Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Installing the desktop client Setting up Safeguard for Privileged Passwords for the first time The console Navigation pane Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Historical changes by release Glossary

Adding an account password rule

It is the responsibility of the Asset Administrator, or a partition's delegated administrator, to configure account password complexity rules.

Important:

Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136-character password is stored in Safeguard for Privileged Passwords. This causes the following issues:


  • Check Password for that account will fail. When Safeguard for Privileged Passwords compares the password on the Unix host with the password in Safeguard for Privileged Passwords, they never match because the Unix host truncated the password generated by Safeguard for Privileged Passwords.


  • A user will not be able to log into the Unix host account successfully with the password provided by Safeguard for Privileged Passwords unless he truncates the password to the allowable length imposed by the operating system.

To add an account password rule

  1. Navigate to Administrative Tools | Settings | Profile | Account Password Rules.
  2. Click  Add Account Password Rule to open the Account Password Rule dialog.
  3. Browse to select the partition.
  4. Enter a Name for the account password rule (up to 50 characters).
  5. Enter a Description for the account password rule (up to 255 characters).
  6. Set the password requirements.

    • Password Length: Set a range for the password allowable length from 3 to 255 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have 2 uppercase letters, 2 lowercase letters, and 2 numeric characters, the minimum Password Length must be 6.

    • First Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Last Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Repeated Characters: Choose one of the following:
      • Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
      • No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
      • No repeated characters: All letters, numbers, or symbols can only be used once in the password.
    • Alpha Character:
      • Allow Uppercase: Select to allow uppercase (capital) letters.
        • Minimum of [enter a number] Required Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any uppercase characters you want to exclude from the password. This field is case sensitive.
      • Allow Lowercase: Select to allow lowercase (small) letters.
        • Minimum of [enter a number] Required Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
      • Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Max Allowed.

        For example, if you set the Max Allowed at 2 then you can not have more than 2 alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has 3 alphabet characters in a row.

    • Numeric Character:
      • Allow Numeric (0-9): Select to allow numeric characters in the password.
        • Minimum of [enter a number] Required Numbers: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Numeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated numbers. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any numbers (0 though 9) you want to exclude from the password.
    • Alphanumeric Characters
      • Limit Consecutively Repeated Alphanumeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated alphanumeric characters. You must enter a Max Allowed value of 1 or more.
    • Symbols:
      • Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
      • Minimum of [enter number] Required Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at 0.
      • Click Advanced to set the following:
        • Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Max Allowed value of 1 or more.
        • Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
        • Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
  7. Click Test Rule to check the rules set.
  8. When the rules are complete, click OK.

Change Password

Change password settings are the rules Safeguard for Privileged Passwords uses to reset account passwords.

Navigate to Administrative Tools | Settings | Profile | Change Password.

The Change Password pane displays the following about the listed change password setting rules.

Table 170: Change Password: Properties
Property Description
Name

The name of the rule.

Partition The partition that uses the rule.
Description

Information about the rule.

Schedule Displays the selected rule's schedule.

Use these toolbar buttons to manage the change password setting rules.

Table 171: Change Password: Toolbar
Option Description
Add Change Password Setting Add a change password rule. For more information, see Adding change password settings.
Delete Selected

Remove the selected rule.

Refresh Update the list of change password rules.
Edit Modify the selected rule.
Copy "Clone" the selected rule.

Adding change password settings

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules Safeguard for Privileged Passwords uses to reset account passwords.

IMPORTANT: Passwords for accounts associated with a password sync group are managed based on the profile change schedule and processed via the sync group. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue. For more information, see Password Sync Groups.

To add a password reset schedule

  1. Navigate to Administrative Tools | Settings | Profile | Change Password.
  2. Click  Add Change Password Setting to open the Change Password Settings dialog.
  3. Browse to select a partition.
  4. Enter a Name of up to 50 characters for the rule.
  5. Enter a Description of up to 255 characters for the rule.
  6. Optionally, select Change Passwords Manually.

    For more information, see How do I manage accounts on unsupported platforms.

  7. Click the Schedule button and choose an interval.
  8. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24 hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 am and you want to run the job every 2 hours at 15 past the hour starting at 9:15 am, you would select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 am on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 am on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 pm to 2 am you would enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 AM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 am and 8 pm, you would enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

    • Time Zone: Select the time zone.
  9. Optionally, complete any of these settings:
    1. Change the Password Even if a Release is Active: Select this option to allow a password change even when a password release is active.
    2. Update Service on Password Change (Windows Only): For service accounts that run system services, select this option to ensure that the password change is also applied to each service the account runs.
    3. Restart Service on Password Change (Windows Only): For service accounts that run system services, select this option to ensure that the services automatically restart after the password is changed.
    4. Update Task on Password Change (Windows Only): For service accounts that run scheduled system tasks, select this option to ensure that the password change is also applied to each task the account runs.
    5. Suspend account when not checked out (supported platforms): Select this option to automatically suspend managed accounts that are not in use. That is, the account on a managed asset is suspended until a request is made for it through Safeguard for Privileged Passwords, at which time Safeguard for Privileged Passwords restores the account. Once the request is checked in or closed, the account is again suspended.

      Click the supported platforms link to display a list of platforms that support this feature.

      NOTE: When managing passwords for Windows service accounts, do not select this option. Create a separate Profile with Change Password settings that do not have this option selected for managing Windows service accounts.

    6. Manage SSH Key: Select this option to allow Safeguard for Privileged Passwords to rotate the SSH key it uses to communicate with an asset configured to use SSH Key Authentication. For more information, see SSH Key.

      NOTE: Clear this option to only manage passwords.

Check Password

Check password settings are the rules Safeguard for Privileged Passwords uses to verify account passwords.

Navigate to Administrative Tools | Settings | Profile | Check Password.

The Check Password pane displays the following about the listed check password setting rules.

Table 172: Check Password: Properties
Property Description
Name

The name of the check password rule.

Partition The partition that uses the rule.
Description

Information about the rule.

Schedule Displays the selected rule's schedule.

Use these toolbar buttons to manage the check password setting rules.

Table 173: Check Password: Toolbar
Option Description
Add Check Password Setting Add a check password rule. For more information, see Adding check password settings.
Delete Selected

Remove the selected rule.

Refresh Update the list of check password rules.
Edit Modify the selected rule.
Copy "Clone" the selected rule.
Related Documents