One Identity Safeguard for Privileged Passwords 2.5 introduces the following new features and enhancements.
When adding a new directory-based user group, the Authorizer Administrator or the User Administrator now has the option to:
In addition, any managed directory accounts that exist in Safeguard for Privileged Passwords at the time of the import process (or during the background synchronization of the directory), can automatically be assigned to a Safeguard user as a linked account. That association will be dependent upon the value of an attribute from the directory (such as "managedObjects" or "directReports" in Active Directory or "seeAlso" in OpenLDAP 2.4).
To ensure password consistency and individual accountability for privileged accounts, access requests are disabled when an appliance loses consensus in the cluster. In the event of an extended network partition, the Appliance Administrator can manually place an appliance in Offline Workflow Mode to run the access request workflow on that appliance in isolation from the rest of the cluster. When the network issues are resolved and connectivity is reestablished, the Appliance Administrator can manually resume online operations to merge audit logs, drop any in-flight access requests, and return the appliance to full participation in the cluster.
It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow Mode. The Appliance Administrator must manually restore the online operations before adding other nodes to ensure the appliance can seamlessly reintegrate with the cluster.
One Identity Safeguard for Privileged Passwords 2.6 introduces the following new features and enhancements.
To reduce potential downtime, the Appliance Administrator can configure Offline Workflow Mode to be performed automatically. Offline Workflow Mode allows an appliance that has lost consensus (quorum) to operate in isolation from the cluster to process access requests using cached policy data.
So that a short-lived outage does not trigger the switch, the default time before the appliance is automatically switched to Offline Workflow Mode is 15 minutes. The time threshold can be changed to 5 minutes or more.
If automatic Offline Workflow Mode is enabled, you can enable automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. The minutes to wait after consensus is restored before automatically resuming online workflow defaults to 15 minutes. The time threshold can be changed to 5 minutes or more.
When Offline Workflow Mode settings are configured to run automatically, an Appliance Administrator can override the automatic settings and manually place an appliance in Offline Workflow Mode or manually restore an appliance to online workflow, as needed.
Users see status messages that clearly communicate the appliance state and whether passwords can be requested.
This new feature is available via Settings | Cluster | Offline Workflow.
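The rules above (requests refused without consensus, automatic switch after a threshold of at least 5 minutes, automatic resume after a second threshold, manual override, and the audit-log merge and in-flight-request drop on resume) are easier to reason about as a small state machine. The following simulation is an added example, not Safeguard code; the setting and attribute names are assumptions, and the clock is simulated in whole minutes.

```python
"""Simulation of Offline Workflow Mode automation (added example, not product code)."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_THRESHOLD_MINUTES = 5       # thresholds may be set to 5 minutes or more
DEFAULT_THRESHOLD_MINUTES = 15  # default delay both for going offline and for resuming


@dataclass
class OfflineWorkflowSettings:
    """The two automatic settings from the release notes (attribute names are assumed)."""
    auto_offline: bool = False
    offline_after_minutes: int = DEFAULT_THRESHOLD_MINUTES
    auto_resume: bool = False
    resume_after_minutes: int = DEFAULT_THRESHOLD_MINUTES

    def __post_init__(self) -> None:
        for name in ("offline_after_minutes", "resume_after_minutes"):
            if getattr(self, name) < MIN_THRESHOLD_MINUTES:
                raise ValueError(f"{name} must be at least {MIN_THRESHOLD_MINUTES} minutes")
        if self.auto_resume and not self.auto_offline:
            raise ValueError("automatic resume requires automatic Offline Workflow Mode")


@dataclass
class Appliance:
    """One cluster member; the clock is simulated in whole minutes."""
    settings: OfflineWorkflowSettings
    has_consensus: bool = True
    offline_workflow: bool = False
    consensus_lost_at: Optional[int] = None
    consensus_restored_at: Optional[int] = None
    in_flight_requests: List[str] = field(default_factory=list)
    local_audit: List[str] = field(default_factory=list)    # written while isolated
    cluster_audit: List[str] = field(default_factory=list)  # merged on resume

    def access_requests_enabled(self) -> bool:
        # Without consensus, requests are refused unless the appliance is deliberately isolated.
        return self.has_consensus or self.offline_workflow

    def set_consensus(self, value: bool, now: int) -> None:
        if value == self.has_consensus:
            return
        self.has_consensus = value
        if value:
            self.consensus_restored_at = now
        else:
            self.consensus_lost_at = now

    def enter_offline_workflow(self, now: int, how: str) -> None:
        """Manual or automatic switch into Offline Workflow Mode."""
        self.offline_workflow = True
        self.local_audit.append(f"{now}: entered Offline Workflow Mode ({how})")

    def resume_online_workflow(self, now: int, how: str) -> None:
        """Merge the isolated audit log, drop in-flight requests, rejoin the cluster."""
        self.local_audit.append(f"{now}: resumed online workflow ({how})")
        self.cluster_audit.extend(self.local_audit)
        self.local_audit.clear()
        self.in_flight_requests.clear()
        self.offline_workflow = False

    def request_access(self, account: str) -> None:
        if not self.access_requests_enabled():
            raise PermissionError("access requests are disabled while consensus is lost")
        self.in_flight_requests.append(account)

    def tick(self, now: int) -> str:
        """Apply the automatic rules for this minute and report the state a user would see."""
        s = self.settings
        if (s.auto_offline and not self.has_consensus and not self.offline_workflow
                and self.consensus_lost_at is not None
                and now - self.consensus_lost_at >= s.offline_after_minutes):
            self.enter_offline_workflow(now, "automatic")
        elif (s.auto_resume and self.has_consensus and self.offline_workflow
                and self.consensus_restored_at is not None
                and now - self.consensus_restored_at >= s.resume_after_minutes):
            self.resume_online_workflow(now, "automatic")
        if self.offline_workflow:
            return "Offline Workflow Mode: access requests served from cached policy"
        if self.has_consensus:
            return "Online: full cluster participation"
        return "Consensus lost: access requests disabled"
```

Calling `enter_offline_workflow` or `resume_online_workflow` directly models the administrator's manual override; `tick` models the background automation and is a no-op when the automatic settings are off.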
Administrators and users can export a report to a .csv or .json file to easily view, manipulate, and share data. This functionality includes entitlement reports, Activity Center exports, Activity Center scheduled reports, account automation reports, and access request reports.
To enable users to have a centralized logon experience, an Appliance Administrator can configure their identity provider to redirect to Safeguard for Privileged Passwords. All security requirements, such as two-factor authentication, are enforced. For example, a user can go to a portal, authenticate against their identity provider, and select an application, including Safeguard, based on their organizational role. Safeguard accepts the “unsolicited” SAML 2.0 response assertion and logs in the user without additional authentication.
Systems Integrators can offer Safeguard as an application in their single sign-on (SSO) portal. Support personnel can then click the appropriate tool on their dashboard to access Safeguard for Privileged Passwords and Safeguard for Privileged Sessions.
This feature only works with SAML 2.0 and the web user interface, not the desktop client.
A Policy Administrator can create a policy that allows a user's password request to include access to assets for all the accounts linked to the user's account. For example, if a company uses personal admin accounts in Active Directory, a single policy can be created to grant password access to each user with a personal admin account.
This function is set by selecting the following check box: Entitlements | Access Request Policy | Access Config | Allow password access to linked accounts.
An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 184.108.40.20658. Only the data is restored; the running version is not changed.
If the administrator attempts to restore a version earlier than 220.127.116.1158, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '18.104.22.16858' for restore.
You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version].
The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.
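The two restore rules (a backup must not be older than the minimum supported version, and must not be newer than the version running on the appliance) amount to a version comparison with two bounds. The following check is an added example, not the product's restore code; the minimum supported version is a labelled placeholder because the value in these notes is the one the administrator should take from the product, and the messages are modelled on the ones quoted above.

```python
"""Backup version gate for restore (added example, not product code)."""
import re
from typing import List, NamedTuple, Tuple

# PLACEHOLDER: substitute the minimum supported backup version stated in the release notes.
MIN_SUPPORTED_BACKUP_VERSION = "2.2.0.0"

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.7.0.1234' into a comparable 4-tuple."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # '2.7' compares equal to '2.7.0.0'


class RestoreDecision(NamedTuple):
    allowed: bool
    message: str


def check_restore(backup_version: str, running_version: str,
                  min_supported_version: str = MIN_SUPPORTED_BACKUP_VERSION) -> RestoreDecision:
    """Apply both rules: not older than the minimum, not newer than the running version."""
    backup = parse_version(backup_version)
    running = parse_version(running_version)
    minimum = parse_version(min_supported_version)
    if backup < minimum:
        return RestoreDecision(False, (
            f"Restore failed because the backup version '{backup_version}' is older than "
            f"the minimum supported version '{min_supported_version}' for restore."))
    if backup > running:
        return RestoreDecision(False, (
            f"Restore failed because backup version {backup_version} is newer than "
            f"the one currently running {running_version}."))
    return RestoreDecision(True, (
        f"Restore completed from backup version {backup_version}; the running version "
        f"{running_version} is not changed."))


def restore_with_audit(log: List[str], backup_version: str, running_version: str,
                       min_supported_version: str = MIN_SUPPORTED_BACKUP_VERSION) -> RestoreDecision:
    """Record start and outcome with both versions, as the Activity Center entries do."""
    log.append(f"Restore started: backup version {backup_version}, "
               f"running version {running_version}")
    decision = check_restore(backup_version, running_version, min_supported_version)
    log.append(decision.message)
    return decision
```

Both version strings are written to the log before the comparison, so a failed restore still leaves the backup and running versions in the audit trail.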
The Asset Administrator or delegated administrator can configure service discovery jobs to scan Windows assets and discover Windows services and tasks that may require authorization credentials. If the Windows asset is joined to a Windows domain, the authorization credentials can be local on the Windows asset or be Active Directory credentials.
Running Service Discovery jobs
Service discovery jobs run automatically in the background or may be manually run.
Discovered services and tasks association to known Safeguard accounts
Service discovery jobs associate Windows services and tasks with accounts that are already managed by Safeguard for Privileged Passwords. The accounts put under management display on the Partitions | Discovered Services tab as Managed. When the account's password is changed by Safeguard, Safeguard updates the password corresponding to the services or tasks on the asset according to the asset's profile change settings.
Service Discovery with Active Directory
A discovered service or task configured to use Active Directory authentication can be automatically linked to the asset with the account managed by Safeguard. Effectively, the asset will have an account dependency on the account.
To automatically link, the Account Discovery job (which runs when Safeguard synchronizes the directory) must have the Automatically Manage Found Accounts check box selected on the Discovery tab. The Directories | General tab designates the directory profile to govern the accounts the discovery job adds to Safeguard.
The administrators can view the Partitions | Discovered Services tab to identify unmanaged accounts that they may want to manage to require authentication for local users or Active Directory users, if the asset is joined to a domain. For more information, see Adding an account.
View Service Discovery job status
From the Activity Center, you can select the Activity Category named Service Discovery Activity which shows the Event outcomes: Service Discovery Succeeded, Service Discovery Failed, or Service Discovery Started.
CAUTION: To play back sessions, the new Desktop Player must be installed, for a single user or system-wide, after installing Safeguard for Privileged Passwords 2.6 or later.
When Safeguard for Privileged Passwords 2.6 or later is installed, the existing Desktop Player is removed and the latest Desktop Player must be installed.
Once Safeguard for Privileged Passwords is installed, the new player can be accessed by going to the Windows Start menu, Safeguard folder and clicking Download Safeguard Player. The One Identity Safeguard for Privileged Sessions - Download Software web page displays.
To continue the installation for a single user or system-wide, follow the Install Safeguard Desktop Player section of the player user guide found here:
User experience if the Desktop Player is not installed
If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes and will be taken to the download page to complete the install.
New Desktop Player versions
When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.
Safeguard for Privileged Passwords sets a default time zone based on the location and culture of the person performing the setup. The time zone is expressed as UTC + or – hours:minutes and is used for timed access (for example, access from 9 am to 5 pm). It is recommended that the Bootstrap Administrator set the desired time zone during setup. An Authorizer Administrator can also change the time zone.
Time zone changes are made via Settings | Safeguard Access | Time Zone and selecting the Default User Time Zone.
One Identity Safeguard for Privileged Passwords 2.7 introduces the following new features and enhancements.
CAUTION: The embedded sessions module in Safeguard for Privileged Passwords version 2.7 will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
Managing sessions via the Safeguard Sessions Appliance is now available for use in production. For this release, the embedded sessions module for Safeguard for Privileged Passwords is still available.
The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Passwords (SPP) cluster of one or more appliances for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the SPS cluster is aware of each node in the SPP cluster and vice versa.
Once joined, all sessions are initiated by the SPP appliance via an access request, and are managed and recorded by the SPS appliance.
Session recording, playback, and storage
Safeguard for Privileged Passwords join guidance
Before initiating the join, review the steps and considerations in the join guidance.
Safeguard for Privileged Sessions join steps and troubleshooting
The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
The following information summarizes the changes at a high level. For more information specific for your initial deployment of Safeguard for Privileged Passwords 2.7, see the Safeguard for Privileged Passwords Administration Guide,
Safeguard for Privileged Passwords version 2.7 has been simplified to allow for a separation of duties based only on identity management, asset management, access policy configuration, and appliance maintenance. In the migration to version 2.7, greater flexibility is realized through these high-level assignments:
The following information details the changes from version 2.6 to version 2.7. The same information is generally true if you are upgrading from version 2.1 forward to version 2.7.
During the migration to version 2.7, directories are migrated as an asset with the appropriate identity provider and associated users.
Directories can be subdivided so administrators can be assigned to manage portions of a directory. For example, Admin A might only manage objects in the Finance organizational unit (OU) of the directory and Admin B might only manage objects in the Engineering OU of the directory. This is possible via the settings on Assets including the asset Name, Domain Name, and whether to Manage Forest. This way, multiple assets can govern the same domain.
Directory accounts can serve as service accounts for other assets, running Windows services and tasks on those assets so that password changes are kept in sync.
Asset Administrators and delegated partition owners can create Account Discovery jobs to perform the functions in the following list:
Immediately check and change the password of discovered accounts that are set to be automatically managed. This places the account under immediate management rather than waiting for the schedule to execute.
NOTE: In Settings | Profile, the partition profile's Change Password Schedule and Check Password Schedule must both be set to a value other than Never.
From the Activity Center, you have the option to choose All entities (such as users, assets, and accounts) without picking all of them. You can export the report without first previewing the report.
An Asset Administrator responsible for Oracle database servers can use the SYS account with either SYSDBA or SYSOPER system privileges as a service account.
The SYS account is automatically created when the administrator installs Oracle and has the necessary privileges. See the Oracle document, About Administrative Accounts and Privileges, for more information. The SYS user is automatically granted the SYSDBA privilege on installation and can be SYSOPER. For more details, see the Oracle document, SYSDBA and SYSOPER System Privileges.
This is configured by setting the Service Name when you add or edit an asset. Navigate to Administrative Tools | Assets | Connection tab.
Asset Administrators are now given:
In addition, SSH keys are now auto-accepted for supported platforms.
An Asset Administrator responsible for an AS400 and mainframe infrastructure (such as ACF2 or RACF) can manage servers with customized login screens and connection strings.
A custom platform author can create a custom platform script to check and change passwords against servers where the login screens and connection strings have been customized.
An Asset Administrator responsible for Microsoft SQL Server can have Safeguard for Privileged Passwords connect to the databases using TCP/IP rather than named pipes.
A Policy Administrator can add multiple directory accounts to a single access request policy. For example, you can grant access to a Windows asset via RDP using one of multiple directory accounts. Accounts are added when you create or edit an access request policy via the Administrative Tools | Entitlements | Access Request Policies | Directory Account option.
The User Administrator is offered two new configuration controls on Settings | External Integration | Identity and Authentication when Radius is selected as the provider.
The User Administrator can choose to mask the Radius secondary authentication response entered by users by selecting the Always Mask User Input check box. If selected, the text box in which the user enters their one-time password, or any other challenge required by the Radius server, is always a password-style text box: the user's input is masked and appears as a series of dots rather than clear text. This may be desired when the challenge is not just a one-time password but also contains the user's PIN, as it prevents a passer-by from seeing that private information. Note, however, that when this setting is enabled it also overrides the Prompt attribute of the Radius server's Access-Challenge response, so the user's input is always masked.
The User Administrator can choose to have the Radius secondary authentication pre-submit an Access-Request message to the Radius server in order to initiate a challenge/response cycle before the user sees or enters any information. The PreAuthenticate for Challenge/Response check box indicates whether an Access-Request containing only the User-Name should be sent to the Radius server prior to the user's authentication attempt. This informs the Radius server of the user's identity so the server can begin the authentication process by starting a challenge/response cycle, which may be required to seed the user's state data. In addition, the Radius server's response may include a login message specific to that user that is to be displayed. Note that if the Radius server is not configured to respond with an Access-Challenge, this setting causes the login to fail and the user will be unable to proceed.
In addition, the login timeout is now configurable to more than 60 seconds.
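The interaction between the two settings and the RADIUS exchange is clearest when walked through as messages. The following simulation is an added example, not Safeguard's RADIUS client: the mock servers are constructed for the example, the Prompt attribute values follow RFC 2869 (0 = No-Echo, 1 = Echo), and the flow shows both the PreAuthenticate failure mode (a server that never sends Access-Challenge) and the Always Mask User Input override of the server's Prompt.

```python
"""Simulation of the two RADIUS secondary-authentication settings (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_ROUNDS = 5  # guard against a server that keeps challenging


@dataclass
class RadiusSettings:
    always_mask_user_input: bool = False
    preauthenticate_for_challenge: bool = False
    login_timeout_seconds: int = 60  # configurable above 60 seconds per the release notes


@dataclass
class RadiusPacket:
    code: str  # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    attributes: Dict[str, object] = field(default_factory=dict)


RadiusServer = Callable[[RadiusPacket], RadiusPacket]
InputProvider = Callable[[str, bool], str]  # (message shown, masked?) -> user input


def mask_input(settings: RadiusSettings, challenge: RadiusPacket) -> bool:
    """Always Mask User Input overrides the server's Prompt attribute (0 = No-Echo, 1 = Echo)."""
    if settings.always_mask_user_input:
        return True
    return challenge.attributes.get("Prompt", 0) == 0


def secondary_authenticate(settings: RadiusSettings, server: RadiusServer,
                           username: str, get_input: InputProvider) -> Dict[str, object]:
    """Run the challenge/response cycle and record every prompt the user was shown."""
    prompts: List[Tuple[str, bool]] = []
    state = None
    message = "One-time password"
    masked = True  # the plain OTP box is password-style by default
    if settings.preauthenticate_for_challenge:
        reply = server(RadiusPacket("Access-Request", {"User-Name": username}))
        if reply.code != "Access-Challenge":
            return {"result": "failed", "prompts": prompts,
                    "reason": "pre-authentication did not return Access-Challenge"}
        state = reply.attributes.get("State")
        message = reply.attributes.get("Reply-Message", message)
        masked = mask_input(settings, reply)
    for _ in range(MAX_ROUNDS):
        prompts.append((message, masked))
        attrs = {"User-Name": username, "User-Password": get_input(message, masked)}
        if state is not None:
            attrs["State"] = state  # echo the server's State so it can continue the cycle
        reply = server(RadiusPacket("Access-Request", attrs))
        if reply.code == "Access-Accept":
            return {"result": "accepted", "prompts": prompts}
        if reply.code == "Access-Reject":
            return {"result": "failed", "prompts": prompts, "reason": "Access-Reject"}
        state = reply.attributes.get("State")
        message = reply.attributes.get("Reply-Message", message)
        masked = mask_input(settings, reply)
    return {"result": "failed", "prompts": prompts, "reason": "too many challenge rounds"}


def make_challenge_server(pin_plus_otp: str, prompt_echo: int = 0) -> RadiusServer:
    """Constructed mock: challenges any request without a password, then checks PIN+OTP."""
    def server(req: RadiusPacket) -> RadiusPacket:
        a = req.attributes
        if "User-Password" not in a:
            return RadiusPacket("Access-Challenge", {"State": b"s1", "Prompt": prompt_echo,
                                                     "Reply-Message": "Enter PIN followed by OTP"})
        if a.get("State") == b"s1" and a["User-Password"] == pin_plus_otp:
            return RadiusPacket("Access-Accept")
        return RadiusPacket("Access-Reject")
    return server


def make_otp_only_server(otp: str) -> RadiusServer:
    """Constructed mock of a server that is not configured for challenge/response."""
    def server(req: RadiusPacket) -> RadiusPacket:
        if req.attributes.get("User-Password") == otp:
            return RadiusPacket("Access-Accept")
        return RadiusPacket("Access-Reject")
    return server
```

The `get_input` callback stands in for the text box; its second argument is the masking decision, which is what a user sees change when Always Mask User Input is switched on against a server that asks for echoed input.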
One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.
Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support.
Security and backups
To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. Recommendations:
Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT.
To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Additionally, to ensure the security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.
When registering a third-party application configured for credential retrieval, the Policy Administrator can make the registration, including the API keys, visible to the certificate user that is configured for the A2A registration. The third-party application can discover the API key and other information needed. The Visible to certificate user check box can be selected when adding an application registration via Administrative Tools | Settings | External Integration | Application to Application.
Custom HTTP, SSH, telnet, and TN3270 transports are available. For more information, see Safeguard for Privileged Passwords Administration Guide,
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. The Facebook and Twitter platforms will be removed in a future release.
Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:
Writing a custom platform script:
Example platform scripts are available at this location:
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property which include: a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.
Separate password complexity rules can be set for local users and managed accounts. Password rules can be finely managed.
Passwords are validated against the password rules before they are saved.
An Appliance Administrator can finely tune backup and password check and change job schedules including the ability to ensure changes occur after hours. The administrator can create time windows including start and end times, days of the week, and days in a month by a static day of month or the first through fourth day of the month.
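Evaluating whether a job may run inside such a window is where the edge cases live: a window that wraps past midnight (22:00 to 04:00) belongs to the day it started on, and an "nth weekday" rule has to be derived from the day of the month. The following evaluator is an added example, not the product's scheduler; the window definitions at the bottom are constructed to match the kinds of windows the text describes.

```python
"""Time-window evaluation for backup and password job schedules (added example)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Iterable, Optional

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4


@dataclass(frozen=True)
class TimeWindow:
    start: time
    end: time                                    # a window may wrap past midnight
    weekdays: FrozenSet[int] = frozenset(range(7))
    day_of_month: Optional[int] = None           # static day, e.g. 15
    nth_weekday: Optional[int] = None            # 1..4: first..fourth occurrence in the month

    def __post_init__(self) -> None:
        if self.nth_weekday is not None and not 1 <= self.nth_weekday <= 4:
            raise ValueError("nth_weekday must be 1..4")
        if self.day_of_month is not None and not 1 <= self.day_of_month <= 31:
            raise ValueError("day_of_month must be 1..31")

    def _day_matches(self, day: datetime) -> bool:
        """Check the calendar rules against the day on which the window starts."""
        if day.weekday() not in self.weekdays:
            return False
        if self.day_of_month is not None and day.day != self.day_of_month:
            return False
        if self.nth_weekday is not None and (day.day - 1) // 7 + 1 != self.nth_weekday:
            return False
        return True

    def contains(self, moment: datetime) -> bool:
        t = moment.time()
        if self.start <= self.end:              # same-day window, e.g. 22:00-23:30
            return self.start <= t < self.end and self._day_matches(moment)
        if t >= self.start:                     # evening part of a wrapping window
            return self._day_matches(moment)
        if t < self.end:                        # after midnight: belongs to the previous day
            return self._day_matches(moment - timedelta(days=1))
        return False


def job_may_run(windows: Iterable[TimeWindow], moment: datetime) -> bool:
    return any(w.contains(moment) for w in windows)


def next_allowed_start(windows: Iterable[TimeWindow], moment: datetime,
                       horizon_days: int = 31) -> Optional[datetime]:
    """Walk forward minute by minute to the next moment inside any window."""
    windows = list(windows)
    probe = moment.replace(second=0, microsecond=0)
    for _ in range(horizon_days * 24 * 60):
        if job_may_run(windows, probe):
            return probe
        probe += timedelta(minutes=1)
    return None


# Constructed windows of the three kinds the text describes.
AFTER_HOURS_WEEKNIGHTS = TimeWindow(time(22, 0), time(4, 0), WEEKDAYS)
SECOND_SATURDAY = TimeWindow(time(1, 0), time(5, 0), frozenset({5}), nth_weekday=2)
FIRST_OF_MONTH = TimeWindow(time(0, 0), time(23, 59), day_of_month=1)
```

The previous-day rule is what makes a Friday 22:00 to 04:00 window valid at 02:00 on Saturday and invalid at 02:00 on Monday, which is the behaviour an after-hours change schedule is meant to have.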
CAUTION: This functionality supports Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. For information, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
The Safeguard for Privileged Passwords (SPP) Asset Administrator can enable an SPS initiated session to get the session credentials from SPP.
The administrator navigates to Administrative Tools | Settings | External Integration | Sessions Management and sets the Session Module Password Access Enabled toggle on or off. When the toggle is on, SPS can create an access request and check out a password from SPP on behalf of another user. When the toggle is off, this ability is revoked.
CAUTION: On the Session Settings tab, SPS Connection Policy, do not select Sps initiated unless you have SPS version 6.2.0 or later installed. This is used when an access policy is used by SPS to create an SPS initiated access request.
System integrators designing privileged account access based on ServiceNow tickets can include ticket types for validation during the access request workflow. The following ticket types are supported in addition to INC tickets:
If the ticket number is found in any of the ServiceNow tables searched (INC, CHG, RITM, or PRB) and the ServiceNow API property for the ticket is "Active", the user can make the access request.
Administrators can search by a ticket number in the Activity Center to find the access request.
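The validation gate described above has three steps: recognise the ticket type from its prefix, look the number up in the corresponding table, and admit the request only if the ticket is Active. The following is an added example, not the product's ServiceNow integration; the store and request log are constructed, and the mapping from prefix to ServiceNow table name is an assumption of the example (the notes list only the prefixes).

```python
"""ServiceNow ticket validation for access requests (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Prefixes named in the release notes, mapped to table names (mapping assumed for this example).
TICKET_TABLES = {
    "INC": "incident",
    "CHG": "change_request",
    "RITM": "sc_req_item",
    "PRB": "problem",
}
_TICKET_RE = re.compile(r"^(INC|CHG|RITM|PRB)(\d{4,})$", re.IGNORECASE)


@dataclass(frozen=True)
class TicketRecord:
    number: str
    active: bool


TicketStore = Dict[str, Dict[str, TicketRecord]]  # table -> ticket number -> record


def parse_ticket_number(raw: str) -> Tuple[str, str]:
    """Return (prefix, normalised number); unsupported types are rejected before any lookup."""
    match = _TICKET_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unsupported or malformed ticket number: {raw!r}")
    prefix = match.group(1).upper()
    return prefix, prefix + match.group(2)


def validate_ticket(store: TicketStore, raw: str) -> Tuple[bool, str]:
    """The request may proceed only if the ticket exists in its table and is Active."""
    try:
        prefix, number = parse_ticket_number(raw)
    except ValueError as exc:
        return False, str(exc)
    table = TICKET_TABLES[prefix]
    record = store.get(table, {}).get(number)
    if record is None:
        return False, f"{number} not found in ServiceNow table {table}"
    if not record.active:
        return False, f"{number} exists in {table} but is not Active"
    return True, f"{number} is Active in {table}"


def find_requests_by_ticket(requests: List[Dict[str, str]], raw: str) -> List[Dict[str, str]]:
    """Activity Center style search: match access requests on the normalised ticket number."""
    try:
        _, number = parse_ticket_number(raw)
    except ValueError:
        return []
    return [r for r in requests if r.get("ticket", "").upper() == number]


# Constructed sample data standing in for a ServiceNow instance and the request log.
SAMPLE_STORE: TicketStore = {
    "incident": {"INC0010001": TicketRecord("INC0010001", True)},
    "change_request": {"CHG0030001": TicketRecord("CHG0030001", False)},
    "sc_req_item": {"RITM0020007": TicketRecord("RITM0020007", True)},
    "problem": {},
}
SAMPLE_REQUESTS = [
    {"id": "req-1", "user": "alice", "account": "sql-svc", "ticket": "INC0010001"},
    {"id": "req-2", "user": "bob", "account": "dc-admin", "ticket": "RITM0020007"},
    {"id": "req-3", "user": "alice", "account": "sql-svc", "ticket": "INC0010001"},
]
```

Normalising the number once (trimmed, upper-cased) before both the validation and the search keeps a request made with "inc0010001" findable later under the canonical form.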