appliance.

Quarantine
    Description: The appliance is broken or in an unknown state.
    Actions available: Requires manual intervention to recover. Go to the recovery kiosk to recover. For more information, see Recovery kiosk.

ReplicaDisconnected (applies to replica appliances in a cluster)
    Description: A replica appliance is available for access; however, both of the following conditions apply:
      • The replica appliance cannot communicate with the primary appliance in the cluster, and
      • The remaining nodes in the cluster that the replica appliance can communicate with do not have consensus.
    Actions available: You can log into a replica in the ReplicaDisconnected state, but access request workflow is disabled. If the replica appliance cannot communicate with the other nodes in the cluster, but the remaining nodes can communicate with each other, then access request workflow will be available from those appliances even though it is not available from the appliance that cannot communicate with them.

ReplicaNoQuorum (applies to replica appliances in a cluster)
    Description: A replica appliance can communicate with the primary appliance; however, the cluster does not have consensus. Once the cluster regains consensus, the replica appliance will go into the Online state.
    Actions available: You can log into a replica in the ReplicaNoQuorum state, but access request workflow is disabled. In this state, access request workflow is not available from this replica or from the primary appliance, but may be available from other replicas. For example, in a cluster of five appliances, if the primary and a single replica cannot communicate with the remaining replicas, but the other three replicas can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from the three replicas that are online and communicating even though it is not available from the primary and the replica that cannot reach them.

ReplicaWithQuorum (applies to replica appliances in a cluster)
    Description: A replica appliance cannot communicate with the primary appliance; however, the remaining nodes in the cluster have reached consensus.
    Actions available: You can log into a replica in the ReplicaWithQuorum state. In this state, access request workflow is available from any clustered appliance that is online and able to communicate.

TransitioningToPrimary (only applies to replica appliances in a cluster)
    Description: A transitional state where a replica appliance is being promoted to be the new primary and is not available for access.
    Actions available: Wait for the operation to complete before logging into the appliance.

TransitioningToReplica (only applies to the primary appliance in a cluster)
    Description: A transitional state where a primary appliance is being demoted to a replica and is not available for access.
    Actions available: Wait for the operation to complete before logging into the appliance.

ShuttingDown
    Description: A transitional state where an appliance is shutting down and is not available for access.
    Actions available: Wait for the appliance to come back online before logging in.

StandaloneReadOnly
    Description: State used for replicas unjoined from a cluster or for a primary appliance restored from a backup. The appliance can be activated.
    Actions available: Log into the appliance. See Activating a read-only appliance for how to activate a Read-only appliance so you can add, delete, and modify data, apply access request workflow, and so on.

Unknown
    Description: The appliance is broken or in an unknown state.
    Actions available: Requires manual intervention to recover. Go to the recovery kiosk to recover. For more information, see Recovery kiosk.
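The quorum-dependent states in the table above (Online, PrimaryNoQuorum, ReplicaWithQuorum, ReplicaNoQuorum, ReplicaDisconnected) follow two questions for each appliance: can it reach the primary, and does the group of nodes it can reach have consensus? The following Python model is an added example, not Safeguard code and not an API the product exposes; it encodes the table's rules so you can predict which appliances will accept access request workflow under a given network partition. It assumes that consensus means a strict majority of all cluster members (the table says "consensus" and "majority" without defining them) and that connectivity is transitive within a partition.

```python
"""Model of the cluster-state rules in Table 253 (illustrative, not Safeguard code).

Given the cluster membership, which member is the primary, and how the network
has split the members into mutually reachable groups, derive the state each
appliance reports and whether access request workflow is available from it.
"""
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Tuple


class State(str, Enum):
    ONLINE = "Online"
    PRIMARY_NO_QUORUM = "PrimaryNoQuorum"
    REPLICA_WITH_QUORUM = "ReplicaWithQuorum"
    REPLICA_NO_QUORUM = "ReplicaNoQuorum"
    REPLICA_DISCONNECTED = "ReplicaDisconnected"


# States in which Table 253 says access request workflow is available.
WORKFLOW_STATES = {State.ONLINE, State.REPLICA_WITH_QUORUM}


def has_consensus(partition_size: int, cluster_size: int) -> bool:
    """Assumption: consensus = a strict majority of ALL cluster members can talk
    to each other. A 2-of-5 group never has it; a 3-of-5 group always does."""
    return 2 * partition_size > cluster_size


def classify(is_primary: bool, reaches_primary: bool, consensus: bool) -> State:
    """The decision rules from the table, one branch per row."""
    if is_primary:
        return State.ONLINE if consensus else State.PRIMARY_NO_QUORUM
    if reaches_primary:
        return State.ONLINE if consensus else State.REPLICA_NO_QUORUM
    return State.REPLICA_WITH_QUORUM if consensus else State.REPLICA_DISCONNECTED


def assess_cluster(
    members: Iterable[str], primary: str, partitions: Iterable[Iterable[str]]
) -> Dict[str, Tuple[State, bool]]:
    """Map each member to (state, workflow_available) for one partition layout.

    `partitions` lists the groups of members that can still reach each other;
    they must be disjoint and together cover every member exactly once.
    """
    all_members = frozenset(members)
    groups = [frozenset(p) for p in partitions]
    if primary not in all_members:
        raise ValueError(f"primary {primary!r} is not a cluster member")
    seen: set = set()
    for g in groups:
        if not g <= all_members or g & seen:
            raise ValueError("partitions must be disjoint subsets of the cluster")
        seen |= g
    if seen != all_members:
        raise ValueError("every member must appear in exactly one partition")

    result: Dict[str, Tuple[State, bool]] = {}
    for g in groups:
        consensus = has_consensus(len(g), len(all_members))
        for node in g:
            state = classify(node == primary, primary in g, consensus)
            result[node] = (state, state in WORKFLOW_STATES)
    return result


def workflow_members(
    members: Iterable[str], primary: str, partitions: Iterable[Iterable[str]]
) -> FrozenSet[str]:
    """Members from which workflow is available. Because only one group can
    hold a strict majority, this is always a single partition or empty, which
    is the split-brain guarantee the quorum rule provides."""
    verdict = assess_cluster(members, primary, partitions)
    return frozenset(n for n, (_, ok) in verdict.items() if ok)


if __name__ == "__main__":
    # Constructed scenario: the five-node split described under ReplicaNoQuorum.
    members = ["primary", "replica1", "replica2", "replica3", "replica4"]
    split = [{"primary", "replica1"}, {"replica2", "replica3", "replica4"}]
    for node, (state, ok) in sorted(assess_cluster(members, "primary", split).items()):
        print(f"{node:9s} {state.value:20s} workflow={'yes' if ok else 'no'}")
    print("workflow available from:", sorted(workflow_members(members, "primary", split)))
```

In the five-node scenario the model reports PrimaryNoQuorum for the primary, ReplicaNoQuorum for the replica stranded with it, and ReplicaWithQuorum for the three replicas on the majority side, which matches the table. The same function shows the inverse case: a single replica cut off from a five-node cluster lands in ReplicaDisconnected while the other four remain Online, and an even three-way split of a three-node cluster leaves no member serving workflow at all.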

Administrator permissions

To secure control of your IT department's assets (that is, "managed systems"), Safeguard for Privileged Passwords uses a role-based access control hierarchy. Its permission sets restrict the amount of control each type of user has.

Note: It is the responsibility of a user with Authorizer Administrator permissions to grant administrator permissions to other Safeguard for Privileged Passwords users; however, the User Administrator can grant Help Desk Administrator permissions to non-administrative users.

Administrator permissions include:

Appliance administrator permissions

The appliance administrator is responsible for configuring and maintaining the appliance, including the following tasks:

  • Racks and stacks the appliance.
  • Configures the appliance.
  • Troubleshoots performance, hardware, and networking.
  • Creates and monitors the status of a clustered environment.
  • Manages licenses, certificates, backups, and sessions settings.
  • Enables and disables access request and password management services.
Table 254: Appliance administrator: Permissions

Activity Center
    View and export appliance activity events.

Administrative Tools | Toolbox
    Access to the Tasks pane.

Administrative Tools | Settings
  • Access Request | Enable or Disable Services
    Enable or disable the access request and password management services.
  • Appliance
    Monitor the status of the appliance.
    Shut down or restart the appliance.
    Run diagnostics on the appliance.
    Enable or disable Lights Out Management (BMC).
    Configure networking settings.
    Perform a factory reset to recover from major problems or to clear the data and configuration settings on the appliance.
    Generate a support bundle to assist technical support.
    Manage appliance time.
    Install update files (patches).
  • Backup and Retention
    Configure backup and retention settings, define archive servers, and manage backups.
  • Certificates
    Manage the certificates used by Safeguard.
  • Cluster
    Create and manage a clustered environment.
    Monitor the status of the clustered environment.
    Diagnose cluster members.
  • External Integration
    Configure the Approval Anywhere service for access request approvals.
    Configure Safeguard for Privileged Passwords to send event notifications to external systems.
    Configure identity providers and authentication providers.
    Configure Safeguard for Privileged Passwords to send SNMP traps to the SNMP console.
    Join Safeguard for Privileged Passwords to Starling.
    Configure Safeguard for Privileged Passwords to send event notifications to a syslog server.
    Configure the integration with an external ticketing system.
  • Licensing
    Add and manage Safeguard for Privileged Passwords module licenses.
  • Messaging
    Configure login notifications.
    Set the message of the day.
  • Safeguard for Privileged Passwords Access | Login Control
    Configure the user login control settings.
  • Sessions
    Configure session recording storage management.
    Configure the sessions module settings.
    Reset the sessions module.
    Generate or download an SSH host key.
    For external sessions, view the joined appliances, remove them, or modify their configuration.
