Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.7 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Adding an account to an asset

Use the Accounts tab on the Assets view to add an account to an asset. You can acc an account to an asset or add a directory account to a directory asset. Steps for both follow.

To add an account to an asset

  1. Navigate to Administrative Tools | Assets.
  2. In Assets, select an asset from the object list and open the Accounts tab.
  3. Click Add Account from the details toolbar.
  4. Enter the account information and click Add Account.

  5. In the Account dialog, enter the following information:

    • Name:

      • Local account: Enter the login user name for this account. Limit: 100 characters.
      • Directory Account: Browse to find the account.

    • Description: (Optional) Enter information about this managed account. Limit: 255 characters.

    • Profile: Browse to select a profile to govern this account.

      By default an account inherits the profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a profile.

    • Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.

    • Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.

    • (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.

Directory assets

If you add directory user accounts to a directory asset, Safeguard for Privileged Passwords will automatically change the user passwords according to the profile schedule you set, which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.

For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

To add a directory account to a directory asset

  1. Navigate to Administrative Tools | Assets.
  2. In Assets, select a directory asset from the object list and open the Accounts tab.
  3. Click Add Account from the details toolbar.
  4. In the Find Accounts dialog, click Browse to select a container within the directory as the Filter Search Location.
    1. The Include objects from sub containers check box is selected by default, indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.
    2. In the Name field, enter a full or partial account name and click Search.

      To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches each domain of a forest. You can search on partial strings. For example, if you enter "ad," it will find any user Name or Distinguished Name that contains "ad." The text search is not case-sensitive and does not allow wild cards.

  5. The results of the search displays in the Select the Account(s) to Add grid. Select one or more accounts to add to Safeguard for Privileged Passwords.

    • Adding account dependencies

     

    One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.

    Configuring account dependencies on an asset

    1. Directory accounts:
      1. You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account.

      2. From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account.

    2. Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account. The service account must be a domain account if the asset is Windows SSH platform, but does not have to be a domain account if the asset is a Windows Server platform.
      Follow these steps:
      1. Navigate to Administrative Tools | Assets.
      2. Select a the asset (such as a Windows server) from the object list and open the Account Dependencies tab.
      3. Click Add Account from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.

    3. Discovery: To update the asset, you must configure the Account Discovery job for the dependent asset. Navigate to Administrative Tools | Discovery | Account Discovery and select these check boxes:

      • Discover Services
      • Automatically Configure Dependent System.

      For more information, see Adding an Account Discovery job.

    4. Partition profiles:

      1. The target directory account must be in the same partition profile as the dependent asset.
      2. You must configure the dependent asset's partition profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a profile.

    Adding an asset to asset groups

    Use the Asset Groups tab on the Assets view to add an asset to one or more asset groups.

    Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms.. This section lists SPP and SPS support by platform.

    To add an asset to asset groups

    1. Navigate to Administrative Tools | Assets.
    2. In Assets, select an asset from the object list and open the Asset Groups tab.
    3. Click Add Asset Group from the details toolbar.
    4. Select one or more asset groups from the list in the Asset Groups selection dialog and click OK.

    If you do not see the asset group you are looking for and have Security Policy Administrator permissions, you can click Create New and add the new asset group. Enter the information and click Add Asset Group. For more information on creating asset groups, see Adding an asset group.

    Modifying an asset

    You can modify an asset.

    To modify an asset

    1. Navigate to Administrative Tools | Assets.
    2. In Assets, select an asset from the object list.

    3. Select the view of the asset's information you want to modify ( such as General, Accounts, or Account Dependencies, Access Request Policies, Asset Groups, Discovered Services, or History).

      For example:

      • To change an asset's connection information, for example, connection timeout, double-click the Connection information in the General tab or click the  Edit icon. You can also double-click an asset name to open the General settings edit window.

        NOTEs:

        The following notes apply to attempting to change information on the General tab.

        • Profile: You can only edit or remove a Service Account Profile when adding an asset. To update or remove the asset's service account profile, go to Accounts, select the service account, and edit it to update the profile. For more information, see General tab (account).

        • Management tab, Product: Other platform details: Any Other platform type can be changed to different platform type. Conversely, any platform type can be changed to Other, however, any property values specific to the current platform type will be lost. For example, you may want to change an Other Linux operating system to any type of Linux, such as AIX, HP-UX, or Solaris. Then, the specific platform type can be changed back to Other, if needed.

      • To add (or remove) an account to this asset, switch to the Accounts tab.
      • To add (or remove) a directory account to a Windows server as an account dependency, switch to the Account Dependencies tab. For more information, see Adding account dependencies.

    4. To view or export the details of each operation that has affected the selected asset, switch to the History tab. To export, select the time frame then click Export.

    Related Topics

    Adding an asset

    Adding a custom platform

    Creating a custom platform script

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating