Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Attributes tab

Use the Administrative Tools | Directories | Attributes tab to synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.

The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.

To map the Safeguard for Privileged Passwords properties to different directory attributes

  1. Browse to select one or more object classes for the users, computers, and groups categories.

    Note: You can use or remove the default object class.

  2. If you do not want to use the default property, begin typing in the property box. Safeguard for Privileged Passwords' auto-complete feature immediately displays a list of attributes to choose. Safeguard for Privileged Passwords only allows you to choose attributes that are valid for the object classes you have selected for users, groups, and computers.
  3. Once you have set all the properties, click Add Directory.

The following tables list the default directory attributes.

Table 97: Default directory attributes
Safeguard for Privileged Passwords Attribute Directory Attribute
Users
Object Class

Browse to select a class definition that defines the valid attributes for the user object class.

Default: user for Active Directory, inetOrgPerson for LDAP

User Name

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

First Name

givenName

Last Name

sn

Work Phone

telephoneNumber

Mobile Phone

mobile

Email

mail

Description

description

External Federation Authentication

The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS).

For both Active Directory and OpenLDAP 2.4, this will default to the "mail" attribute.

NOTE: This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication.

For more information, see Adding a directory user group.

Radius

Authentication

The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication.

For Active Directory, this will default to using the "samAccountName" attribute. For OpenLDAP 2.4, this will default to using the "cn" attribute.

NOTE: This is only used when processing members of a directory user group in which the group has been configured to use Radius as either the primary or secondary authentication provider.

For more information, see Adding a directory user group.

Managed Objects

The directory attribute used when automatically associating existing managed Directory Accounts to users of a directory user group as linked accounts. For information on managing Directory Accounts, see Adding directory accounts to a directory.

Defaults:

  • For Active Directory, this defaults to "managedObjects". However, you may want to use the "directReports" attribute based on where you have the information stored in Active Directory.
  • For OpenLDAP 2.4, this defaults to the "seeAlso" attribute.

When choosing an attribute, it must exist on the user itself and contain one or more "Distinguished Name" values of other directory user objects. For example, you would not want to use the "owner" attribute in OpenLDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an “owns” attribute to exist on the user such as the default "seeAlso" attribute.

For more information, see Adding a directory user group.

Computers
Object Class

Browse to select a class definition that defines the valid attributes for the computer object class.

Default: computer for Active Directory, ipHost for LDAP

Name

cn

Network Address

dNSHostName for Active Directory, ipHostNumber for LDAP

Operating System

operatingSystem for Active Directory

Operating System Version

operatingSystemVersion for Active Directory

Description

description

Groups
Object Class

Browse to select a class definition that defines the valid attributes for the group object class.

Default: group for Active Directory, groupOfNames for LDAP

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Description

description

Checking a directory's connectivity

After you add a directory you can verify that Safeguard for Privileged Passwords can log into it using the Check Connection option.

Note: When you run Connect from the directory's General tab (such as when you add the directory initially), you must enter the service account credentials. Once you add the directory to Safeguard for Privileged Passwords it saves these credentials.

The Check Connection option does not require that you enter the service account credentials because it uses the saved credentials to verify that it can log into that asset.

To check a directory’s connectivity

  1. Navigate to Administrative Tools | Directories.
  2. From Directories, right-click a directory to open its context menu.

  3. Choose the Check Connection option.

    Safeguard for Privileged Passwords displays a Toolbox task pane that shows the results.

Related Topics

About Test Connection

About service accounts

Adding directory accounts to a directory

This topic explains how to add a directory account to a directory. Safeguard for Privileged Passwords also allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow.You must add a directory to Safeguard for Privileged Passwords before you can add directory accounts.

Ensure that you add accounts that you want Safeguard for Privileged Passwords to manage. If you add directory user accounts to a directory, Safeguard for Privileged Passwords will automatically change the user passwords according to the directory profile schedule you set which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.

IMPORTANT: The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

To add directory accounts to a directory

  1. Navigate to Administrative Tools | Directories.
  2. In Directories, select a directory from the object list and open the Accounts tab. The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.
  3. Click Add Account from the details toolbar.
  4. In the Find Accounts dialog, Browse to select a container within the directory as the Filter Search Location.
  5. The Include objects from sub containers check box is selected by default indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.
  6. In the Contains field, enter a full or partial account name and click Search.

    To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches each domain of a forest. You can search on partial strings. For example, if you enter "ad" in the Contains box, it will find any user Name or Distinguished Name that contains "ad". The text search is not case sensitive and does not allow wild cards.

  7. The results of the search displays in the Select the Account(s) to Add grid. Select one or more accounts to add to Safeguard for Privileged Passwords.
  8. Browse to select the Directory Profile you want to govern the accounts you added to Safeguard for Privileged Passwords.
  9. Click:
    1. OK to add the selected accounts to Safeguard for Privileged Passwords.

      -OR-

    2. Reoccur to configure a directory account discovery job using the search criteria. For more information, see Managing directory account discovery jobs.
Related Topics

Adding account dependencies

Adding a directory

Adding accounts to a directory profile

Managing directory account discovery jobs

Safeguard for Privileged Passwords allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow.

To setup a directory account discovery job

  1. Navigate to Administrative Tools | Directories.
  2. From Directories select a directory from the object list and open the Accounts tab
  3. Click  Manage Discovery from the details toolbar.
  4. In the Manage Discovery dialog, click  Add to open the Directory Account Discovery dialog.

    Note: This dialog also opens when you select Reoccur in the Find Accounts dialog. For more information, see Adding directory accounts to a directory.

  5. Add information to these tabs:
    General tab

    Where you enter the directory account discovery job name and designate the directory profile to govern the accounts the discovery job adds to Safeguard for Privileged Passwords.

    Rules tab

    Where you configure the search criteria for the discovery job.

Related Documents