One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Help Desk Administrator permissions

A Help Desk Administrator:

  • Sets passwords for non-administrative user accounts.
  • Unlocks accounts for all user accounts.

NOTE: Help Desk Administrators can only view the user object history for their own account.

Table 232: Help Desk Administrator: Permissions

Navigation: Permissions

Activity Center: View and export user activity events.

Administrative Tools | Toolbox: Access to the Users view and the Tasks pane.

Administrative Tools | Settings:
  • Messaging: (View only) login notification; set the message of the day.
  • Safeguard Access: View only for login control, password rules, and time zone.

Administrative Tools | Users: Set passwords and unlock accounts for non-administrator users. A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password.

Operations Administrator permissions

The Operations Administrator monitors the status of the appliance and can reboot the appliance.

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.

Table 233: Operations Administrator: Permissions

Navigation: Permissions

Activity Center: View and export appliance activity events.

Administrative Tools | Toolbox: Access to the Tasks pane.

Administrative Tools | Settings | Access Request: (View only) Enable or disable configurations for:
  • Access requests
  • Password and SSH key management services
  • Discovery of objects
  • Directory sync
  • Session module password access

Administrative Tools | Settings | Appliance: Appliance actions including:
  • Appliance information and control:
    • The status of the appliance, performance, and memory.
    • Shut down or restart the appliance.
  • (View only) Enable or disable services, including the Application to Application functionality and the Audit Log Stream Service.
  • (View only) Licensing to add or update the Safeguard for Privileged Passwords license.
  • Enable or disable Lights Out Management (BMC).
  • Network diagnostics to run diagnostic tests on your appliance.
  • (View only) Networking to view and configure the network interface and, if applicable, the sessions network interface.
  • (View only) Operating system licensing for the virtual appliance.
  • (View only) Time to enable Network Time Protocol and set the primary and secondary NTP servers.

Administrative Tools | Settings | Backup and Retention: View only, except that an Operations Administrator can take a backup. As noted above, it may appear that the Operations Administrator can edit data, but the change cannot be saved.
  • Archive server
  • Audit log management
  • Backup and restore (can take a backup)
  • Backup retention

Administrative Tools | Settings | Certificates: View only:
  • Audit log signing certificate
  • Certificate signing request
  • SSL certificates
  • Trusted certificates

Administrative Tools | Settings | Cluster: View only:
  • Cluster management and health monitoring.
  • Managed networks definition for load distribution.
  • Offline workflow settings that trigger offline workflow if an appliance has lost consensus.
  • Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable.

Administrative Tools | Settings | External Integration: View only:
  • Application to Application (A2A) configuration for application registrations.
  • Approval Anywhere service for access request approvals.
  • Email to send event notifications.
  • Identity providers and authentication providers to use when logging in; the grid is visible but not the details.
  • SNMP configuration to send SNMP traps to the SNMP console.
  • Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA).
  • Syslog server configuration to send event notifications.
  • Ticketing system configuration for an external ticketing system or for generic tickets not tied to an external ticketing system.

Administrative Tools | Settings | Messaging: Perform messaging activities including:
  • (View only) Login notification configuration.
  • Message of the day creation.

Administrative Tools | Settings | Safeguard Access: View only:
  • Login control configuration for user login settings.
  • Password rules configuration, including complexity rules.
  • Time zone to set the time zone.

Security Policy Administrator permissions

The Security Policy Administrator configures the security policies that govern the access rights to accounts and assets, including the requirements for checking out passwords, such as the maximum duration, whether password or SSH key reasons are required, whether emergency access is allowed, and so on. This user may not know any details about the assets.

This user configures time restrictions for entitlements and who can request, approve and review access requests.

  • Creates account groups, asset groups, and user groups.
  • Creates entitlements.
  • Configures access request policies.
  • Adds users or user groups to entitlements to authorize those accounts to request passwords.
  • Can assign linked accounts to users for entitlement access policy governance.

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

Table 234: Security Policy Administrator: Permissions

Navigation: Permissions

Dashboard | Access Requests: Full control to manage access requests.

Activity Center: Perform activities:
  • View and export security-related activity events, including access request events
  • Audit access request workflow

Reports: View and export entitlement reports.

Administrative Tools | Toolbox: Perform activities:
  • Access to the Account Groups, Asset Groups, Entitlements, Users, and User Groups views
  • Access to the Tasks pane

Administrative Tools | Account Groups: Perform account group activities including:
  • Add, modify, or delete account groups and dynamic account groups
  • Add accounts to account groups
  • Add access request policies to account groups

Administrative Tools | Asset Groups: Perform asset group activities including:
  • Add, modify, or delete asset groups and dynamic asset groups
  • Add assets to asset groups
  • Assign access request policies to asset groups

Administrative Tools | Entitlements: Perform entitlement activities including:
  • Add, modify, or delete entitlements
  • Add users or user groups to entitlements
  • Define and maintain access request policies
  • Assign policies to entitlements

Administrative Tools | Settings:
  • Access Request | Reasons: Add, modify, or delete reason codes.
  • Cluster | Session Appliances: If Safeguard for Privileged Passwords (SPP) is linked to Safeguard for Privileged Sessions (SPS), view the appliance information for the link.
  • External Integration: Perform external integration activities including:
    • Application to Application (A2A) configuration for application registrations.
    • Approval Anywhere service for access request approvals.
    • Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA).
    • (View only) Ticketing system configuration for an external ticketing system or for generic tickets not tied to an external ticketing system.
  • Messaging: Messaging activities including:
    • (View only) Login notification configuration
    • Message of the day creation
  • Safeguard Access: View only for login control, password rules, and time zone.

Administrative Tools | Users: Perform user activities including:
  • Add users to user groups, including setting the Personal Passwords permission to use the personal password vault
  • Add users to entitlements
  • Link directory accounts to a user
  • View and export the history of users

Administrative Tools | User Groups: Perform user group activities including:
  • Add, modify, or delete local user groups
  • Add local or directory users to user groups
  • Assign entitlements to user groups
  • View and export the history of users

User Administrator permissions

The User Administrator:

  • Creates (or imports) Safeguard for Privileged Passwords users.
  • Grants Help Desk Administrator permissions to users.
  • Sets passwords, unlocks users, and enables or disables non-administrator user accounts.
  • Also has Help Desk Administrator permissions.

Considerations:

  • User Administrators cannot modify administrator passwords, including their own.
  • User Administrators can change the permissions for their own account, which may affect their ability to grant Help Desk Administrator permissions to other users. Changes you make to your own permissions take effect the next time you log in.

Table 235: User Administrator: Permissions

Navigation: Permissions

Activity Center: View and export user activity events.

Administrative Tools | Toolbox:
  • Access to the Users and User Groups views
  • Access to the Tasks pane

Administrative Tools | Settings:
  • External Integration | Identity and Authentication: View only.
  • Messaging | Message of the Day: (View only) login notification; set the message of the day.
  • Safeguard Access: View only for login control and password rules. Time zone: view the time zone and control whether users can modify their own time zone.

Administrative Tools | Users: Perform actions including:
  • Add, modify, delete, or import local and directory users, including setting the Personal Passwords permission to use the personal password vault
  • Set passwords and unlock accounts for non-administrator users; a Help Desk Administrator can unlock another Help Desk user but cannot set that user's password
  • Enable or disable non-administrative users
  • Set Help Desk Administrator permissions

Administrative Tools | User Groups: Perform actions including:
  • View and delete user groups
  • Add or delete directory groups, if a directory has been added
  • Set the Personal Passwords permission to use the personal password vault