Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.9 LTS - Evaluation Guide

Creating authorizor admin and local admin users

Once you have successfully installed the desktop client application, you must add the objects you need to write access request policies, such as users, accounts, and assets. If your company practices the principles of separation of duties (SoD), the Authorizer Administrator needs to create the following additional administrators.

NOTE: A user can be assigned more than one set of permissions.

To add local administrator users

  1. Log in to the Windows desktop client application as the Bootstrap Administrator.
  2. From the Home page, navigate to Administrative Tools and select Users.
  3. Add the following additional local administrator users.

    IMPORTANT: After creating, log out as the Bootstrap Administrator and log in as the Authorizer Administrator. It is recommended you disable the Bootstrap Administrator for security purposes.

    Username Password Permissions Description



    (Log in as this user to create all other administrators.)




    The administrator responsible for creating all other administrators

    ApplianceAdmin Test123


    The administrator responsible for configuring the appliance
    AssetAdmin Test123 Asset The administrator responsible for adding and managing partitions, assets, and accounts
    Auditor Test123 Auditor The administrator responsible for reviewing all access request activity
    PolicyAdmin Test123 Security Policy The administrator responsible for defining the entitlements and policies that control which assets and accounts a user can access
    UserAdmin Test123 User The administrator responsible for managing users

NOTE: When you choose certain permissions, Safeguard for Privileged Passwords also selects additional permissions. Do not clear these additional settings.

Before you log out, verify that Safeguard for Privileged Passwords added these users.

To view the audit log

  1. From the Home page, navigate to the  Activity Center.
  2. Leave the default search criteria (I would like to see all activity occurring within the last 24 hours).
  3. Click Run.
  4. Explore the results.

    As the Authorizer Administrator, you can view User Authentication and Object History for Audit Events pertaining to users.

  5. Log out.

Configuring external integration settings

First we will log in to the desktop client with an Appliance Administrator account (ApplianceAdmin) to configure the following external integration settings:

  • Starling join (used for secondary authentication and Approval Anywhere)
  • Email notifications

Joining Starling

One Identity Starling Two-Factor Authentication (2FA) is a Software-as-a-Service (SaaS) solution that provides two-factor authentication on a product, enabling organizations to quickly and easily verify a user's identity. This service is provided as part of the One Identity Starling cloud platform. By joining with One Identity Starling, Safeguard for Privileged Passwords customers can take advantage of companion features from multiple Starling services, such as Starling Two-Factor Authentication and Starling Connect.

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling Two-Factor Authentication:

  • Secondary authentication

    Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.

    A Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging in to Safeguard for Privileged Passwords.

  • Approval Anywhere

    The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.

    Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere.

Later in the guide, we will step through the process of configuring a user to require two-factor authentication as well as logging in with two-factor authentication. We will also discuss how to define the users who are authorized to use Approval Anywhere to approve access requests.

To join Safeguard for Privileged Passwords to Starling

NOTE: You must be an Organization Admin for the Starling organization in order to join Safeguard for Privileged Passwords with Starling.

NOTE: You must download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.

  1. Log in to the Windows desktop client as ApplianceAdmin.
  2. From the Home page, navigate to  Administrative Tools | Settings | External Integration | Starling.
  3. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. In addition, the Administrative Tools | Settings | External Integration | Identity and Authentication pane displays Starling 2FA as a secondary authentication provider.

Stay logged in as the ApplianceAdmin for setting up email notifications.

Setting up email notifications

To demonstrate how Safeguard for Privileged Passwords sends out event notifications, you must configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. For the purposes of this software evaluation, we have you set up a template for Access Request Auto-Approval.

To setup email notifications

  1. Navigate to  Administrative Tools and select Settings.
  2. In Settings, select External Integration | Email.
  3. To configure the Email notifications, enter these settings for all Safeguard for Privileged Passwords emails:
    SMTP Server Address

    Enter the IP address or FQDN of the mail server.

    NOTE: If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.

    SMTP Port

    Enter the TCP port number for the email service.

    Sender Email

    Enter your email address.

    Require Transport Layer Security Select this option to require that Safeguard for Privileged Passwords uses TLS to provide communication security over the internet.

To validate your setup

  1. Select the Test Email Settings link.
  2. Enter your email address as the Send To email address and click Send.

    Safeguard for Privileged Passwords sends an email using the configuration settings.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating