Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0 LTS - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

What's new in version 2.10.0.10980

One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.

A2A service supports events for multiple accounts (804349)

Using the A2A service, an administrator can use a single signalR connection to monitor password change events for multiple accounts across multiple A2A registrations.

A signalR connection failure message is returned if any of the following occur:

  • The accounts sent in the authorization header is larger than 8K.
  • One or more of the API keys sent failed validation.
  • One or more of the API keys sent failed to match the user certificate used for authentication. This may occur across multiple A2A registrations.

Active Directory account discovery dynamic tags and dynamic groups (798532)

An Asset Administrator can:

  • Dynamically tag an account from Active Directory.
  • Add an account to a dynamic account group based on membership in an Active Directory group.
  • Add an account to a dynamic account group based on if the account is in a particular organizational unit (OU) in Active Directory.

The options to select Include objects from sub containers is available when adding an account discovery rule from Administrative Tools | Discovery | Account Discovery | Account Discovery Rule dialog. For more information, see Adding an Account Discovery rule.

Configure Web Client Inactivity Timeout (803424, 782603)

The Appliance Administrator can configure the Web Client Inactivity Timeout which is the time that has elapsed since the user made a request to the server. The minimum value is 5 minutes and the maximum value is 2880 minutes (2 days). When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes. To configure the value, navigate to Administrative Tools | Settings | Safeguard Access | Login Control and set Web Client Inactivity Timeout.

"Other Managed" platform type (805372)

To ensure the automation environment is compliant, a System Integrator can use a generated password that is securely stored and periodically rotated.

To ensure compliance in an ultra secure environment, an Asset Administrator can manage an asset that Safeguard for Privileged Passwords cannot connect to (for example, when there is a one-way firewall).

In the Add Asset dialog under the Management tab, select the Product setting Other Managed. When selected, Safeguard for Privileged Passwords stores the password and can automatically check and change it per the profile configuration. There is no active connection or service account. The passwords are rotated internally and an event notifications is sent when the rotation is complete. Another component or piece of automation can change the password or make use of the password in the configuration files. For example, a listener can pick up the change event via the Safeguard for Privileged Passwords Application to Application (A2A) service and perform actions, as required.

What's new in version 2.11.0.11444

One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.

Access requests proceed regardless of the review state of an earlier request (TFS 805354/DevOps 191598)

Policy Administrators can choose to allow subsequent access requests to proceed even if the required review on a previous access request is incomplete. This prevents blocking a new session request when the prior request requires a review and the review is not done. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy) | Reviewer tab. For more information, see Reviewer tab.

Audit history for passwords and sessions (TFS 797263/DevOps 191549)

In preparation for a future release of Safeguard for Privileged Sessions, a toggle has been added to allow the Safeguard for Privileged Passwords Appliance Administrator to push audit data to SPS. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services. For more information, see Enable or Disable Services .

Azure to run in the cloud (191524)

Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace.

Generic ticket system without ticket system validation (TFS 794519/Dev Ops 191534)

Policy Administrators can require requesters to reference a ticket number in their password or session access request. Tickets do not have to be validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request and serves as a reference visible in the Activity Center. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems. In Type, select Other. For more information, see Ticketing systems.

Support dynamic grouping for assets based on Active Directory groups (TFS 806225/ DevOps 191499)

Implementers can create tags / asset groups based on any Active Directory group of which the asset is a member unrelated to discovery.

For account or asset groups, use the rule editor controls on:

  • Account Rules tab of the Dynamic Account Group dialog
  • Asset Rules tab of the Dynamic Asset Group dialog

To add a dynamic tag for an asset or asset account, use the New button on the Tags pane in the Settings | Asset Management settings page.

Web client (TFS 795288/DevOps 200361)

The Safeguard for Privileged Passwords web client provides a web-based user interface that can be used instead of the desktop client for the request workflow and some administration functions.

Requesters use the web client to:

  • Search for and request password access, session access, or both.
  • Concurrently request access to multiple passwords and sessions.
  • Create and use a favorite to quickly access the common access requests.

Reviewers use the web client to review requests.

Approvers use the web client to:

  • See the access requests awaiting approval.
  • See which access requests require immediate attention.
  • View the details of each access request.
  • Approve or deny an access request.
  • Select multiple access requests to approve or deny at the same time.
  • Return to an approved, active access request and revoke the request.

Administrators can also use the web client to:

  • Configure time, network, and license.
  • Shutdown or reboot the appliance

For more information, see Using the web client.

Windows SSH platform (TFS 792427/DevOps 191511)

Safeguard for Privileged Passwords can utilize SSH to connect to the target Windows asset and run commands to manage standard platform tasks. Using SSH only requires opening a single well known SSH port. OpenSSH is the recommended connectivity tool; however, other SSH servers may also work. Windows SSH assets support both SSH password and SSH session access requests. From Administrative Tools | Assets | Management tab, you can select the Product as Windows SSH and the Version.

Best practices

When configuring the SSH service on the asset, it is recommended to use automatic (versus manual) startup. You can also set the default shell to PowerShell. You can control this by going to HKLM\SOFTWARE\OpenSSH and creating a new string value called "DefaultShell and setting it to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

Glossary

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating