Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Installing the desktop client Setting up Safeguard for Privileged Passwords for the first time The console Navigation pane Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Historical changes by release Glossary

Time Zone

Safeguard for Privileged Passwords sets a default time zone based on the location and culture of the person performing the set up. The time zone is expressed as UTC + or – hours:minutes and is used for timed access (for example, access from 9 am to 5 pm). It is recommended that the Bootstrap Administrator set the desired time zone on set up. An Authorizer Administrator can also change the time zone.

To configure the time zone

  1. Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone.
  2. Select the time zone in the Default User Time Zone drop-down menu.

Sessions settings

NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.

The embedded sessions module in One Identity Safeguard for Privileged Passwords enables you to issue privileged access to users for a specific period or session and gives you the ability to record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements.

It is the responsibility of the Appliance Administrator to configure the One Identity Safeguard for Privileged Passwords Privileged Sessions settings.

Navigate to Administrative Tools | Settings | Sessions.

Table 177: Sessions settings
Setting Description
Session Recordings Storage Management Where you assign an archive server to an appliance for storing session recordings produced by that appliance.
Embedded sessions module Where you can view the current status of the sessions module, enable debug logging, and reset the sessions module if the module is not responding and users cannot connect to their target systems.
SSH Banner

Where you define the banner text shown to session users notifying them that they are being recorded.

SSH Host Key Where you specify the SSH key to be used for authentication to an SSH session.

Session Recordings Storage Management

NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.

You can immediately archive session recordings from a specific Safeguard for Privileged Passwords Appliance to a specified archive target. When an archive server is configured, session recordings for that appliance are removed from the Safeguard for Privileged Passwords Appliance and stored on the archive server. Use the Session Recordings Storage Management pane to assign archive servers to your Safeguard for Privileged Passwords Appliances.

IMPORTANT: When storing session recordings locally, once the local storage reaches capacity, the oldest recordings will be deleted. When storing session recordings to an archive server, the session recording is archived to the designated server immediately upon completion. As soon as the recording is copied to the archive server, it is removed from the appliance storage.

Safeguard for Privileged Passwords allows you to play back a recording that is stored locally or on the archive server. However, if you are playing back a recording that is stored on an archive server you will need to download it before you can play it. For more information, see Replaying a session.

Navigate to Administrative Tools | Settings | Sessions | Sessions Recordings Storage Management.

Table 178: Session Recordings Storage Management: Properties
Property Description
Appliance ID

The ID assigned to an appliance.

Archive Server Name The name of the designated archive server.

Use these toolbar buttons to manage archive server configurations for session recordings.

Table 179: Session Recordings Storage Management: Toolbar
Option Description

Refresh

 Update the list of designated archive servers being used to archive session recordings.

Assign Archive Server to Appliance

Specify the archive server to be associated with the selected appliance. Clicking this button displays the Archive Servers dialog allowing you to select the archive server where session recordings are to be stored for the selected appliance. For more information, see Assigning an archive server to an appliance.

Unassign Archive Server from Appliance

Unassign the specified archive server from the selected appliance.

Assigning an archive server to an appliance

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session.

It is recommended that you assign an archive server to each appliance in your Safeguard for Privileged Passwords deployment to store that appliance's session recordings. This best practice will prevent you from filling up the appliance's local disk space.

IMPORTANT: Clustered environment: It is highly recommended that you assign an archive server to at least the primary appliance in a clustered environment. You may also want to consider assigning an archive server to each individual appliance in the cluster.

If a replica in the cluster does not have an archive server assigned to it for its session recordings, the primary appliance will act as a proxy for archiving any recordings for that replica. If the primary appliance does not have an archive server assigned for session recordings, the following will happen:

  • Any recorded session produced by the primary appliance will remain on the primary appliance.
  • All recorded sessions produced by any replica in the cluster without an assigned archive server will also remain on the primary appliance.
  • Each of these recordings will be replicated to every cluster member and therefore consume a lot of disk space throughout the cluster.

Therefore, in order to avoid filling up the appliances' disk space, not only on the primary appliance but also on the replica appliances, is to ensure that at least the primary appliance has an archive server assigned for storing session recordings.

To assign an archive server to an appliance

NOTE: Clustered environment: Log into the primary appliance to assign archive servers to your primary appliance and replica appliances.

  1. In Administrative Tools | Settings | Backup and Retention | Archive Servers to configure your archive servers. For more information, see Adding an archive server.

  2. In Administrative Tools | Settings | Sessions | Session Recordings Storage Management to assign an archive server to the appliance.

    1. Select the appliance from the grid.

    2. Click the Assign Archive Server to Appliance toolbar button.

    The name of the target archive server will appear in the Archive Server Name column.

Related Documents