One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide


Safeguard Access settings

Safeguard for Privileged Passwords lets you configure the settings that govern how users sign in to One Identity Safeguard for Privileged Passwords. Navigate to Administrative Tools | Settings | Safeguard Access.

Table 176: Safeguard for Privileged Passwords Access settings

Setting         Description
Login Control   Where you configure the user login control settings.
Password Rule   Where you configure user password complexity rules.
Time Zone       Where you can set the time zone.

Login Control

It is the responsibility of the Appliance Administrator to initially set up user login controls, such as the number of failed sign-in attempts allowed before an account is locked out.

To configure the login controls

  1. Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.
  2. Provide the following information:
    Token Lifetime

    Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.

    Range: 10 minutes to 28800 minutes (20 days)

    Default: 1440 minutes (1 day)

    Lockout Duration

    Set the number of minutes a locked out account remains locked.

    Range: 1 to 9999 minutes; a setting of 9999 requires an administrator to manually unlock the account.

    Default: 15 minutes

    Lockout Threshold

    Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.

    If a user submits an incorrect password the number of times specified by Lockout Threshold within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration has elapsed.

    Range: 0 to 100 failed sign-in attempts; a value of 0 (zero) means the user's account is never locked because of failed logins.

    Default: 5 consecutive failures

    TIP: Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.

    Lockout Window

    Set the length of the window (in minutes) within which failed sign-in attempts are counted towards the Lockout Threshold; failures older than the window no longer count.

    Range: 0 to 15 minutes; a value of 0 (zero) means there is no time limit on tracking failed logon attempts, so failures accumulate regardless of how far apart they are.

    Default: 10 minutes

    Disable After

    Set the number of days to wait before automatically disabling an inactive user account.

    If a user has not logged onto Safeguard for Privileged Passwords this number of days, Safeguard for Privileged Passwords disables the user account.

    NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.

    Range: 14 to 365 days

    Default: 365 days

    Inform User of Disabled Account

    Select this option to tell users, when they attempt to log in, that Safeguard for Privileged Passwords has disabled their account. When cleared, Safeguard for Privileged Passwords tells the user only that access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems. A specific "account disabled" response tells an unauthenticated party that the user name exists and what state the account is in; a generic denial does not.

    A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user.

    Default: Not set

    Inform User of Locked Account

    Select this option to tell users, when they attempt to log in, that Safeguard for Privileged Passwords has locked their account. When cleared, Safeguard for Privileged Passwords tells the user only that access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems. A specific "account locked" response confirms to an unauthenticated party that the user name exists and that the Lockout Threshold has been reached, which is useful feedback to anyone guessing passwords.

    A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account.

    Default: Not set

    Minimum Password Age

    Set the number of days a user must wait before changing his or her password.

    Range: 0 to 14 days

    Default: 0

    Maximum Password Age

    Set the number of days users can use their current password before they must change it.

    Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.

    Default: 42 days

    Password Age Reminder

    Set the number of days before the Maximum Password Age is reached at which Safeguard for Privileged Passwords begins reminding the user that their password is about to expire.

    Range: 0 to 30 days

    Default: 14 days

    Password History

    Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in first-out basis.

    NOTE: Administrators are not restricted by the password history setting.

    Range: 0 to 24 old passwords; a value of 0 (zero) disables password history restrictions, allowing users to reuse old passwords at any time.

    Default: 5 stored passwords
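
The following Python model, added here as an illustration and not Safeguard's own code, shows how the Lockout Threshold, Lockout Window and Lockout Duration values above interact: failures are counted only inside the window, a threshold of 0 disables lockout, a duration of 9999 holds the lock until an administrator unlocks the account, and a successful sign-in ends the run of consecutive failures (that reset is this example's reading of "consecutive"). The class names, the in-memory store and the timestamps are this example's assumptions; Token Lifetime and Disable After are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example, not Safeguard's implementation: names and state handling are assumed.
MANUAL_UNLOCK = 9999   # Lockout Duration value meaning "until an administrator unlocks"


@dataclass
class LoginControl:
    lockout_threshold: int = 5    # consecutive failures that lock the account; 0 = never lock
    lockout_window: int = 10      # minutes in which failures are counted; 0 = no time limit
    lockout_duration: int = 15    # minutes the lock lasts; 9999 = manual unlock only

    def validate(self) -> None:
        """Reject values outside the ranges the settings page accepts."""
        if not 0 <= self.lockout_threshold <= 100:
            raise ValueError("Lockout Threshold must be 0 to 100")
        if not 0 <= self.lockout_window <= 15:
            raise ValueError("Lockout Window must be 0 to 15 minutes")
        if not 1 <= self.lockout_duration <= 9999:
            raise ValueError("Lockout Duration must be 1 to 9999 minutes")


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)   # timestamps of recent failures
    locked_until: Optional[datetime] = None                  # datetime.max = manual unlock


class LockoutTracker:
    def __init__(self, policy: LoginControl) -> None:
        policy.validate()
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed sign-in at `now`; return True if the account is locked afterwards."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return True
        p = self.policy
        if p.lockout_threshold == 0:
            return False                       # lockout disabled
        if p.lockout_window > 0:
            # Only failures inside the window count towards the threshold.
            cutoff = now - timedelta(minutes=p.lockout_window)
            st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) >= p.lockout_threshold:
            st.failures.clear()
            if p.lockout_duration == MANUAL_UNLOCK:
                st.locked_until = datetime.max
            else:
                st.locked_until = now + timedelta(minutes=p.lockout_duration)
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """A correct password is refused while locked; otherwise it ends the run of failures."""
        if self.is_locked(user, now):
            return False
        self.accounts.setdefault(user, AccountState()).failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        """What an administrator does from the console to unlock a user's account."""
        st = self.accounts.get(user)
        if st is not None:
            st.locked_until = None
            st.failures.clear()


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed timestamps for the demonstration
    tracker = LockoutTracker(LoginControl())   # defaults: 5 failures / 10 min window / 15 min lock
    for i in range(5):
        print(f"failure {i + 1}: locked={tracker.record_failure('alice', t0 + timedelta(minutes=i))}")
    print("locked 10 minutes later:", tracker.is_locked("alice", t0 + timedelta(minutes=14)))
    print("locked after the duration expires:", tracker.is_locked("alice", t0 + timedelta(minutes=19)))
```

Running the module shows the default policy locking the account on the fifth failure and releasing it 15 minutes later; changing `lockout_window` to 0 shows why the window matters, since five failures spread three minutes apart never lock the account under the default window but do lock it with no window.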

Password Rule

Navigate to Administrative Tools | Settings | Safeguard Access | Password Rule.

Password rules define the complexity requirements for user authentication to Safeguard for Privileged Passwords. You can create rules governing the type of password a user can create, such as:

  • Set the allowable password length in a range from 3 to 255 characters.
  • Set first characters type and last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

NOTE: These rules only apply to local users; they do not impact users accessing Safeguard for Privileged Passwords from an external provider such as Microsoft Active Directory. The password rules are listed in the Set password dialog. For more information, see Setting a local user's password.

Related Topics

Safeguard Access settings

Modifying user password requirements

Account Password Rules

Modifying user password requirements

It is the responsibility of the Authorizer Administrator to configure the user password rules.

To configure user password rules

  1. Navigate to Administrative Tools | Settings | Safeguard Access | Password Rule.
  2. Set the Password Length: the range of allowable password lengths, from 3 to 255 characters.

    Default: 8 to 64 characters

    NOTE: The maximum length must be equal to or greater than the sum of the minimum characters required in the next step; otherwise no password can satisfy the rule. For example, if the password must have 2 uppercase letters, 2 lowercase letters, and 2 numeric characters, no password shorter than 6 characters can pass, so the length range must allow at least 6 characters.

  3. Set the character Requirements:

    • First Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Last Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Repeated Characters: Choose one of the following:
      • Allow repeated characters: Any letter, number, or symbol can be repeated in any order, including consecutively. You can still limit how many characters of one class (uppercase letters, lowercase letters, numbers, symbols, or a combination of those) may appear consecutively, under Advanced in the sections that follow.
      • No consecutive repeated characters: No letter, number, or symbol can be repeated immediately after itself.
      • No repeated characters: Each letter, number, or symbol can be used only once in the password.
    • Alpha Character:
      • Allow Uppercase: Select to allow uppercase (capital) letters.
        • Minimum of [enter a number] Required Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any uppercase characters you want to exclude from the password. This field is case sensitive.
      • Allow Lowercase: Select to allow lowercase (small) letters.
        • Minimum of [enter a number] Required Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
      • Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Max Allowed.

        For example, if you set the Max Allowed at 2, then you cannot have more than 2 alphabetic characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not, because it has 3 alphabetic characters in a row.

    • Numeric Character:
      • Allow Numeric (0-9): Select to allow numeric characters in the password.
        • Minimum of [enter a number] Required Numbers: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at 0.
        • Click Advanced to set the following:
          • Limit Consecutively Repeated Numeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated numbers. You must enter a Max Allowed value of 1 or more.
          • Excluded Characters: Enter any numbers (0 through 9) you want to exclude from the password.
    • Alphanumeric Characters
      • Limit Consecutively Repeated Alphanumeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated alphanumeric characters. You must enter a Max Allowed value of 1 or more.
    • Symbols:
      • Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
      • Minimum of [enter number] Required Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at 0.
      • Click Advanced to set the following:
        • Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Max Allowed value of 1 or more.
        • Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
        • Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
  4. Click Test Rule to check the rules set.
  5. When the rules are complete, click OK.
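
The following Python validator, added here as an illustration and not Safeguard's own code, applies a rule set built from the options above to a candidate password, much as Test Rule does, and also checks the rule set itself for the length-versus-minimums conflict described in step 2. It treats each "Limit Consecutively Repeated ..." setting as a cap on a run of characters of that class, as in the Ab1Cd2EF example, and uses its own field names and option labels ("all"/"alphanumeric"/"alphabetic" for the character types, "allow"/"no_consecutive"/"none" for repeats); the defaults chosen for the Allow check boxes are assumptions, not the dialog's.

```python
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Added example, not Safeguard's code: field names and option labels are this example's own.
SYMBOLS = set(string.punctuation)   # the printable ASCII symbols the guide lists

@dataclass
class CharClassRule:
    allowed: bool = True                    # Allow Uppercase / Lowercase / Numeric / Symbols
    minimum: int = 0                        # Minimum of N Required Characters
    max_consecutive: Optional[int] = None   # Limit Consecutively Repeated ... (Max Allowed)
    excluded: Set[str] = field(default_factory=set)  # Excluded Characters / Invalid Symbols

@dataclass
class PasswordRule:
    min_length: int = 8                     # Default: 8 to 64 characters
    max_length: int = 64
    first_char: str = "all"                 # all | alphanumeric | alphabetic
    last_char: str = "all"
    repeats: str = "allow"                  # allow | no_consecutive | none
    upper: CharClassRule = field(default_factory=CharClassRule)
    lower: CharClassRule = field(default_factory=CharClassRule)
    numeric: CharClassRule = field(default_factory=CharClassRule)
    symbol: CharClassRule = field(default_factory=CharClassRule)
    max_consecutive_alpha: Optional[int] = None   # Limit Consecutively Repeated Alpha Characters
    max_consecutive_alnum: Optional[int] = None   # Limit Consecutively Repeated Alphanumeric Characters
    valid_symbols: Optional[Set[str]] = None      # Valid Symbols list; None = any printable symbol

    def classes(self) -> Dict[str, CharClassRule]:
        return {"upper": self.upper, "lower": self.lower, "numeric": self.numeric, "symbol": self.symbol}

    def check_rule(self) -> List[str]:
        """Checks on the rule itself: the length range must be sane and the maximum
        length must cover the sum of the per-class minimums, or no password can pass."""
        problems = []
        if not 3 <= self.min_length <= self.max_length <= 255:
            problems.append("length range must satisfy 3 <= min <= max <= 255")
        required = sum(r.minimum for r in self.classes().values() if r.allowed)
        if required > self.max_length:
            problems.append(f"maximum length {self.max_length} is below the {required} required characters")
        return problems

def classify(ch: str) -> Optional[str]:
    # Class of a character; None for space, control and non-ASCII characters.
    for name, members in (("upper", string.ascii_uppercase), ("lower", string.ascii_lowercase),
                          ("numeric", string.digits), ("symbol", SYMBOLS)):
        if ch in members:
            return name
    return None

def longest_run(pw: str, pred: Callable[[str], bool]) -> int:
    best = run = 0
    for ch in pw:
        run = run + 1 if pred(ch) else 0
        best = max(best, run)
    return best

def type_ok(ch: str, kind: str) -> bool:
    return {"all": True, "alphanumeric": ch.isalnum(), "alphabetic": ch.isalpha()}[kind]

def validate(rule: PasswordRule, pw: str) -> List[str]:
    """Return every rule the password violates; an empty list means it passes."""
    errors: List[str] = []
    if not rule.min_length <= len(pw) <= rule.max_length:
        errors.append(f"length {len(pw)} not in {rule.min_length}..{rule.max_length}")
    if not pw:
        return errors
    classes = rule.classes()
    counts = dict.fromkeys(classes, 0)
    for ch in pw:
        cls = classify(ch)
        if cls is None:
            errors.append(f"{ch!r} is not a printable ASCII letter, digit or symbol")
            continue
        if not classes[cls].allowed or ch in classes[cls].excluded:
            errors.append(f"{ch!r} is not permitted ({cls})")
        if cls == "symbol" and rule.valid_symbols is not None and ch not in rule.valid_symbols:
            errors.append(f"{ch!r} is not in the Valid Symbols list")
        counts[cls] += 1
    for name, r in classes.items():
        if r.allowed and counts[name] < r.minimum:
            errors.append(f"needs at least {r.minimum} {name} character(s)")
    if not type_ok(pw[0], rule.first_char):
        errors.append(f"first character must be {rule.first_char}")
    if not type_ok(pw[-1], rule.last_char):
        errors.append(f"last character must be {rule.last_char}")
    if rule.repeats == "none" and len(set(pw)) != len(pw):
        errors.append("no character may be used more than once")
    if rule.repeats == "no_consecutive" and any(a == b for a, b in zip(pw, pw[1:])):
        errors.append("no character may directly repeat itself")
    # Each run limit caps consecutive characters of a class (Ab1Cd2EF passes a limit of 2, AbC1d2EF does not).
    limits = [(name, lambda c, n=name: classify(c) == n, r.max_consecutive) for name, r in classes.items()]
    limits += [("alphabetic", str.isalpha, rule.max_consecutive_alpha),
               ("alphanumeric", str.isalnum, rule.max_consecutive_alnum)]
    for label, pred, limit in limits:
        if limit is not None and longest_run(pw, pred) > limit:
            errors.append(f"more than {limit} consecutive {label} characters")
    return errors
```

Call `rule.check_rule()` before saving a rule set and `validate(rule, candidate)` for each password you want to test; `validate(PasswordRule(min_length=3, max_consecutive_alpha=2), "AbC1d2EF")` reports the three-letter run from the example above, while the same call on "Ab1Cd2EF" returns an empty list.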

 

 
