Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0 LTS - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Service Discovery Results

Setting up Service Discovery

To discover Windows services, you must first create an Account Discovery job, including an Account Discovery Rule, and select Discovery Services. When the discovery job is run, services are discovered. The discovery of services is not dependent on the discovery rules. For more information, see Adding an Account Discovery job.

Viewing Service Discovery Results

Service Discovery is configured on an Account Discovery job but runs separately. You can view the results of service discovery by time frame.

  1. Navigate to Administrative Tools | Discovery and click the Service Discovery Results tile.
  2. On the Service Discovery Results grid:
    • Click Refresh to refresh the results.
    • Select the time frame of the completed jobs you want to display which ranges from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
  3. Click Search and enter the character string to be used to search for a match. For more information, see Search box.
  4. View the following information displays for each job:

    • User: The user who ran the job or Automated System, if the job is run on an automated schedule.

    • Date: The most recent date the Account Discovery job successfully ran.
    • Asset: The asset that is associated with the discovery job.
    • Event: The outcome of running the discovery job event, which may be Service Discovery Started, Service Discovery Succeeded, or Service Discovery Failed. Succeeded and failed appear in Event on the Service Discovery Results dialog. All three events display in the Activity Center.
    • Partition: The partition in which the discovered service accounts will be managed.
    • Profile: The partition profile that will govern the discovered service accounts.
    • Account Discovery Job: Name of the discovery schedule.
    • Appliance: The name of the Safeguard for Privileged Passwords Appliance.
    • # Accounts Found: The number of service accounts found during the discovery job.
  5. For additional detail on a Service Account Discovery job result, double-click the result row to view the Service Account Discovery Results pop-up window. On this window, click # of Accounts Found to see a list of the accounts.

Discovered Services

The Discovery | Discovered Services tile displays information for the selected partition on which the services were discovered. If desired, dependencies must be manually removed.

The Asset Administrator or delegated administrator can configure service discovery jobs to scan Windows assets and discover Windows services and tasks that may require authorization credentials. If the Windows asset is joined to a Windows domain, the authorization credentials can be local on the Windows asset or be Active Directory credentials.

Running Service Discovery jobs automatically and manually

Discovered services and tasks association to known Safeguard accounts

Service discovery jobs associate Windows services and tasks with accounts that are already managed by Safeguard for Privileged Passwords. The accounts put under management display with an Account Status of Managed. When the account's password is changed by Safeguard, Safeguard updates the password corresponding to the services or tasks on the asset according to the asset's profile change settings.

Service Discovery with Active Directory

A discovered service or task configured to use Active Directory authentication can be automatically associated to the asset with the account managed by Safeguard. Effectively, the asset will have an account dependency on the account.

To automatically associate, the Account Discovery job (which runs when Safeguard synchronizes the directory) must have the Automatically Manage Found Accounts check box selected. For more information, see Adding an Account Discovery rule.

View Service Discovery job status

From the Activity Center, you can select the Activity Category named Service Discovery Activity, which shows the Event outcomes: Service Discovery Succeeded, Service Discovery Failed, or Service Discovery Started.

Discovered Services toolbar and properties

Navigate to Administrative Tools | Discovery | Discovered Services tile.

Use these toolbar buttons to manage the discovered services.

Table 75: Discovery: Discovered Services toolbar
Option Description

Partition

Select the partition for the discovered services.

Show | Ignore

The Show and Ignore buttons control the Service Ignored column on this window so the administrator can either display or ignore the rows.

The Account Status column is controlled by the Manage and Ignore buttons on the Discovered Accounts grid. For more information, see Discovered Accounts.

Show Ignored

Display the accounts with a Status of Ignored.

Hide Ignored

Hide the accounts with a Status of Ignored.

Refresh

Retrieve and display an updated list of discovered accounts. Ignored accounts are not displayed if Hide Ignored is selected.

Search

Enter the character string to be used to search for a match. For more information, see Search box.

The grid shows the Asset Name, Account, Domain Name, System Name, and Account Status for the Discovered Account that Safeguard found that is matched up with the service discovered. The service is identified by a Service Name (with a Service Type of Service or Task).

Table 76: Discovery: Discovered Services properties
Property Description
Asset Name

The name of the asset where the service or task was discovered.

Account

The name of the account that maps to the Discovered Account column.

Domain Name

The domain name of the account if the account is an Active Directory account. Used to help determine uniqueness.

System Name

The system or asset that hosts the discovered mapped account.

Account Status

The Account Status column is controlled by the Manage and Ignore buttons on the Discovered Accounts grid. For more information, see Discovered Accounts.

The discovered account may be:

  • Managed: A discovered account that is managed
  • Blank (no value): A discovered account that was not auto managed when discovered
  • Ignored: A discovered account that was not auto managed and was ignored from discovery
  • Disabled: A discovered account that previously had the status of Managed and then was marked Ignored
Dependent Account

A check displays if the account is associated as an account dependency on the asset. The value is blank if the account is not associated as an account dependency of the asset. This automatic dependency mapping only happens if the Automatically Manage Found Accounts option is selected on the Account Discovery job associated with the partition profile that is associated to the asset. For more information, see Adding an Account Discovery job.

Service Type

Type of service discovered. Values may be Service or Task.

Service Name

The name of the discovered service or task.

Service Enabled

A check displays if the service or task on the asset is enabled on the target machine. If there is no check mark, the service or task is disabled on the target machine.

Service Ignored

Ignored means the service or task will not show up in the grid. In other words, the service or task is hidden. This is controlled by the Show | Ignore actions on this grid.

Discovered Account

The discovered account name. If the account has an Account Status of Managed, then the Account, Domain Name, and System Name display.

Date/Time Discovered

The date and time when the service or task was discovered.

 

 

Entitlements

A Safeguard for Privileged Passwords entitlement is a set of access request policies that restrict system access to authorized users. Typically, you create entitlements for various job functions; that is, you assign permissions to perform certain operations to specific roles such as Help Desk Administrator, Unix Administrator, or Oracle Administrator. Password release entitlements consist of users, user groups, and access request policies. Session access request entitlements consist of users, user groups, assets, asset groups, and access request policies.

The Auditor and the Security Policy Administrator have permission to access Entitlements. An administrator creates an entitlement then creates one or more access request policies associated with the entitlement, and finally add users or user groups.

Go to  Administrative Tools and click Entitlements. The Entitlements view displays.

If there are one or more invalid or expired policies, a Warning and message like Entitlement contains at least one invalid policy. displays. Go to the Access Request Policy tab to identify the invalid policy. For more information, see Access Request Policies tab.

The following information displays about the selected entitlement:

  • General tab: Displays the general and time restriction settings information for the selected entitlement.
  • Users tab: Displays the user groups or users who are authorized to request access to the accounts or assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a Safeguard for Privileged Sessions join and was assigned and used by a Sessions Appliance. The certificate users created during the join can be added to the Users tab but are not there by default.
  • Access Request Policies tab: Displays the access request policies that govern the accounts or assets in the selected entitlement, including session access policies.
  • History tab: Displays the details of each operation that has affected the selected entitlement.

Use these toolbar buttons to manage entitlements.

Related Topics

Adding an entitlement

Modifying an entitlement

Creating an access request policy

Modifying an access request policy

Deleting an access request policy

General tab

The Administrative Tools | Entitlements | General tab lists information about the selected entitlement.

Large tiles at the top of the tab display the number of Users, Accounts, and Assets associated with the selected entitlement. Clicking a tile heading opens the corresponding tab.

Table 77: Entitlements General tab: General properties
Property Description
Name

The entitlement name.

Priority

A unique number that determines the processing order of the entitlement in relation to other entitlements. For more information, see About priority precedence.

Table 78: Entitlements General tab: Time restrictions properties
Property Description
Time Restrictions

The days and times this entitlement is in effect. For more information, see About time restrictions.

Expires

The day and time this entitlement expires.

Description: Information about the selected entitlement.

Related Topics

Modifying an entitlement

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating