Use the Administrative Tools | Assets | Management tab to add the network address, operating system or directory service, and version information for an asset.
When you create a directory asset, the accounts that are created are displayed as discovered accounts in the Discovered Accounts properties grid. For more information, see Discovered Accounts.
The settings for an asset are shown below.
Property | Description
---|---
Product | Select an operating system or directory service for this asset. A custom platform can be selected. For more information, see Custom platforms.
Version | If applicable, select the operating system version. When adding a Linux or Macintosh OS X system, Safeguard for Privileged Passwords allows you to choose an "Other" version.
Architecture | If applicable, the product's system architecture.
Network Address | If applicable, enter a network DNS name or the IP address used to connect to the managed system over the network. For Amazon Web Services assets, enter the Amazon AWS Account ID or Alias.
Domain Name (directory) | The domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed by the same domain.
Manage Forest (directory) | Select if you want to manage the whole forest. Do not select if you want to manage just one domain.
 | If applicable, select to make this asset available with "read access" to Asset Discovery jobs beyond partition boundaries. Any partition that exists is able to use this directory asset; however, other partition owners do not have read password access. If not selected, partition owners and other partitions will not know the directory asset exists. When setting up the Asset Discovery job, use the Directory asset discovery Method so that shared directory assets can be discovered into any partition. For more information, see General tab (asset discovery).
Enable Session Request | If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset. Clear this check box if you do not want to allow session requests for this asset. If an asset is disabled for sessions and an account on the asset is enabled for sessions, sessions are not available because the asset does not allow sessions.
Advanced |
Managed Network | The managed network that is assigned for work load balancing. For more information, see Managed Networks.
RDP Session Port | If applicable, specify the access port on the target server to be used for RDP session requests. Default: Port 3389
SSH Session Port | If applicable, specify the access port on the target server to be used for SSH session requests. Default: Port 22
Telnet Session Port | If connecting to TN3270 or TN5250, the port for the connection. By default, a telnet server typically listens on port 23.
Sync additions every [number] minutes | For directory assets, enter or select how often you want Safeguard for Privileged Passwords to synchronize additions (in minutes). This updates Safeguard for Privileged Passwords with any additions or modifications that have been made to the objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes. Range: Between 1 and 2147483647.
Sync deletions every [number] minutes | For directory assets, enter or select how often you want Safeguard for Privileged Passwords to synchronize deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes. Range: Between 1 and 2147483647.
The Account Discovery tab is only available after an Active Directory asset has been created. On the Account Discovery tab, the default is Do not perform account discovery.
Property | Description
---|---
Description | Select the description of the Account Discovery job desired and the details of the configuration display. Click
Partition | The partition in which to manage the discovered assets or accounts.
Discovery Type | The platform type, for example, Windows, Unix, or Directory.
Directory | The directory for account discovery.
Schedule | Click Schedule to control the job schedule. Select Run Every to run the job according to the run details you enter. (If you deselect Run Every, the schedule details are lost.)
Rules | Click Details to view the rules for the selected account discovery setting. The rules available depend on the type of asset.
On the Connection tab, choose an Authentication Type (see the table which follows) and specify the service account credentials. The type of asset specified in the Product field on the Management tab determines the authentication types available for the asset. If the asset has a custom platform, the Custom Properties elements are displayed. For more information, see Custom platforms.
Authentication Type | Description
---|---
SSH Key | To authenticate to the asset using an SSH authentication key.
Directory Account | To authenticate to the asset using a directory account from an external identity store such as Microsoft Active Directory.
Local System Account | For SQL Server assets, to authenticate to the asset using a local system account, which is a Windows user account on the server that is hosting the SQL database.
Password (local service account) | To authenticate to the asset using a local service account and password.
Account Password | When the function account credentials are not in the custom script, for example, Amazon Web Services. For more information, see Custom platforms and Adding a cloud platform account.
Access Key | For Amazon Web Services assets, to authenticate to the asset using an access key. For more information, see Adding a cloud platform account.
Custom | No authentication information is taken because the custom parameters or the parameters in a custom platform script are used. No accounts associated with the asset are stored. For more information, see Custom platforms and Adding a cloud platform account.
None | No authentication information is taken and check/change functions are disabled. No accounts associated with the asset are stored.
Test Connection | Verify that Safeguard can log into the asset using the service account credentials that you have provided.
Timeout | Enter the connection timeout period.
Client ID | For SAP assets, enter the client ID.
If the Product field on the Management tab identified a custom platform, complete the dialog based on the custom properties of the custom platform script. Safeguard for Privileged Passwords checks that each value matches the declared type of the property, which can be a string, boolean, integer, or password (called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms. For more information, see Creating a custom platform script.
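The type check described above is easy to misunderstand: it confirms only that a value is of the declared kind, not that the value is correct for the target system. The following is an added example, not Safeguard code, that shows what such a check does and does not catch. The four property types (string, boolean, integer, secret) come from the page; the schema, property names and input values are constructed for illustration, and the redaction helper is an addition that keeps secret-typed values out of logs.

```python
import re
from typing import Any, Dict, Mapping, Tuple

# The four property types the page names; "password" is called "secret" in API scripts.
SUPPORTED_TYPES = {"string", "boolean", "integer", "secret"}

# Constructed example schema (property name -> declared type). A real custom
# platform script declares its own properties; these names are hypothetical.
EXAMPLE_SCHEMA: Dict[str, str] = {
    "ApiEndpoint": "string",
    "UseTls": "boolean",
    "ApiPort": "integer",
    "ApiToken": "secret",
}

_TRUE = {"true", "yes", "1", "on"}
_FALSE = {"false", "no", "0", "off"}


def coerce_value(declared_type: str, raw: Any) -> Any:
    """Return raw converted to declared_type, or raise ValueError if it does not fit.

    This is a type check only: a well-formed but wrong endpoint or port passes.
    """
    if declared_type == "string":
        return str(raw)
    if declared_type == "secret":
        # Secrets are strings too, but an empty secret is almost always a mistake.
        if not isinstance(raw, str) or raw == "":
            raise ValueError("secret must be a non-empty string")
        return raw
    if declared_type == "boolean":
        if isinstance(raw, bool):
            return raw
        if isinstance(raw, str):
            s = raw.strip().lower()
            if s in _TRUE:
                return True
            if s in _FALSE:
                return False
        raise ValueError(f"not a boolean: {raw!r}")
    if declared_type == "integer":
        if isinstance(raw, bool):  # bool is an int subclass; reject it explicitly
            raise ValueError(f"not an integer: {raw!r}")
        if isinstance(raw, int):
            return raw
        if isinstance(raw, str) and re.fullmatch(r"[+-]?\d+", raw.strip()):
            return int(raw.strip())
        raise ValueError(f"not an integer: {raw!r}")
    raise ValueError(f"unsupported property type: {declared_type}")


def validate_custom_properties(
    schema: Mapping[str, str], values: Mapping[str, Any]
) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Check every value against its declared type.

    Returns (typed_values, errors). Missing properties, undeclared properties
    and type mismatches are reported by name; nothing about the target system
    is verified.
    """
    typed: Dict[str, Any] = {}
    errors: Dict[str, str] = {}
    for name, declared in schema.items():
        if declared not in SUPPORTED_TYPES:
            errors[name] = f"unsupported type '{declared}'"
            continue
        if name not in values:
            errors[name] = "missing"
            continue
        try:
            typed[name] = coerce_value(declared, values[name])
        except ValueError as exc:
            errors[name] = str(exc)
    for name in values:
        if name not in schema:
            errors[name] = "not declared in schema"
    return typed, errors


def redact_for_log(schema: Mapping[str, str], typed: Mapping[str, Any]) -> Dict[str, Any]:
    """Copy of typed values with secret-typed properties masked, safe to log."""
    return {k: ("***" if schema.get(k) == "secret" else v) for k, v in typed.items()}


if __name__ == "__main__":
    # Constructed input: a valid submission and one with several problems.
    ok, errs = validate_custom_properties(
        EXAMPLE_SCHEMA,
        {"ApiEndpoint": "https://api.example.test", "UseTls": "yes",
         "ApiPort": "8443", "ApiToken": "constructed-token"},
    )
    print("typed:", redact_for_log(EXAMPLE_SCHEMA, ok), "errors:", errs)
```

The point to take from it is the line between the two checks: `validate_custom_properties` rejects `"maybe"` for a boolean or `"80.1"` for an integer, but it will happily accept a port that the target service never listens on. Whether the values actually work is only learned from Test Connection.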
Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage accounts and passwords on that asset. Therefore, a service account needs sufficient permissions to edit the passwords of other accounts.
When you add an asset, Safeguard for Privileged Passwords adds its service account to the list of Accounts and designates it with a Service Account icon. By default, Safeguard for Privileged Passwords automatically manages the service account password according to the check and change schedules in the profile that governs its asset. For more information, see Creating a partition profile.
When adding a service account, Safeguard for Privileged Passwords automatically disables it from access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request. If you want to enable session access, select Enable Session Request.
TIP: As a best practice, if you do not want Safeguard for Privileged Passwords to manage a service account password, add the account to a profile that is set to never change passwords.
If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password management for all accounts that are associated with this asset. A user can continue to check out the passwords; however, if the policy that governs the account requires that it change the password after release, the password can get stuck in a 'pending password reset' state. For more information, see Password is pending a reset.
The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. If you experience issues, first verify that you can access the managed system from another system (independent of Safeguard for Privileged Passwords), using the service account. For more information about troubleshooting connectivity issues, see Test Connection failures and Connectivity failures.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.