It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords. While an asset can have multiple accounts, you can only associate an account with one asset.
The new account displays on the Accounts list.
Note: Safeguard for Privileged Passwords allows you to set up account discovery jobs that run automatically. For more information, see Account Discovery job workflow.
In the Assets dialog, for Asset Name, select an asset to associate with this account.
In the Account dialog, enter the following information:
Description: (Optional) Enter information about this managed account. Limit: 255 characters
Profile: Browse to select a partition profile to govern this account.
By default an account inherits the partition profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile.
Enable Password Request: This check box is selected by default indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account.By default a user can request the password for any account in the scope of the entitlements in which he or she is an authorized "user".
Enable Session Request: This check box is selected by default indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized "user".
Available for use across all partitions: (For directory accounts only.) When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you might have assets that are running services as the account and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
One Identity Safeguard for Privileged Passwords can manage cloud platform accounts such as Amazon Web Services (AWS), Facebook (deprecated), and Twitter (deprecated).
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.
Before you add cloud platform accounts to Safeguard for Privileged Passwords, you must first add an asset with which to associate the accounts. For more information, see Prepare Amazon Web Services platforms.
In the Management tab,
For Amazon Web Services, in the Connection tab, select:
Access Key to authenticate to the asset using an access key. Enter the following information:
Once you add the cloud platform asset, you can associate accounts with it.
To add an account to the cloud platform
Now you can manually check, change, or set the cloud platform account password; and, Safeguard for Privileged Passwords can automatically manage the password according to the Check and Change settings in the profile governing the account.
To resolve a Twitter requirement for additional verification
Twitter may prompt for additional verification on the next login if suspicious activity is detected (for example, the login originated from a new device or there were too many failed logins from a device). The additional verification may require entry of the email address associated with the Twitter account or entry of a temporary password sent via email. Safeguard for Privileged Passwords detects the Twitter prompt and displays the login requirement in a status message when the password change fails. The Activity Center Event may display Password Change Failed with the following Checking detail: Additional account verification requested:’RetypeEmail’.
To resolve the request for verification so that Twitter trusts the Safeguard for Privileged Passwords Appliance:
To checkout the cloud platform account
Asset Administrators can manually add and remove static tags to an account. You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag.
Place your cursor in the edit box and use one method:
Click OK. If you do not see the new tag, click the Refresh toolbar button.
To remove a manually assigned tag, click next to the Tags title and click the X inside the tag box to be removed.
From the Accounts view you can add an account to one or more account groups.
If you do not see the account group you are looking for and you have Security Policy Administrator permissions, you can create an account group from the Account Groups dialog.
Name: Enter a unique name for the account group. Limit: 50 characters
Description: (Optional) Enter information about this account group. Limit: 255 characters