
One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide


Audit Log Management

Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to purge audit logs from the Safeguard for Privileged Passwords Appliance and archive older audit logs to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.

To define and schedule when to perform an audit log archival task:

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Management.
  2. Select Run Every to run the job according to the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Windows selection in this section.

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24 hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 am and you want to run the job every 2 hours at 15 past the hour starting at 9:15 am, you would select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks: The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 am on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, if you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 am on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click add or delete to control multiple time restrictions. Time windows must be at least one minute apart and must not overlap.

      For example, for a job to run every ten minutes every day from 10 pm to 2 am you would enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 am and 8 pm, you would enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

    • Time Zone: Select the time zone.
  3. For Archive and delete audit logs older than __ days, enter the number of days that should pass before audit logs are archived to an archive server and deleted off the appliance.
  4. Select Send to archive server to store the audit logs externally from the appliance.

    Note: This option is only available if you have configured an archive server. For more information, see Adding an archive server.

  5. Click Test to test the connection to the archive server.
  6. To delete audit logs from the appliance and not back them up on an archive server, enter the days in Delete audit logs older than __ days.

Backup and restore

It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups.

As a best practice, store backups on an archive server that is external from the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the backup files, use Delete to remove them from the desktop client application. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention settings.

NOTE: When a backup is created, the state of the sessions module is saved, which can be either the joined sessions module (SPS) or the earlier embedded sessions module (SPP). Restoring a backup restores the sessions module to the state when the backup was taken, regardless of the state when the restore was started.

Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.

The Safeguard for Privileged Passwords Backup and Restore page lists this information for the backups that are currently in the database.

Table 128: Safeguard for Privileged Passwords Backup and Restore: Properties

| Property | Description |
|---|---|
| Date | The date of the backup. |
| Time | The time of the backup. |
| Progress | The status of the backup: Running or Complete. |
| File Size (MB) | The size of the backup file in megabytes. |
| Appliance Name | The name of the appliance. |
| Appliance Version | The version of the Safeguard for Privileged Passwords Appliance. |
| User | The name of the user that created the backup. |
| Last Archived Date | The date the selected backup ran. |
| Archive Server Name | The name of the server on which the backup was archived. |

Use these toolbar buttons to manage Safeguard for Privileged Passwords backups.

Table 129: Safeguard for Privileged Passwords Backup and Restore: Toolbar

| Option | Description |
|---|---|
| Run Now | Create a backup copy of the data that is currently on the appliance. For more information, see Run Now. |
| Delete | Remove the selected backup file from the Backups page and the Safeguard for Privileged Passwords database. |
| Refresh | Update the list of backup files on the Backups page. |
| Settings | Where you configure an automatic backup schedule. For more information, see Backup settings. |
| Download | Save the selected backup file in a location on your appliance. For more information, see Download. |
| Upload | Retrieve a backup file from a file location and add it to the Backups page list. For more information, see Upload. |
| Restore | Overwrite the current data and restore Safeguard for Privileged Passwords to the selected backup. For more information, see Restore. |
| Archive | Store a backup file on an external archive server. For more information, see Archive backup. |

Run Now

To create a new backup

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Click Run Now.

    Safeguard for Privileged Passwords makes a copy of the current database.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.

TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.

Caution: Safeguard for Privileged Passwords cannot restore any access request workflow events in process at the time of a backup.

Backup settings

Settings is where you configure an automatic backup schedule.

If you schedule a backup and a backup has already occurred for that interval (Minute, Hour, Day, Week, or Month), Safeguard for Privileged Passwords will not execute another backup until the following minute, hour, day, week, or month. For example, if a backup has already occurred today and you set the backup schedule to run a daily backup, Safeguard for Privileged Passwords will not run the backup until tomorrow.

The backup schedule window end time must be after the start time.

To schedule backups

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Click Settings.
  3. In the Backup Settings dialog, specify the backup schedule. Select Backup Every to run the job according to the run details you enter. (If you deselect Backup Every, the details are lost.)

    • To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Windows selection in this section.

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24 hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 am and you want to run the job every 2 hours at 15 past the hour starting at 9:15 am, you would select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks: The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 am on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, if you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 am on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click add or delete to control multiple time restrictions. Time windows must be at least one minute apart and must not overlap.

      For example, for a job to run every ten minutes every day from 10 pm to 2 am you would enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 am and 8 pm, you would enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

    • Time Zone: Select the time zone.
  4. Select Send to archive server to store the backup files externally from the appliance.

    Note: This option is only available if you have configured an archive server. For more information, see Adding an archive server.

You configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance on the Backup retention page.
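
The Use Time Windows rules stated in both scheduling procedures above (Audit Log Management and Backup settings) can be checked before values are typed into the dialog. The following is an added example, not One Identity code and not the appliance's own validation logic; the function names are hypothetical, and it models only the rules this page states (end after start, no overlap, at least one minute apart), splitting a period that crosses midnight into two entries.

```python
from datetime import datetime, time

FMT = "%I:%M:%S %p"  # 12-hour notation used in the guide's examples

def parse(text):
    return datetime.strptime(text, FMT).time()

def fmt(t):
    return t.strftime(FMT).lstrip("0")

def secs(t):
    return t.hour * 3600 + t.minute * 60 + t.second

def validate(windows):
    """Return the rule violations for a list of (start, end) time pairs."""
    problems = []
    for start, end in windows:
        if secs(end) <= secs(start):
            problems.append(f"{fmt(start)} to {fmt(end)}: end time must be after the start time")
    ordered = sorted(windows, key=lambda w: secs(w[0]))
    for (s1, e1), (s2, _) in zip(ordered, ordered[1:]):
        gap = secs(s2) - secs(e1)
        if gap < 0:
            problems.append(f"window starting {fmt(s2)} overlaps the one starting {fmt(s1)}")
        elif gap < 60:
            problems.append(f"windows starting {fmt(s1)} and {fmt(s2)} are less than one minute apart")
    return problems

def plan(start_text, end_text):
    """Turn one intended run period into window entries that pass validate().

    A period that crosses midnight is split into two entries, as in the
    guide's 10 pm to 2 am case.
    """
    start, end = parse(start_text), parse(end_text)
    if secs(end) > secs(start):
        windows = [(start, end)]
    else:
        windows = [(start, time(23, 59, 0))]
        if secs(end) > 0:
            windows.append((time(0, 0, 0), end))
    problems = validate(windows)
    if problems:
        raise ValueError("; ".join(problems))
    return [(fmt(s), fmt(e)) for s, e in windows]

if __name__ == "__main__":
    print(validate([(parse("10:00:00 PM"), parse("2:00:00 AM"))]))
    for entry in plan("10:00:00 PM", "2:00:00 AM"):
        print("Start %s and End %s" % entry)
```
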
