Asset Administrators can manually add and remove static tags to an asset using the Tags pane, which is located at the bottom of the General tab when an asset is selected on the Assets view.
You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag.
To manually add a tag to an asset
Place your cursor in the edit box and enter the tag to be assigned to the selected asset.
As you type, existing tags that start with the letters entered will appear allowing you to select a tag from the list.
To add additional tags, press Enter before entering the next tag.
Click OK.
If you do not see the new tag, click Refresh.
To remove a manually assigned tag, click the X inside the tag box.
Use the Accounts tab on the Assets view to add an account to an asset. You can acc an account to an asset or add a directory account to a directory asset. Steps for both follow.
In the Account dialog, enter the following information:
Name:
Description: (Optional) Enter information about this managed account. Limit: 255 characters
Profile: Browse to select a profile to govern this account.
By default an account inherits the profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile.
Enable Password Request: This check box is selected by default indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account.By default a user can request the password for any account in the scope of the entitlements in which he or she is an authorized "user".
Enable Session Request: This check box is selected by default indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized "user".
Available for use across all partitions: (For directory accounts only.) When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you might have assets that are running services as the account and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
If you add directory user accounts to a directory asset, Safeguard for Privileged Passwords will automatically change the user passwords according to the profile schedule you set which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.
|
IMPORTANT: For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works. |
To add a directory account to a directory asset
To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches each domain of a forest. You can search on partial strings. For example, if you enter "ad", it will find any user Name or Distinguished Name that contains "ad". The text search is not case sensitive and does not allow wild cards.
One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted.
|
NOTE: You must add directory accounts to Safeguard for Privileged Passwords before you can set up account dependency relationships. For more information, see Adding an account. |
|
NOTE: Select the Available for use across all partitions option on the directory account so it can be used outside its domain partition. For more information, see Adding an account. |
To add account dependencies to Windows servers
Use the Asset Groups tab on the Assets view to add an asset to one or more asset groups.
Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms.This section lists SPP and SPS support by platform.
To add an asset to asset groups
If you do not see the asset group you are looking for and have Security Policy Administrator permissions, you can click Create New and add the new asset group. Enter the information and click Add Asset Group. For more information on creating asset groups, see Adding an asset group.
© 2022 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy