Introduction
System requirements
Desktop client system requirements
Web client system requirements
Web management console system requirements
Supported platforms
Product licensing
Using the virtual appliance and web management console
Installing the desktop client
Setting up Safeguard for Privileged Passwords for the first time
Step 1: Create the Authorizer Administrator
Step 2: Authorizer Administrator creates administrators
Step 3: Appliance Administrator configures the appliance
Step 4: User Administrator adds users
Step 5: Asset Administrator adds managed systems
Step 6: Security Policy Administrator adds access request policies
The console
Navigation pane
Home
Search box
Dashboard
Activity Center
Privileged access requests
Applying search criteria
Saving search criteria
Generating an activity audit log report
Scheduling an activity audit log report
Editing or deleting a saved search or scheduled report
Viewing event details
Auditing request workflow
Filtering report results
Sorting report results
Reports
Administrative Tools
Creating, editing, or removing a favorite request
Configuring alerts
Password release request workflow
Toolbox
Accounts
Requesting a password release
Approving a password release request
Reviewing a completed password release request
Session request workflow
General tab (account)
Access Request Policies tab (account)
Account Groups tab (account)
Dependent Assets (account)
Check and Change Log tab (account)
History tab (account)
Managing accounts
Account Groups
General tab (account group)
Accounts tab (account group)
Access Request Policies tab (account group)
History tab (account group)
Managing account groups
Assets
Adding an account group
Adding a dynamic account group
General tab (add dynamic account group)
Account Rules tab (add dynamic account group)
Summary tab (add dynamic account group)
Adding one or more accounts to an account group
Adding accounts to an access request policy
Modifying an account group
Deleting an account group
General tab (asset)
Accounts tab (asset)
Account Dependencies tab (asset)
Access Request Policies tab (asset)
Asset Groups tab (asset)
Discovered Services tab (asset)
History tab (asset)
Managing assets
Asset Groups
Adding an asset
General tab (add asset)
Management tab (add asset)
Account Discovery tab (add asset)
Connection tab (add asset)
Checking an asset's connectivity
Assigning an asset to a partition
Assigning a profile to an asset
Manually adding a tag to an asset
Adding an account to an asset
Adding account dependencies
Adding an asset to asset groups
Modifying an asset
Deleting an asset
Importing objects
Downloading a public SSH key
About service accounts
About Test Connection
SSH Key
Directory Account
Local System Account
Password (local service account)
Access Key
None
Attributes tab (add asset)
General tab (asset group)
Assets tab (asset group)
Access Request Policies tab (asset group)
History tab (asset group)
Managing asset groups
Discovery
Asset Discovery
Entitlements
Asset Discovery job workflow
Adding an Asset Discovery job
Asset Discovery Results
Account Discovery
General tab (asset discovery)
Information tab (asset discovery)
Rules tab (asset discovery)
Editing an Asset Discovery job
Deleting an Asset Discovery job
Add Condition (asset discovery)
Edit Connection Template (asset discovery)
Add Asset Profile (asset discovery)
Schedule tab (asset discovery)
Summary tab (asset discovery)
Account Discovery job workflow
Adding an Account Discovery job
Editing an Account Discovery job
Deleting an Account Discovery job
Account Discovery Results
Discovered Accounts
Service Discovery Results
Discovered Services
General tab
Users tab
Access Request Policies tab
History tab
Managing entitlements
Partitions
Adding an entitlement
Creating an access request policy
General tab
Scope tab
Requester tab
Approver tab
Reviewer tab
Access Config tab
Session Settings tab
Time Restrictions tab
Emergency tab
Adding users or user groups to an entitlement
Deleting an access request policy
Modifying an access request policy
Copying an access request policy
Viewing and editing policy details
Modifying an entitlement
Deleting an entitlement
About profiles
General tab (partitions)
Assets tab (partitions)
Accounts tab (partitions)
Profiles tab (partitions)
History tab (partitions)
Managing partitions
Settings
Access Request settings
Appliance settings
Users
Appliance Diagnostics
Appliance Information
Enable or Disable Services (Application to Application service)
Factory Reset from the desktop client
Licensing
Lights Out Management (BMC)
Network Diagnostics
Networking
Operating system licensing
Support Bundle
Time
Updates
Asset Management settings
Backup and Retention settings
Certificate settings
About certificates
Audit Log Signing Certificate
Certificate Signing Request
Sessions Certificates
Cluster settings
External Integration settings
Installing a sessions certificate
Creating a Certificate Signing Request for Sessions
Resetting to use default certificate
SSL Certificates
Installing an SSL certificate
Creating a Certificate Signing Request (CSR)
Assigning a certificate to appliances
Trusted Certificates
Application to Application
Messaging settings
Profile settings
Safeguard Access settings
Sessions settings
About Application to Application functionality
Adding an application registration
Deleting an application registration
Regenerating an API key
Setting up Application to Application
Making a request using the Application to Application service
Approval Anywhere
Email
Identity and Authentication
SNMP
Starling
Syslog
Ticketing
General tab (user)
User Groups tab (user)
Partitions tab (user)
Entitlements tab (user)
Linked Accounts tab (user)
History (user)
Managing users
User Groups
Adding a user
Identity tab (add user)
Authentication tab (add user)
Location tab (add user)
Permissions tab (add user)
Requiring secondary authentication log in
Adding a user to user groups
Assigning a user to partitions
Adding a user to entitlements
Linking a directory account to a user
Modifying a user
Enabling or disabling a user
Deleting a user
Importing objects
Setting a local user's password
Unlocking a user's account
General tab (user groups)
Users tab (user groups)
Entitlements tab (user groups)
History tab (user groups)
Managing user groups
Disaster recovery and clusters
Enrolling replicas into a cluster
Unjoining replicas from a cluster
Maintaining and diagnosing cluster members
Administrator permissions
About Offline Workflow Mode
Failing over to a replica by promoting it to be the new primary
Activating a read-only appliance
Diagnosing a cluster member
Patching cluster members
Using a backup to restore a clustered appliance
Resetting a cluster that has lost consensus
Performing a factory reset
Unlocking a locked cluster
Troubleshooting tips
Appliance Administrator permissions
Asset Administrator permissions
Auditor permissions
Authorizer Administrator permissions
Help Desk Administrator permissions
Operations Administrator permissions
Security Policy Administrator permissions
User Administrator permissions
Preparing systems for management
Prepare ACF - Mainframe systems
Prepare Amazon Web Services platforms
Prepare Cisco devices
Prepare Dell iDRAC devices
Prepare ESXi VMware hosts
Prepare Facebook hosts
Prepare Fortinet FortiOS devices
Prepare F5 Big-IP devices
Prepare HP iLO servers
Prepare HP iLO MP (Management Processors)
Prepare IBM i (AS/400) systems
Prepare JunOS - Juniper Networks systems
Prepare MongoDB
Prepare MySQL servers
Prepare Oracle databases
Prepare PAN-OS (Palo Alto) networks
Prepare PostgreSQL
Prepare RACF - Mainframe systems
Prepare SAP HANA
Prepare SAP Netweaver Application Servers
Prepare Sybase (Adaptive Server Enterprise) servers
Prepare SonicOS devices
Prepare SonicWALL SMA or CMS appliances
Prepare SQL Servers
Prepare Top Secret - Mainframe systems
Prepare Unix-based systems
Prepare Windows systems
Troubleshooting
Anti Cross-Site Request Forgery token error
Connectivity failures
Frequently asked questions
Change password fails
Incorrect authentication credentials
Missing or incorrect SSH host key
No cipher supported error
Service account has insufficient privileges
Cannot connect to remote machine through SSH or RDP
Cannot delete account
Cannot play session message
Domain user denied access to Safeguard for Privileged Passwords
LCD status messages
My Mac keychain password was lost
Password fails for Unix host
Password is pending review
Profile did not run
Recovery kiosk
Replica not adding
System services did not update or restart after password change
Test Connection failures
Test Connection failures on archive server
Certificate issue
Cipher support
Domain controller issue
Networking issue
Windows WMI connection failure
Timeout errors causing operations to fail
User locked out
User not notified
How do I access the API
How do I audit transaction activity
How do I configure external federation authentication
Appendix A: Safeguard ports
Appendix B: SPP 2.7 or later migration guidance
Appendix C: SPP and SPS join guidance
Appendix D: Historical changes by release
How do I add an external federation provider trust
How do I create a relying party trust for the STS
How do I add an external federation user account
How do I manage accounts on unsupported platforms
How do I modify the appliance configuration settings
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
How do I set up telnet and TN3270/TN5250 session access requests
How do I set the appliance system time
How do Safeguard for Privileged Passwords database servers use SSL
What are the access request states
What do I do when an appliance goes into quarantine
What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module
What role-based email notifications are generated by default
Verifying syslog server configuration
When does the rules engine run for dynamic grouping and tagging
Why did the password change during an open request
What's new in version 2.1
What's new in version 2.2
What's new in version 2.3
What's new in version 2.4
What's new in version 2.5
What's new in version 2.6
What's new in version 2.7
What's new in version 2.8
What's new in version 2.9
Glossary
Auditor permissions
The Auditor administrator has read-only access to all features, giving him the ability to review all access request activity:
- Monitors appliance information.
- Reviews everything.
- Exports object history.
- Runs entitlement reports.
| Navigation | Permissions |
|---|---|
|
Dashboard |
View only. |
|
Activity Center |
View and export activity events. Audit access request workflow. |
|
Reports |
View and export entitlement reports. |
|
Administrative Tools | Toolbox |
Access to all Administrative Tools views and the Tasks pane. |
|
Administrative Tools | Accounts |
View only. |
|
Administrative Tools | Account Groups |
View only. |
|
Administrative Tools | Assets |
View Asset Discovery jobs. |
| Administrative Tools | Asset Groups | View only. |
|
Administrative Tools | Entitlements |
View only. |
|
Administrative Tools | Partitions |
View only. |
|
Administrative Tools | Settings: |
|
|
View only. |
|
View Appliance Information. Run diagnostics on appliance. View licensing information. View Lights Out Management (BMC) settings. View Networking settings. View Time settings. View update history. |
|
View only. |
|
View only. |
|
View only. |
|
View only. |
|
View only. |
|
Login notification: View only. Set message of the day. |
|
View only. |
|
View only. |
|
View only. |
|
Administrative Tools | Users |
View only. |
|
Administrative Tools | User Groups |
View only. |
Authorizer Administrator permissions
The Authorizer Administrator is the "permissions" administrator and performs the following:
- Creates (or imports) Safeguard for Privileged Passwords users.
- Grants administrator permissions to users.
- Sets passwords, unlocks, and enables or disables both local and directory user accounts.
- Creates and maintains the Password Rule.
|
|
NOTE: Also has User Administrator and Help Desk Administrator permissions. |
|
|
Important: Authorizer Administrators can change the permissions for their own account which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in. |
| Navigation | Permissions |
|---|---|
|
Activity Center |
View and export user activity events, including authentication events. |
|
Administrative Tools | Toolbox |
Access to the Users and User Groups view. Access to Tasks pane. |
|
Administrative Tools | Settings |
|
|
View only of directories used for identity and authentication. External Federation and Radius providers can be configured for authentication use. |
|
Login notification: View only. Set message of the day. |
|
View only. |
|
Configure user password rules. |
|
Set default time zone. |
|
Administrative Tools | Users |
Add, modify, delete, and import users. Set administrator permissions. Set passwords and unlock administrator accounts. Delete administrator users. Enable or disable administrator users. |
|
Administration Tools | User Groups |
Add or delete directory groups, if a directory has been added to Safeguard for Privileged Passwords. |
Help Desk Administrator permissions
A Help Desk Administrator:
- Sets passwords for non-administrative user accounts.
-
Unlocks accounts for all user accounts.
|
|
NOTE: Help Desk Administrators can only view the user object history for their own account. |
| Navigation | Permissions |
|---|---|
| Activity Center | View and export user activity events. |
|
Administrative Tools | Toolbox |
Access to the Users view and the Tasks pane. |
| Administrative Tools | Settings: | |
|
Login notification: View only. Set message of the day. |
|
View only. |
|
CView only. |
|
View only. |
|
Administrative Tools | Users |
Set passwords and unlock accounts for non-administrator users. |
Operations Administrator permissions
The Operations Administrator monitors the status of the appliance and can reboot the appliance.
|
|
NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system. |
| Navigation | Permissions |
|---|---|
|
Activity Center |
View and export appliance activity events. |
| Administrative Tools | Toolbox | Access to the Tasks pane. |
| Administrative Tools | Settings: |
|
|
View only. |
|
Shutdown or restart the appliance. Run diagnostics on the appliance. Generate a support bundle to assist technical support. View licensing information. View Networking settings. View Time settings. View update history. |
|
Configure backup and retention settings, define archive servers, and manage backups. |
|
View only. |
|
View only - monitor the status of the clustered environment. |
|
View only. |
|
Login notification: View only. Set message of the day. |
|
View only. |
|
View only. |