Manually override automatic Offline Workflow
Use the Offline Workflow page to manually enable offline workflow or resume online operations.
For details on either of these operations, see Manually control Offline Workflow Mode.
Before resuming online operations, see Considerations to resume online operations.
To manually Enable Offline Workflow
This option is only available when the appliance has lost consensus with the cluster.
- Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.
- Click
Enable Offline Workflow to manually trigger Offline Workflow Mode.
- In the dialog box, type in Enable Offline Workflow and click Enter. The appliance is in Offline Workflow Mode and enters maintenance.
- You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management.
To manually Resume Online Operations
- Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.
- Click
Resume Online Operations to manually trigger moving the appliance from Offline Workflow Mode back to online operations.
- In the dialog box, type in Resume Online Operations and click Enter.
- When maintenance is complete, click Restart Desktop Client. The appliance is returned to Maintenance mode.
- You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management.
Sessions Appliances with SPS join
|
|
CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback. |
The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa.
Once joined, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance.
Safeguard for Privileged Passwords join guidance
Before initiating the join, review the steps and considerations in the join guidance. For more information, see Appendix C: SPP and SPS sessions appliance join guidance.
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.
|
|
CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation. |
Standard operating procedure after the initial join
If you add another SPS cluster after the initial join, follow these standard operating procedures:
- Add join connections. See Viewing, deleting, or editing join connections later in this topic.
-
Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy.
- Assign the managed networks. For more information, see Managed Networks.
Connection deletion: soft delete versus hard delete
Depending on your goals, you can perform a soft delete or a hard delete.
Soft delete the connection
When a session connection is deleted from the desktop client, the connection information is soft deleted so that a rejoin of the same SPS appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a rejoin avoids "breaking" all of the Access Request Polices that referenced the previous session connection.
If the session connection is deleted, a caution displays when you navigate to Administrative Tools | Entitlements | Access Request Policies and go to the Session Settings tab. For more information, see Session Settings tab.
Hard delete the connection
A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a rejoin is not desired or retaining the previous session connection values is preventing an SPS appliance from joining or rejoining. A hard delete can only be performed from the API using the following steps:
- In a browser, navigate to https://<your-ip-address>/service/core/swagger.
- Authenticate to the service using the Authorize button.
- Navigate to Cluster->GET /v3/cluster/SessionModules and click Try it out!.
- Identify if the unwanted session connection exists on the list:
- If the unwanted session connection exists in the list, then:
- Note the ID of the session connection.
- Navigate to Cluster DELETE /v3/cluster/SessionModules.
- Enter the ID.
- Click Try it out!”.
- Go to step 3.
- If the unwanted session connection does not exist in the list, then:
- Set the includeDisconnected parameter to true.
- Click Try it out!.
- If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.
- If the unwanted session connection exists in the list, then:
- The process is complete and the session connection is permanently removed.
Viewing, deleting, or editing join connections
Once the join is complete, navigate to Administrative Tools | Settings | Cluster | Session Appliances to view, delete, or edit join connections. The Session Appliances pane displays the following session details.
| Property | Description |
|---|---|
|
Host Name |
The host name of the SPS appliance host cluster master. |
|
Network Address |
The network DNS name or IP address of the session connection. |
|
Description |
(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node). |
|
Connection User |
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name. |
|
Thumbprint |
A unique hash value that identifies the certificate. |
|
Managed Hosts |
Other nodes in the SPS cluster identified by the managed host name and IP address. Hover over any |
Warning icon to see if the Managed Host is Unavailable or Unknown. Click a Host Name row to bring up the Session Module Connection dialog.
| Property | Description |
|---|---|
|
Node ID |
The name of the Safeguard for Privileged Sessions Appliance used to authenticate the joined SPS session connection. |
|
Host Name |
The host name of the SPS appliance host cluster master. |
|
Connection User |
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name. |
|
Description |
(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node). |
|
Network Address |
The network DNS name or IP address of the session connection. |
Use these toolbar buttons to manage sessions.
| Option | Description | ||
|---|---|---|---|
 Delete Selected |
Remove the selected joined SPS session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete earlier in this topic. | ||
 Edit |
Modify the selected joined SPS session connection Description or Network Address on the Session Module Connection dialog. | ||
 Refresh |
Update the list of joined SPS session connections. | ||
|
Session Module Password Access Enabled
|
|
Toggle on
Toggle offReversing the SPP to SPS join
Once a Safeguard for Privileged Passwords (SPP) cluster node has been configured to use the Safeguard Sessions Appliance, it can be reversed by a factory reset of the Safeguard Passwords Appliance. The factory reset redeploys the Safeguard Passwords Appliance session module. For more information, see Factory Reset from the desktop client.
Another way to reverse the join to Safeguard for Privileged Sessions is to restore a backup that was taken before the first join of Safeguard for Privileged Sessions (SPS).
For more information, see Backup and Retention settings.
External Integration settings
The Appliance Administrator can configure the appliance to send event notifications to various external systems, the integration with an external ticketing system, and configure both external and secondary authentication service providers. However, it is the Security Policy Administrator's responsibility to configure the Approval Anywhere feature.
Navigate to Administrative Tools | Settings | External Integration.
| Setting | Description |
|---|---|
|
Where you configure application registrations to use the Application to Application service, which allows third-party applications to retrieve credentials from Safeguard for Privileged Passwords. | |
| Where you define the Safeguard for Privileged Passwords users who are authorized to use Approval Anywhere to approve access requests. | |
| Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. | |
|
Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords. | |
| Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur. | |
| Where you join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling Two-Factor Authentication (2FA) and Starling Identity Analytics & Risk Intelligence. | |
| Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event. | |
| Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system. |