You can modify an asset.
To modify an asset
- Navigate to Administrative Tools | Assets.
- In Assets, select an asset from the object list.
Select the view of the asset's information you want to modify (such as General, Accounts, Account Dependencies, Access Request Policies, Asset Groups, Discovered Services, or History).
To change an asset's connection information, for example, connection timeout, double-click the Connection information in the General tab or click the Edit icon. You can also double-click an asset name to open the General settings edit window.
NOTE: The following notes apply to attempting to change information on the General tab.
- Profile: You can only edit or remove a Service Account Profile when adding an asset. To update or remove the asset's service account profile, go to Accounts, select the service account, and edit it to update the profile. For more information, see General tab (account).
Management tab, Product: Other platform details: Any Other platform type can be changed to a different platform type. Conversely, any platform type can be changed to Other; however, any property values specific to the current platform type will be lost. For example, you may want to change an Other Linux operating system to any type of Linux, such as AIX, HP-UX, or Solaris. Then, the specific platform type can be changed back to Other, if needed.
- To add (or remove) an account to this asset, switch to the Accounts tab.
- To add (or remove) a directory account to a Windows server as an account dependency, switch to the Account Dependencies tab. For more information, see Adding account dependencies.
To view or export the details of each operation that has affected the selected asset, switch to the History tab. To export, select the time frame then click Export.
The Asset Administrator can delete an asset even if there are active access requests.
IMPORTANT: When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.
To delete an asset
- Navigate to Administrative Tools | Assets.
- In Assets, select an asset from the object list.
- Click Delete Selected.
- Confirm your request.
The Account Discovery tab is only available after Active Directory Asset has been created. On the Account Discovery tab, the default is Do not perform account discovery.
Table 70: Account Discovery tab properties
Select the description of the Account Discovery job desired and the details of the configuration display.
Click Add to add a job or Edit to edit the job. You can click the drop-down and select Do not perform account discovery.
||The partition in which to manage the discovered assets or accounts. |
||The type platform, for example, Windows, Unix, or Directory.|
The directory for account discovery.
Click Schedule to control the job schedule.
Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)
Configure the following.
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
Enter a frequency for Run Every. Then, select a time frame:
- Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.
Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.
- (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.
If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.
You may click Add, Delete, Edit, or Copy to update the Rules grid.
Details about the selected account discovery setting rules may include the following based on the type of asset.
- Name: Name of the discovery job.
- Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule.
- Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
- Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
- Set default password: A check mark displays if the rule causes default passwords to be set automatically.
- Set default SSH key: A check mark displays if the rule causes default SSH keys to be set automatically.
- Assign to Password Profile: The password profile assigned.
- Assign to Sync Group: The name of the assigned password sync group.
- Assign to SSH Key Profile: The name of the assigned SSH Key profile.
- Assign to SSH Key Sync Group: The name of the assigned SSH Key Sync group.
- Enable Password Request: A check mark displays if the passwords is available for release.
- Enable Session Request: A check mark displays if session access is enabled.
- Enable SSH Key Request: A check mark displays if SSH key request is enabled.
Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar then click CSV Template Assistant for the dialog. For more information, see Creating an import file.
Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status.
To import objects
- In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
- Click Import from the toolbar.
- In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
- Click OK. Safeguard for Privileged Passwords imports the objects into its database.
Considerations for valid and invalid data
Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
- Assets PlatformDisplayName property:
- If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
- If it does not find a partial match, it supplies the Other platform type.
- Users TimeZoneId property: If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone. Do not enter numbers or abbreviations for the TimeZoneId.
- Users Password property: Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Managed account users cannot be members of the Protected Users AD Security Group.
Additional information specific to directory import follows.
Import the directory (and service account) via Administrative Tools | Assets | Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
- Import users and user groups.
- Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
- Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
- Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
- Password (modifiable in LDAP and not modifiable in Active Directory)
- Network Address
- Operating System
- Operating System Version
Identity and Authentication Providers schema list
- First Name
- Last Name
- Work Phone
- Mobile Phone
- External Federation Authentication
- Radius Authentication
- Managed Objects