Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Installing the desktop client Setting up Safeguard for Privileged Passwords for the first time The console Navigation pane Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Historical changes by release Glossary

Asset Discovery Results

You can view the results of running one or more Asset Discovery jobs.

  1. Navigate to Administrative Tools | Discovery and click the Asset Discovery Results tile.
  2. On the Asset Discovery Results grid:
    • Click Refresh to refresh the results.
    • Select the time frame of the completed jobs you want to display which ranges from the last 24 hours to the last 7, 30, 60 or 90 days. Or, click Custom to create a custom time frame.
  3. Click Search and enter the character string to be used to search for a match. For more information, see Search box.
  4. Click a column to sort the column information displayed for each job:
    • User: The user who ran the job or Automated System, if the job is run on an automated schedule.
    • Date: The most recent date the Asset Discovery job successfully ran.
    • Job Name: The name of the Asset Discovery job.
    • Type: The type of Asset Discovery job (for example, Network Scan or Directory Scan).
    • Event: The outcome of running the Asset Discovery job event which may be Asset Discovery Succeeded, Asset Discovery Failed, or Asset Discovery Started.
    • Partition: The partition in which the discovered assets will be managed.
    • Appliance: The name of the Safeguard for Privileged Passwords Appliance.
    • Directory: If applicable, the name of the directory on which the Asset Discovery job ran.
    • # Assets Found: The number of asset found during the discovery job.
  5. For additional detail on an Asset Discovery job result, double-click the result row to view the Asset Discovery Results pop-up window. On this window, click # of Assets Found to see a list of the assets.

Account Discovery

Account Discovery jobs include the rules Safeguard for Privileged Passwords uses to perform account discovery against assets. When you add an Account Discovery job, you can identify whether or not to automatically manage found accounts, whether to discover services, and whether to automatically configure dependent systems.

The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account.

To configure and schedule account discovery jobs, perform one of the following:

  • You can create or edit an Account Discovery job from Administrative Tools | Discovery | Account Discovery. Then, associate assets to the Account Discovery job via the Occurrences button.

    IMPORTANT: You must click Occurrences to associate assets to the Account Discovery job. If you do not associate the assets to the Account Discovery job, the accounts will not be found.

  • You can create or edit an asset and, in the process, assign or create an Account Discovery job. For more information, see Adding an asset.
Supported platforms

Safeguard for Privileged Passwords supports account discovery on the following platforms:

Properties and toolbar

Navigate to Administrative Tools | Discovery | Account Discovery.

Use these toolbar buttons to manage the Account Discovery jobs.

Table 68: Account Discovery: Toolbar
Option Description
Add

Add an Account Discovery job. For more information, see Adding an Account Discovery job.

Delete Selected

Delete the selected Account Discovery job.

Refresh

Update the list of Account Discovery jobs.

Edit

Modify the selected Account Discovery job. You can also double-click a row to open the edit dialog.

Discover Accounts

Discover the accounts on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop up displays which shows the progress and completion.

Discover Services

Discover the services on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop up displays which shows the progress and completion.

Details

View additional details about the selected Account Discovery job.

Occurrences

Add, delete, or refresh the assets associated with the Account Discovery job.

IMPORTANT: You must associate the assets to the Account Discovery job for the accounts to be found.

Search

Enter the character string to be used to search for a match. For more information, see Search box.

Account Discovery jobs display in the grid.

Table 69: Account Discovery: Account Discovery job grid
Name Name of the discovery job
Creator Indicates the source of the job, for example, Automated System or a specific administrator.
Discovery Type The type of discovery performed, for example, Windows, Unix, or Directory.
Directory The directory on which the discovery job runs.
Partition

The partition in which to manage the discovered assets or accounts.

Schedule

Designates when the discovery job runs.

Discover Services

A check mark displays if the job will discover service accounts.

Auto Configure

A check mark displays if the accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset.

Asset Count

Total number of assets assigned to the Account Discovery job.

Double-click on an Account Discovery job to view the details.

Table 70: Account Discovery tab properties

Partition

The partition on which the Account Discovery job runs.

Name The name of the Account Discovery job.
Description

The description of the Account Discovery job.

Discovery Type The type platform, for example, Windows, Unix, or Directory.
Directory If applicable, the directory on which the selected Account Discovery job runs.
Schedule The interval for the Account Discovery job to run.
Rules
  • Name: Name of the discovery job.
  • Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule.
  • Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
  • Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
  • Set default password: A check mark displays if the rule causes default passwords to be set automatically.
  • Assign to Profile: The partition profile assigned.
  • Assign to Sync Group: A check mark displays if the rule automatically associated the accounts with a password sync group.
  • Enable Password Request: A check mark displays if the passwords is available for release.
  • Enable Session Request: A check mark displays if session access is enabled.
Related Topics

Account Discovery job workflow

Account Discovery job workflow

Safeguard for Privileged Passwords's Account Discovery jobs discover accounts of the assets that are in the scope of a partition profile. For more information, see About partition profiles. Account Discovery jobs can include service discovery.

You can configure, schedule, test, and run Account Discovery jobs. After the job has run, you can select whether to manage the account, if it was not identified to be automatically managed.

  1. Create an Account Discovery job and associate assets or create an asset and associate the Account Discovery job.
  2. Account Discovery jobs can be scheduled to run automatically. In addition you can manually launch these jobs in any of the following ways:

  3. After the Account Discovery job runs, you can mark the managed accounts from Administrative Tools | Discovery | Discovered Accounts.

    • Click  Disable to prevent Safeguard for Privileged Passwords from managing the selected account.
    • Click  Enable to manage the selected account and assign it to the scope of the default profile.

    Note: The discovery job finds all accounts that match the discovery rule's criteria regardless of the state and reports only the accounts discovered that do not currently exist. Account Discovery does not update existing accounts.

Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the account discovery events in the Account Discovery Activity category.

Adding an Account Discovery job

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account Discovery job workflow.

To add an account discovery job

  1. Navigate to Administrative Tools | Discovery | Account Discovery.
  2. Click  Add to open the Account Discovery dialog.
  3. Provide the following:
    1. Partition: Browse to select a partition.
    2. Name: Enter a name for the account discovery job. Limit: 50 characters.

    3. Description: Enter descriptive text about the account discovery job. Limit: 255 characters

    4. Discovery Type: The platform, for example, Windows, Unix, or Directory. Make sure the Discovery Type is valid for the assets associated with the Partition selected earlier on this dialog.
    5. Directory: If the Discovery Type is Directory, select the directory on which the Account Discovery job runs.
    6. Click the Schedule button and choose an interval for to run the Account Discovery job.

      In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

      • To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

        • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24 hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
        • Hours: The job runs per the minute setting you specify. For example, if it is 9 am and you want to run the job every 2 hours at 15 past the hour starting at 9:15 am, you would select Runs Every 2 Hours @ 15 minutes after the hour.

        • Days: The job runs on the frequency of days and the time you enter.

          For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.

        • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

          For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 am on Monday, Wednesday, and Friday.

        • Months: The job runs on the frequency of months at the time and on the day you specify.

          For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 am on the first Saturday of every other month.

      • Select Use Time Windows if you want to enter the Start and End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

        For example, for a job to run every ten minutes every day from 10 pm to 2 am you would enter these values:

        Enter Every 10 Minutes and Use Time Windows:

        • Start 10:00:00 PM and End 11:59:00 AM
        • Start 12:00:00 AM and End 2:00:00 AM

          An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

        If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

        For a job to run two times every other day at 10:30 am between the hours of 4 am and 8 pm, you would enter these values:

        For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

      • Time Zone: Select the time zone.
    7. Rules: You can add, delete, edit or copy rules. For more information, see Adding an Account Discovery rule.
    8. Discover Services: (For Windows accounts only and deselected by default.) Select this check box so that when the discovery job is run, services are discovered and can be viewed in by clicking the Discovered Services tile. For more information, see Discovered Services.

      For more information, see Adding an Account Discovery job.

      Automatically Configure Dependent Systems: (For Windows accounts only and deselected by default.) Select this check box so that any directory accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. The dependencies are listed on Administrative Tools | Assets | Account Dependencies. If you deselect the check box and run the account discovery job again, the dependencies are not removed. Dependencies can be manually removed from Administrative Tools | Assets | Account Dependencies. For more information, see Account Dependencies tab (asset).

  4. Click OK.
  5. Select the assets to which the account discovery rule applies using one of these approaches:

Related Documents