Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.7 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Add Condition (asset discovery)

An Asset Discovery rule can have more than one condition, and each condition can have one or more constraints. When Safeguard for Privileged Passwords runs the discovery job, it finds all assets that meet all of the search conditions.

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Add Condition.

Add Find All condition

  1. In the Condition dialog, in Find By, choose Find All.

  2. If you are setting up an Asset Discovery job for a directory, Browse the Filter Search Location to select a container within the directory to search for assets. Select Include objects from sub containers to include objects from sub containers or clear the check box to exclude child objects from discovery.

  3. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  4. Click OK.

Add Constraints condition

  1. In the Condition dialog, in Find By, choose Constraints.
  2. To change the Filter Search Location, click Browse and select the search location that is the scope of the search. Network Scan Asset Discovery jobs don't support the search bases settings.

  3. (Optional) Select Include objects from sub containers to discover assets in sub-containers.

  4. To apply constraints (search criteria):

    1. Select a property:

      • Name
      • Description
      • Network Address
      • Operating System

      • Operating System Version

      NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.

    2. Select an operation:

      • Equals
      • Not Equals
      • Starts With
      • Ends With
      • Contains
    3. In the text box, type a value of up to 255 characters. The search is case-sensitive and does not allow wild cards.
  5. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.
  6. You can add or delete search constraints:
    1. Click Add to additional constraints to your search criteria.
    2. Click Delete to remove the corresponding constraint from your search criteria.
  7. Click OK to save your selections.

Add LDAP Filter (for LDAP or Active Directory) condition

Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).

  1. In the Condition dialog,
    1. Find By: Choose LDAP Filter and enter the search criteria to be used. 

    2. Filter Search Location: Browse to select a container within the directory to search for assets.

      TIP: Do not select the Directory Root for Asset Discovery jobs.

    3. Include objects from sub containers: Optionally, select this check box to search for assets in sub-containers.
  2. Click Preview to test the conditions you have configured.
  3. Click OK to save your selections.

Add Group for a Directory condition

This condition is only available for a Directory discovery job.

  1. In the Condition dialog:
    1. Find By: Choose Group.
    2. Click Add to launch the Group dialog.

    3. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

    4. Filter Search Location: Browse to select a container to search within the directory.
    5. Include objects from sub containers: Select this check box to include child objects.
    6. Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.

  2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  3. Click OK to save your selections.

Edit Connection Template (asset discovery)

You can change how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets. The default Connection Template is None so assets are authenticated manually.

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Connection Template.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To edit connection template information

  1. Navigate to the Asset Discovery Rule dialog, click Edit next to Connection Template.
  2. In the Connection Template dialog, Product defaults to Use Discovered Platform. You can select a different product and may need to completed additional information based on the product selected.

  3. Select an Authentication Type:

    • SSH Key: To authenticate to the asset using an SSH authentication key.

      • Browse to select an SSH Key and provide the service Service Account Name.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.

      • Under Service Account Name, click Select Account to choose the directory account. The Service Account Profile for the directory account displays for reference.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Password: To authenticate to the assets using a local service account and password.

      • Enter the Service Account Name and Password.
      • You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
    • None: The accounts associated with the asset are not managed and no asset related credentials are stored.

  4. Click Advanced to enter settings if you selected one of these authentication types: SSH Key, Directory Account, or Password. If you selected None, the Advanced settings are not needed and are ignored, if entered.

    • Privilege Elevation Command:

      If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.

    • Port: Enter the port number for the connection.
    • Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.
    • RDP Port: Specify the access port on the target server to be used for RDP session requests.
    • SSH Port: Specify the access port on the target server to be used for SSH session requests.
    • Connection Timeout: The session timeout period.
    • Privilege Level Password: Enter the system enable password to allow access to the configuration.
    • Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).
    • Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL

    • Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset’s certificate in Safeguard for Privileged Passwords's Trusted Certificates store. One Identity does not recommend disabling this option in production environments.

    • Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.
    • Instance: Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
  5. Click OK.
  6. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.

Add Asset Profile (asset discovery)

During Asset Discovery, Safeguard for Privileged Passwords automatically adds the assets that it finds and begins to manage them according to the settings in the asset profile you set on the Rules tab.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Asset Profile.

To edit the asset profile information

  1. Click Edit next to Asset Profile.

  2. Browse to select a profile to govern the discovered assets.

    Note: You can only choose a profile that is associated with the partition selected in the General tab (asset discovery).

  3. Click OK to save your selection.

Schedule tab (asset discovery)

From the Asset Discovery dialog, Schedule tab, configure when you want to run the Asset Discovery job.

Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)

  • Configure the following.

    To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

    • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.

    • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

    • Days: The job runs on the frequency of days and the time you enter.

      For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

    • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

      For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

    • Months: The job runs on the frequency of months at the time and on the day you specify.

      For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

  • Select Use Time Windows if you want to enter the Start and End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

    For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

    Enter Every 10 Minutes and Use Time Windows:

    • Start 10:00:00 PM and End 11:59:00 AM

    • Start 12:00:00 AM and End 2:00:00 AM

      An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

    If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

    For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

    For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

  • Time Zone: Select the time zone.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating