It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account and service discovery job workflow.
Note: Safeguard for Privileged Passwords supports account discovery on the following platforms:
To add an asset account discovery setting
Name: Enter a name for the account discovery setting. Limit: 50 characters. Required.
Description: Enter descriptive text about the account discovery setting. Limit: 255 characters.
Schedule: Click the Schedule button and choose an interval. In the Schedule dialog, under Interval, choose Never, Minute, Hour, Day, Week, or Month.
NOTE: Best Practice: Do not use the Minute interval.
When you select the Find account based on rules option in the Account Discovery Settings dialog, Safeguard for Privileged Passwords displays a list of discovery rules configured for this partition and allows you to add a new rule.
Note: Account discovery is not available for Macintosh OS X platforms.
Note: All search terms return exact matches. A user name search for "ADM" only returns "ADM", not "AADMM" or "1ADM2". To find all names that contain "ADM", you must include ".*" in the search term, like this: .*ADM.*. All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with "adm", regardless of case, you must enter [Aa][Dd][Mm].*.
To add an asset account discovery rule
Note: For information about how to find this option, see Adding an asset account discovery setting.
Property | Description |
---|---|
Name | Enter a unique name for the account discovery rule. Limit: 50 characters. Required. |
RID | Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1000, enter 5000-7000, then enter 10000. Limit: 255 numeric characters. |
GID | Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 8, enter 10-12, then enter 15. Limit: 255 numeric characters. |
UID | Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1, enter 5-7, then enter 10. Limit: 255 numeric characters. |
Name | Enter a single regular expression pattern. Limit: 255 alphanumeric characters. |
Group | Enter a single regular expression pattern. Limit: 255 alphanumeric characters. |
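The following is an added example, not Safeguard's own code, that models how a discovery rule's ID list elements (for example "1000", "5000-7000", "10000") and its name regular expression are evaluated. It assumes the matching semantics stated in the note above (a pattern must match the whole name, and matching is case sensitive) and runs them over a constructed list of accounts so you can see which names a given pattern or ID range would pick up before scheduling the job.

```python
import re

# Constructed sample accounts (not from the documentation): name, UID, GID.
SAMPLE_ACCOUNTS = [
    {"name": "ADM", "uid": 1000, "gid": 8},
    {"name": "AADMM", "uid": 1001, "gid": 10},
    {"name": "1ADM2", "uid": 5500, "gid": 12},
    {"name": "adm_backup", "uid": 7001, "gid": 15},
    {"name": "Admin", "uid": 10000, "gid": 20},
]


def parse_id_elements(elements):
    """Turn entered elements such as ["1000", "5000-7000", "10000"] into
    inclusive (low, high) ranges; a single number becomes (n, n)."""
    ranges = []
    for element in elements:
        low, sep, high = element.strip().partition("-")
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError(f"invalid ID element: {element!r}")
        ranges.append((int(low), int(high) if sep else int(low)))
    return ranges


def id_matches(value, ranges):
    # An empty list means the rule does not filter on this identifier.
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


def name_matches(name, pattern):
    # fullmatch reproduces the exact-match rule: "ADM" matches only "ADM",
    # and the match is case sensitive, so "adm" does not match "ADM".
    return pattern is None or re.fullmatch(pattern, name) is not None


def discover(accounts, name_pattern=None, uid_elements=(), gid_elements=()):
    """Return the names of accounts that satisfy every criterion of the rule."""
    uid_ranges = parse_id_elements(uid_elements)
    gid_ranges = parse_id_elements(gid_elements)
    return [
        a["name"] for a in accounts
        if name_matches(a["name"], name_pattern)
        and id_matches(a["uid"], uid_ranges)
        and id_matches(a["gid"], gid_ranges)
    ]


if __name__ == "__main__":
    print(discover(SAMPLE_ACCOUNTS, name_pattern="ADM"))            # ['ADM']
    print(discover(SAMPLE_ACCOUNTS, name_pattern=".*ADM.*"))        # ['ADM', 'AADMM', '1ADM2']
    print(discover(SAMPLE_ACCOUNTS, name_pattern="[Aa][Dd][Mm].*"))  # ['ADM', 'adm_backup', 'Admin']
    print(discover(SAMPLE_ACCOUNTS, uid_elements=["1000", "5000-7000", "10000"]))  # ['ADM', '1ADM2', 'Admin']
```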
The Assets dialog displays a list of assets assigned to this partition based on the criteria you set in this rule.
The Accounts dialog displays a preview list of all the accounts that meet the rule's criteria.
Safeguard for Privileged Passwords adds the new rule to the Account Discovery Settings dialog.
When Safeguard for Privileged Passwords runs the discovery job, according to the schedule you have set, it displays the accounts it finds on the partition's Discovered Accounts tab.
The Asset Administrator adds a custom platform, which includes uploading the custom platform script with the platform's commands and details. Auditors and Partition Administrators have read-only rights. Custom platforms are global across all partitions. The custom platform can be selected when adding or updating an asset.
NOTE: Only SSH-based custom platforms are supported in Safeguard for Privileged Passwords 2.4. Other protocols will be added in the future.
Create and manage custom platforms in Administrative Tools | Settings | Asset Management | Custom Platforms.
The Custom Platform pane displays the following.
Property | Description |
---|---|
Name | The name of the platform type, which may be a product name. |
Version | The version of the operating system to use as an identifier. |
Architecture | The CPU architecture to use as an identifier. |
Platform Script | The name of the custom platform script file, displayed once selected. |
Allow Sessions Requests | If selected, session access requests are allowed. |
Use the following toolbar buttons to manage the custom platform settings.
- Add a custom platform. For more information, see Adding a custom platform.
- Remove the selected custom platform.
- Update the list of custom platforms.
- View the custom platform script parameters including:
A custom platform script identifies the platform's commands and associated details. Scripts are written in JSON. Scripts include meta-data, parameters, function blocks, operations, and if/then constructs to authenticate to the platform and perform password validation and reset. The custom platform script is uploaded when adding the custom platform.
Sample custom platform scripts and command details are available at the following links:
Writing a custom platform script for SSH:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/WritingACustomPlatformScript
Example Linux Script:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/ExampleLinuxScript
Command-Reference:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/Command-Reference
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks that each value matches the type of its property, which may be a string, boolean, integer, or password (called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.
During development, check your JSON using a validator like the one at this link: https://jsonlint.com/
The ExampleLinuxScript.json is an example of a custom platform script that can be adapted to work against an asset running Linux.
The script has meta-data including “Id” and “Backend”. “Id” is a unique name to identify the script. “Backend” will always be set to “Scriptable”.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.