Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering as well as other internal challenges. The appliance diagnostics package is available from the web support kiosk, not the serial kiosk. The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria which may include the minimum Safeguard version, appliance ID, and expiration timestamp (UTC). New product code and database changes are not included in an appliance diagnostics package.
Safeguard for Privileged Passwords (SPP) is enhanced to more easily use Safeguard for Privileged Sessions (SPS) for session recording and playback.
Appliance Administrators can also identify managed networks by the host name and IP address of the cluster master. Navigate to Administrative Tools | Settings | Cluster | Managed Networks and view Sessions Managed By.
Policy Administrators can identify the host name and IP address of the SPS cluster master from which policies originate. A Warning icon displays if a policy is not functional. Navigate to Administrative Tools | Entitlements | Access Request Policies | Session Settings tab and view the SPS Connection Policy.
Users and administrators receive timely notification if an access request will not result in a launchable session request. The notifications identify details such as:
Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording.
A new secondary authentication type, FIDO2, is now supported and can be assigned to any Safeguard for Privileged Passwords user, providing they have at least one compatible FIDO2 authenticator security key. After being configured by a User Administrator, a Safeguard for Privileged Passwords user will be prompted to register their FIDO2 authenticator security key at next login. For more information, see Requiring secondary authentication log in.
Users are then responsible for managing their own FIDO2 authenticator keys, including registering additional keys for backup purposes, viewing, renaming, or deleting unused keys. For more information, see User information and log out.
Any FIDO/FIDO2 authenticator that supports the WebAuthn standard can be used for two-factor authentication; this includes some older U2F authenticator security keys. Safeguard for Privileged Passwords does not use or require any authenticator attestation data. User verification, such as a PIN or biometric, is also not used.
The Appliance Administrator can use Hyper-V as the virtual target environment deployed by importing the Safeguard for Privileged Passwords Hyper-V zip file with the virtual machine settings.
vSphere Hypervisor (ESXi) is enhanced in Safeguard for Privileged Passwords (SPP) 2.9. For SPP 2.9 only, you are required to take a backup of your 2.8.x system and restore it on your SPP 2.9 system. Future versions will not require this action.
Rule-based password request and/or session request for an account. Access can be automatically approved or require one or more approvals. Email or toast notifications can be set.
With the Application to Application service, a third-party application can create an access request on behalf of another user.
Settings that restrict system access. Used to manage access (for example, to a password release request policy or session request policy). Defines the scope (assets, asset groups, accounts, or account groups), the access type (password, SSH, RDP, or telnet), and the rules for password checkout (duration and number of approvals). Entitlements are sets of access request policies.
Enforce when a user can access the account passwords. If there are entitlement and policy time restrictions, the overlapping period is valid.
May be a directory account or service account associated with an asset. An account can only be associated with one asset. Accounts are added to policies for management (for example, to a password release request policy or session request policy). An account may be associated with an entitlement, account group, or both. Also see user.
SPP maintains the passwords for dependent accounts on all the systems that use them (for example, one or more Windows servers use a directory account, such as an Active Directory account, to run services or tasks).
Job with rule-based settings to discover either all accounts assigned to the assets in a selected partition (or made available globally), or only the accounts that match the rule criteria. You can automatically manage the found accounts and automatically discover and configure dependent systems. Or, you can manually add the discovered accounts.
A set of accounts that can be added to the scope of an access request policy, which in turn can be associated with an entitlement. See dynamic account group.
Microsoft AD consists of services running on a Windows Server to manage permissions and access to networked resources. AD stores data as objects.
A software component developed by Microsoft that runs on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
The SPP appliance is hardware with pre-installed software for easy installation. The appliance is hardened to ensure security at the hardware, operating system, and software levels.
Responsible for configuring and maintaining the SPP appliance.
An SPP service where third-party applications can retrieve a credential from SPP to 1) perform automated functions or 2) allow a user to log into SPP to retrieve a password or start a session.
SPP feature where an approver can approve (or deny) access requests through their mobile device.
External physical servers where you store backup files.
A computer, server, network device, directory, or application managed by Safeguard for Privileged Passwords. You can log into an asset with more than one account, but an account (user, group, or service) can only be associated with one asset. All assets must be governed by a partition profile. Assets may be subdivided into subsets for management. For example, a directory asset can manage a subset of the forest.
Manages all partitions, assets, and accounts.
Job with rule-based settings to discover and add assets that are not in SPP. A job can be run against a directory or network (IP range).
A set of assets that can be added to the scope of an access request policy, which in turn is associated with an entitlement. See dynamic asset group.
Can be set to dynamically add tags to assets and asset accounts so the assets and asset accounts can be identified and added to dynamic groups.
Tasks defined and scheduled to purge audit logs from the SPP Appliance and archive older audit logs to a designated archive server.
Used to sign the audit log files saved to an archive server. Proves that the audit logs were created by and came from a particular SPP cluster.
Role with read-only access to all features to review all access request activity.
Authentication is the process of validating an identity provided to a system. For example, a system checks the user’s login name and password. In SPP, a user’s identity provider and authentication provider can be the same or different.
In SPP, any mechanism that a user enters credentials into to prove they are acting on behalf of a specific user or system, but does not necessarily contain any personal information of the user. An authentication provider can be the same as the identity provider (such as Active Directory). See identity provider.
Creates and maintains users, directory groups, directory users, password rules, and passwords. Unlocks and enables or disables local and directory user accounts. Typically unlocks administrator accounts.
Automatic login that never exposes the account credentials to the user.
Used to manage SPP backups and archive servers. SPP encrypts and signs the data before the data is made available for downloading to an off-appliance storage.
A built-in account to use to start up the appliance for the first time. The account is used to create other administrators. The Bootstrap Administrator default password should be changed. All actions are audited.
The authority that issues SSL certificates that are publicly trusted by web browsers. Anyone can issue SSL certificates but the certificates are not automatically trusted by web browsers.
A small file installed on a secure server that digitally binds a cryptographic key to a computer, device, individual, or organization. A certificate is used to establish trust for communication. Certificates contain information identifying the owner of the certificate, the public key, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.
Used to manage the certificates that are used to secure SPP. Some SPP certificates are default and need to be replaced and others are user-supplied certificates.
A special key database file that Digital Certificate Manager (DCM) uses to store digital certificates. In SPP, the certificate store is owned by the cluster. SSL certificates in the store can be added to any appliance in the clustered environment.
For user and service accounts, the rules and process to reset and synchronize the user or service account password with the SPP database. For directory accounts, SPP synchronizes the directory account password provided by an external identity provider, such as Active Directory. Also see check password and set password.
For user and service accounts, the rules and process to verify that the account password is in sync with the SPP database. If the password verification fails, you can change the password. The check password process is associated with a partition. For directory accounts, the rules and process to verify the directory account passwords (such as Active Directory) and synchronize them with SPP. Also see change password and set password.
A copy of an existing virtual machine (the parent) that is a separate virtual machine which may share virtual disks with the parent virtual machine.
SPP can manage cloud platform accounts such as Amazon Web Services (AWS).
A set of computers that work together where each replica (node) can perform the same task to enable high availability and load distribution.
A cluster has consensus (quorum) when the majority of the members (primary or replica appliances) are online and able to communicate.
With the SPP Application to Application service, a third-party application can retrieve credentials from SPP outside the normal workflow.
A CSR is submitted to a certificate authority (CA) to obtain a digitally signed certificate.
A .css file that describes how HTML elements display on screen, paper, or other media. See HTML5.
A file format used with programs that store data in tables, such as Microsoft Excel. CSV stands for "comma-separated values".
Platform added to SPP via uploading a custom platform script. The script may be selected when adding or updating an asset. Custom platforms are global across all partitions.
Used to manage digital certificates on a network and use Secure Sockets Layer (SSL) to enable secure communications for applications.
The access point or IP router that sends information to a computer in another network when no other route specification matches the destination IP address of a packet.
SPP provides a default self-signed SSL certificate for HTTPS assigned to the appliance. This certificate is not a trusted certificate and should be replaced.
One or more users that the Asset Administrator selected to manage the assets and accounts in a partition.
A structure to catalog files and, possibly, other directories. In SPP, the structure and objects from a directory service, such as Active Directory or OpenLDAP, can be imported and synchronized.
An account from an external identity store, such as Microsoft Active Directory, used to authenticate to a managed system (asset).
System to translate human readable information (such as a domain name, website, or other internet-based resource) to the addressing protocols (IP address).
Contains a database of public IP addresses and their associated hostnames and translates the common names to IP addresses.
The name of a network (for example, oneidentity.com).
Account group made up of systematically identified accounts that meet asset account rules, directory account rules, or both. The rules engine runs when you add or change an asset account or an asset account rule.
Asset group made up of systematically identified assets that meet identified rules.
Fault-tolerant volumes that may span multiple disks; flexible volume management with database tracking and replica storage of the dynamic disk database.
A set of access request policies that restrict system access (including rules and schedules), typically by job role. Entitlements are used to authorize users or user groups for accounts in the scope of the access request policies. Entitlements can be associated with one or more profiles.
Controls identifying when an entitlement is in effect (user's time zone). If there are both entitlement and policy time restrictions, the overlapping period is valid.
You can explicitly add an asset to a profile. This overrides the implicit inheritance from the partition so the asset’s profile is no longer determined by the partition. If you explicitly assign an account to a profile, the account’s profile is no longer determined by the asset.
Operation to recover from major problems or clear appliance data and configuration settings. All data and audit history are removed.
The data format for communicating configuration information between an identity (claims) provider and a relying party. The data format is defined in Security Assertion Markup Language (SAML) 2.0, and it is extended in WS-Federation.
Service provider that mediates between two or more trust domains so users can access applications and services using the same digital identity.
A set of security specifications for strong authentication. FIDO2 supports multifactored authentication, public key cryptography, biometric authentication, and other personally identifying information (PII).
Network logical division that may contain one or more trees and in turn domains made up of objects (computers, users, devices) sharing the same database. The first domain in the forest is called the forest root domain.
A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). For example, given a device with a local hostname myhost and a parent domain name example.com, the fully qualified domain name is myhost.example.com.
A device that connects two or more parts of the network. For example, the device may connect your local intranet and the external network (the internet). Gateways act as entrances to other networks.
GMT is never out of sync with UTC (Coordinated Universal Time) by more than nine tenths of a second so UTC and GMT are virtually equivalent in common usage.
A system that is resilient and likely to operate continuously without failure for a long period of time.
Sets passwords for non-administrative user accounts and unlocks user accounts. The Authorizer Administrator typically unlocks administrator accounts.
A computer connected to the network. A host may offer resources, services, and applications to users or nodes on the network. May have virtualization software (such as ESX or ESXi) to run virtual machines (VMs).
A label assigned to a device connected to a network and used to identify the device.
Identification happens when a user claims to be a specific system user. For example, a user’s login name and password is used to establish identity. In SPP, a user’s identity provider and authentication provider can be the same or different.
In SPP, the source from which the user’s personal information comes from and is synchronized with. See authentication provider.
When an asset is added, it is added to the default partition and default profile (implicit association/assignment). Accounts inherit the parent asset’s profile. This can be overridden by explicitly assigning an asset to a profile; the asset’s associated accounts are also assigned to the new profile.
Accounts, assets, or users in a Comma Separated Values (CSV) file can be added to SPP’s database. Objects must pass validity tests. Default values may be added during the import.
Unique internet number assigned to each device communicating across the internet. The IP address provides location and identification. See DNS.
The most recent version of the Internet Protocol (IP). See IP address.
A computer programming language commonly used for processing on the web. See HTML5.
A private key and its related public key. The private key is known only to the owner, while the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.
Used to activate systems in the organization’s network so that individual computers do not have to connect to Microsoft for product activation.
A Microsoft Volume Activation 2.0 solution service used to activate volume licensed Microsoft products.
An application protocol for querying and modifying data using directory services running over TCP/IP.
Feature to manage the SPP appliance power state and serial console using the BMC. This feature is used to power on an appliance remotely or to interact with the recovery kiosk.
An identifier assigned to a network adapter or any device with built-in networking capability (such as a printer). A MAC address is "burned into" the device at the factory (versus an IP address that is assigned later). Also called a hardware address or physical address.
The Apple password management system in Macintosh OS X.
Named lists of network segments serviced by specific SPP Appliances in a clustered environment. Used to distribute the task load by scheduling tasks (for example, password change or asset discovery).
MSI is an installer package file format used to launch Windows-based software installations.
For IPv4, a 32-bit mask used to divide an IP address into subnets and specify the network's available hosts.
Network interface X0 is the primary interface. Proxy server X0 is for relaying web traffic if the devices don't connect to the web.
Network utility program to obtain information about internet servers. It finds name server information for domains by querying the domain name server (DNS).
Protocol to synchronize computer clock times in a network.
Appliance state when the appliance no longer has consensus (quorum) and has been enabled to process access requests using cached policy data. The appliance operates in isolation from the remainder of the cluster.
Monitors the status of the appliance and can reboot the appliance. This role can be a script or external monitoring system.
A subdivision within an Active Directory into which you can place users, groups, computers, or any other organizational units (for example, a functional or business hierarchy).
An OVA file contains a compressed version of a virtual machine (VM) to be installed. When you open an OVA file, the VM is extracted and imported into the virtualization software installed on your computer.
A group of assets (and the assets’ associated accounts) governed by a partition profile and used for delegate asset management. An asset can only be in one partition at a time. All accounts associated with that asset are automatically added to the partition but can be reassigned.
The schedules and rules that are required to govern a partition’s assets and the assets’ accounts. You can set a default partition profile to assign to assets and assets’ accounts. You can manually assign a partition profile to an asset or account.
The requirements for user password authentication, such as uppercase and lowercase letters, numerics, and special characters. Password rules set in SPP apply to local users not users from external providers such as Active Directory.
Used to control password validation and reset across all associated accounts.
A command that sends a message from a host to another host over a network to test connectivity and packet loss.
A number from 1 to 65535 for the destination application of the transmitted data. For example, SSH commonly uses port 22 and web servers (HTTP) commonly use port 443.
One appliance in a cluster where vital data stored on the primary is also stored on replica appliances.
The first authenticating factor for a remote user when two-factor authentication (2FA) is enabled.
In authorizing password check-out, SPP first considers the entitlement priority then considers the priorities of access request policies in the entitlement.
A free and versatile terminal tool for remote access to another computer.
The role-based access control model restricts system access to authorized users based on roles. SPP supports this model.
A Microsoft proprietary protocol that provides graphical user interface to connect to another computer over a network connection.
A string that describes or matches a set of strings.
A service or application, like Safeguard, that receives and accepts a SAML assertion issued by a SAML authority.
Architecture that allows other applications and systems to integrate with diverse systems and applications. SPP’s API is based on a REST architecture.
A certificate issued by a trusted certificate authority (CA) at the top of the trust chain and used to issue intermediate SSL certificates to ensure the security of the system.
An open standard for sharing security information about identity, authentication and authorization across systems. SAML is implemented with the XML standard for sharing data. SAML provides a framework for implementing single sign-on and other federated identity systems.
An access request policy’s assignments of assets, asset groups, accounts, or account groups.
A security protocol for logging into a remote server.
A small physical device that is inserted into a USB port. Typically, you enter your password and then insert the security key as a required second form of authentication. You can use one security key with more than one account. You can have multiple security keys registered on an account. Activating the registration of a security key varies with the key (for example, press a button or tap). Security keys must be U2F or WebAuthn capable.
Creates account groups, asset groups, and user groups. Creates entitlements and adds users or user groups to entitlements. Configures access request policies.
Used by an application or service to interact with the operating system or configuration.
The name of the domain where the service account resides. SPP uses DNS-SRV to resolve domain names to actual domain controllers.
Scans Windows assets and automatically discovers Windows services and tasks. If the directory accounts are managed by SPP, the service or task is automatically associated with the managed account. Administrators can identify unmanaged accounts to potentially manage.
SPP issues privileged access to users for specific periods, called sessions.
Rules and process to manually set or randomly generate the user or service account passwords in the SPP database. The process does not change the account password on the asset. For directory accounts, SPP synchronizes the directory account password provided by an external identity provider, such as Active Directory. Also see check password and change password.
An alphanumeric name used to identify user, group, and computer accounts in Windows. A SID is created when an account is first created in Windows, and no two SIDs on a computer are ever the same.
Protocol server that handles email delivery process (for example, smtp.gmail.com).
The state of a computer system at a point in time. Snapshots are not enough to restore a virtual machine and do not replace backups.
An industry standard protocol for network management. SNMP alerts are sent to a central SNMP server.
One Identity Safeguard for Privileged Analytics solution to monitor behavior and identify threats.
A split brain situation occurs when for some reason (for example, the loss of connection between the nodes) both nodes of a cluster become active as the primary. New data (for example, audit trails) may be created on both nodes without being replicated to the other node. Thus, it is likely in this situation that two diverging sets of data are created, which cannot be easily merged.
One Identity Safeguard for Privileged Passwords solution to secure privileged credentials.
One Identity Safeguard for Privileged Sessions solution to control, monitor, and record privileged sessions.
Contains security warning information or general information.
Used for authentication. Host keys are pairs. Public host keys are stored on or distributed to SSH clients. Private keys are stored on SSH servers.
Parameters of the connection on the protocol level, including timeout value and greeting message of the connection, as well as the encryption algorithms used.
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet.
Contains uploaded or enrolled SSL certificates owned by a cluster. Any SSL certificate in the store can be assigned to any appliance in the clustered environment.
User logs in with a single ID and password per session to gain access to multiple services within a single organization.
A third-party service responsible for issuing, validating, renewing, and cancelling security tokens. The tokens are used to identify the holder of the token to services that adhere to the WS-Trust standard.
System and configuration information sent to One Identity Support to analyze and diagnose issues.
Protocol to produce and send log and event information from Unix/Linux and Windows systems and devices over UDP port 514 to a centralized syslog server.
Can be assigned manually (static) or dynamically set through tagging rules (identified by a lightning bolt icon). Tags are helpful in searches. Dynamic tags are updated when the rules engine runs when you add or change an asset account or an asset account rule.
A set of networking protocols that allows two or more computers to communicate.
A terminal emulation protocol that enables a user to connect to a remote host or device using a telnet client.
A unique hash value that identifies the certificate.
SPP can be integrated with a company's external ticket system, such as ServiceNow or Remedy.
TLS and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the internet. The application can encrypt the communication between the clients and the server using TLS to prevent unauthorized access to sensitive log messages.
A small, auto-expiring alert that displays when the desktop client application is not the active foreground application.
A command that shows all routing steps (the path of a message) between two hosts.
Manipulate and prioritize network traffic to reduce the impact of heavy use cases on other use cases.
A user is required to provide two different authentication factors to verify themselves. Provides a higher level of security than one factor and protects the user's credentials and the resources accessed.
Used to access network resources and contains two or more of the following components: \\<servername>\<share>\<filename>
A person who can log into SPP. A user can be local or can be a directory user from an external identity store such as Microsoft Active Directory. A user may be associated with user groups, partitions, entitlements, and linked accounts. A user may have or not have administrator permissions.
Creates (or imports) users. Sets passwords, unlocks accounts, and enables or disables non-administrator user accounts. Adds directory groups to directories, including directory users. Grants Help Desk Administrator permissions. The Authorizer Administrator typically unlocks administrator accounts.
A set of local users or directory users that can be added to an entitlement to use the entitlement’s access request policies restricting system access.
UTC is never out of sync with GMT (Greenwich Mean Time) by more than nine tenths of a second so UTC and GMT are virtually equivalent in common usage.
A software-based computer that runs an operating system and applications and acts as an isolated computing environment. One host computer may have multiple virtual machines.
A web-based application that allows you to execute shell commands on a server directly from a browser (web-based SSH).
The infrastructure for accessing management data in an enterprise environment. You can write WMI scripts or applications to automate administrative tasks on remote computers. WMI also supplies management data to other parts of the operating system and products.
Directs workflow and may include time restrictions, reviewers, approvers, emergency access, and policy expiration. May integrate with a ticketing system and have reason codes.