
One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide


Administrative Tools

The Administrative Tools allow you to add all the objects you need to write access request policies, such as users, accounts, and assets. From this view, you can also configure all of the Safeguard for Privileged Passwords settings.

Note: You must have administrator permissions to use the Administrative Tools, and the administrator permissions you have determine what you can view and modify.

The navigation pane along the left side of the console gives you access to these administrative tools.

Table 10: Administrative Tools
| Administrative Tools | Description | Administrator permissions |
| --- | --- | --- |
| Toolbox | Where you can gain quick access to all the tasks you can perform from a single portal. | Users with any Safeguard administrator privileges. |
| Accounts | Where you associate account identities with managed systems. | Asset Administrator or Auditor |
| Account Groups | Where you define sets of accounts which you can add to the scope of an access request policy. | Auditor or Security Policy Administrator |
| Assets | Where you add computers, servers, network devices, or applications to be managed by a Safeguard for Privileged Passwords Appliance. | Asset Administrator or Auditor |
| Asset Groups | Where you define sets of assets which you can add to the scope of an access request policy. | Auditor or Security Policy Administrator |
| Discovery | Where you configure asset and account discovery jobs which apply a set of rules to discover and automatically add assets and accounts to Safeguard for Privileged Passwords. | Auditor or Asset Administrator |
| Entitlements | Where you specify the access request policies that restrict system access to authorized users. | Auditor or Security Policy Administrator |
| Partitions | Where you define collections of assets which can be used to segregate assets for delegation. | Asset Administrator, Auditor, or delegated partition owner |
| Settings | Where you configure Safeguard for Privileged Passwords to run backups, install updates, manage clusters, manage certificates, enable event notifications, configure external integration, define profile configuration settings, define user password rules, define discovery rules, and run troubleshooting tools. | Users with any Safeguard administrator privileges; however, the settings available depend on the administrative permissions assigned. |
| Users | Where you set up users who can log into Safeguard for Privileged Passwords. | Bootstrap, Asset Administrator, Auditor, Authorizer Administrator, Help Desk Administrator, Security Policy Administrator, or User Administrator |
| User Groups | Where you define sets of Safeguard for Privileged Passwords users which you can add to an entitlement. | Bootstrap, Auditor, Authorizer Administrator, Security Policy Administrator, or User Administrator |

All of the Administrative Tools views have the following components, except for the Toolbox and Settings:

  • Toolbar options across the top of the view.
  • Object list (left pane)
  • Search box at the top of the object list.
  • Details pane (right pane)

Toolbar options

The toolbar at the top of each view (except for the Toolbox and Settings) contains these options, depending on your Administrator permissions and the administrative tool you are in.

These buttons are available:

  • Apply to apply the changes and keep the dialog open.
  • OK to apply the changes and close the dialog.
  • Cancel to ignore any changes made, if any, and close the dialog.

Toolbar options include the following.

  • Add: Add objects to the Safeguard for Privileged Passwords appliance.
  • Delete: Remove objects from the appliance.
  • Refresh: Refresh the screen.

    NOTE: Whenever you add, modify, or delete an object in Administrative Tools, the changes you make cannot be seen by other administrators running Safeguard for Privileged Passwords on other clients unless they click Refresh.

  • Import: Only available for Accounts, Assets and Users: Add a set of objects from a .csv file. For more information, see Importing objects.
  • User Security: Only available for Users: Menu options include: Set Password and Unlock accounts. For more information about these options, refer to Setting a local user's password and Unlocking a user's account.
  • Account Security: Only available for Accounts: Menu options include: Set Password, Check Password, and Change Password. For more information, see Checking, changing, or setting an account password.
  • Permissions: Only available for Users: Set administrator permissions for users. For more information, see Administrator permissions.
  • Set as Default: Only available for Partitions: Set a partition as the default. For more information, see Setting a default partition and Setting a default partition profile.
  • Download SSH Key: Only available for Assets: Add the SSH Key to the selected asset. For more information, see Downloading a public SSH key.
  • Password Archive: Only available for Accounts: Display the password history for the selected account. For more information, see Viewing password archive.
  • Access Requests: Only available for Accounts and Assets: Enable or disable access request services for the selected account or asset.
  • Show Disabled: Display the accounts or assets marked as disabled.
  • Hide Disabled: Hide the accounts or assets marked as disabled.
  • Sync Now: Only available for Assets: Run the directory addition and deletion synchronization process on demand. In addition, it runs through the discovery, if there are discovery rules and configurations set up.

Privileged access requests

One Identity Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.

In order for a request to progress through the workflow process, authorized users perform "assigned" tasks. These tasks are performed from the user's Home page in the desktop client or web client.

As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, Safeguard for Privileged Passwords can be configured to alert you when you have pending tasks awaiting your attention. For more information, see Configuring alerts.

The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:

  • Designated "requesters" see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).

    Requesters can also define favorite requests, which then appear on their Home page for subsequent use. For more information, see Creating, editing, or removing a favorite request.

  • Designated "approvers" see tasks related to approving (or denying) and revoking access requests.
  • Designated "reviewers" see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.

Password release and session requests use a workflow engine; however, the actions taken on a session request are slightly different than those taken on a password release request. Therefore, we will cover each of these access request workflows separately:

Creating, editing, or removing a favorite request

If designated as a requester, Safeguard for Privileged Passwords allows you to add an access request as a Favorite to your Home page. Favorites are unique for the user; they are available when you log into the desktop client or the web client.

You can create a favorite request from your Favorites pane on your Home page or from the New Access Request dialog when creating or editing an access request.

To create a favorite request from your Home page

  1. In the Favorites pane, click New Favorite.
  2. In the New Access Request dialog, specify the assets, accounts, and type of asset to be included in the access request.

    1. On the Asset Selection tab, select the assets to be included in the access request.
    2. On the Account & Access Type tab, select the accounts to be included in the access request and the type of access being requested for each selected account. The accounts include linked accounts, if any. For more information, see Linked Accounts tab (user).

      • Account: The available account appears in the Account column. When an asset has multiple accounts available, click Select Account(s) to select an account from the displayed list.
      • Access Type: The type of access request appears in the Access Type column. When multiple access request types are available, this value appears as a hyperlink. Click this hyperlink to select the access type.
  3. Click the Add to Favorites button.
  4. In the Add to Favorites dialog, specify the following:

    1. Name: Enter a name for the request.

      Required

    2. Description: Enter descriptive text about the request.
    3. Color: Select the icon color to be used to display the request in your Favorites pane.

    Click Add.

    The dialogs will close and the new favorite will be added to the Favorites pane on your Home page.

To create a favorite request from the New Access Request dialog

  1. At the bottom of the New Access Request dialog, click the Add to Favorites button when you are creating a new request. The Add to Favorites button is enabled when you have selected the minimum required information (that is, at least one asset, account, and an access type) for the access request.

  2. In the Add to Favorites dialog, specify the following:

    1. Name: Enter a name for the request.

      Required

    2. Description: Enter descriptive text about the request.
    3. Color: Select the icon color to be used to display the request in your Favorites list.
  3. Click Add.

To change a favorite request's icon color

  1. At the top of the Favorites pane, click the button to display the Color Selected button.
  2. Select the check box to the left of the favorite request to be changed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.

  3. Click Color Selected.
  4. In the Settings dialog, choose a color and select OK.

    The icon for the favorite now appears in the color you selected.

To remove a favorite request

  1. At the top of the Favorites pane, click the button to display the Remove Selected button.

  2. Select the check box to the left of the favorite request to be removed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.

  3. Click the Remove Selected button.
  4. Select Yes to confirm.