Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Reviewer tab

Use the Reviewer tab to define the reviewer settings for an access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 108: Access Request Policy: Reviewer tab properties
Property Description

Review Not Required

This check box is selected by default, indicating that no review is required for completed access requests for accounts and assets governed by this policy.

Review Required

Select this check box to require a review of completed access requests for accounts and assets governed by this policy.

  • Qty: Enter or select the minimum number of people required to review a completed access request.
  • Reviewers: Browse to select one or more users or groups of users who can review access requests for accounts and assets governed by this policy.

    Use the Clear icon to remove an individual reviewer user or user group from this list or right-click and select Remove All to clear all users from the list.

A reviewer can only review an access request once it is completed.

The users you authorize as reviewers receive alerts when an access request requires their review if they have Safeguard for Privileged Passwords configured to send alerts.

TIP: As a best practice, add user groups as reviews rather than individuals. This makes it possible to add an individual reviewer to a pending access request. In addition, you can modify a reviewers list without editing the policy.

Require Comment

Select this check box if the reviewer is required to enter a comment when reviewing an access request.

Pending reviews do not block access

Select this check box when you want to allow new access requests whether a prior request is approved or not approved. In other words, no requests will be blocked based on the approval status of a prior request.

Notify if reviewers have pending reviews after

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before reminding the escalation notification contact list about pending reviews.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user.

    If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

You can enter email addresses for non-Safeguard for Privileged Passwords users.

To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

Access Config tab

Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 109: Access Request Policy: Access Config tab properties

Property

Description

Access Type

This is a read-only field displaying the type of access selected on the General tab which may be a:

Credential access type:

  • Password Release
  • SSH Key

Session access type:

  • RDP (Remote Desktop Protocol)
  • SSH (Secure SHell)
  • Telnet

Include password release with sessions requests

If Access Type is RDP, SSH, or Telnet, select this check box to include a password release with session access requests.

Include SSH Key release with sessions requests

If Access Type is RDP, SSH, or Telnet, select this check box to include an SSH Key release with session access requests.

Close expired sessions

If Access Type is RDP, SSH, or Telnet, select this check box to close sessions that have expired.

Change password after check-in

Select this check box if the password is to be changed after the user checks it back in. This check box is selected by default.

Change SSH key after check-in

Select this check box if the SSH key is to be changed after the user checks it back in. This check box is selected by default.

Passphrase Protect SSH Key

If Access Type is SSH Key, select this check box to require a passphrase for the SSH key.

Allow simultaneous access

Select this check box to allow multiple users access to the accounts and assets governed by this policy. Use the next check box to identify how many users can have access at once.

Maximum users at one time

When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time.

Asset-Based Session Access

If Access Type is RDP, SSH, or Telnet, select one of the following options to define the type of account credentials to be used to access any of the assets defined in the policy scope, in addition to the accounts defined in the policy scope when a session is requested:

  • None (default): The credentials are retrieved from the vault when the session is requested.
  • User Supplied: The requester user must provide the credentials when the session is requested.
  • Linked Account: The requester user's account is linked to a directory account that will be used when the session is requested.
    • Enable scope filtering for linked accounts: When selected, this setting allows you to limit the number of requestable accounts to linked accounts that are also defined in the policy scope.

      NOTE: If the policy scope includes only assets/asset groups and no accounts, then the scope filtering setting has no effect, and the policy is available to all of the linked directory accounts on each scoped policy asset.

  • Directory Account: Use the Browse button to select one or more directory accounts to be used when the session is requested.

    If the Directory Account was migrated from an SPP version prior to 2.7, the directory account identifier may be blank, because earlier SPP versions understood only one assignment and version 2.7 results in multiple assignments.

Allow password access to linked accounts

If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user’s linked account is governed by the other configurations defined in this policy. For more information, see Linked Accounts tab (user).

Additionally, Enable scope filtering for linked accounts can be selected in order to limit the number of requestable accounts to linked accounts that are also defined in the scope.

Session Settings tab

You select the one cluster or appliance to which the policy applies.

  1. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy), then the Session Settings tab.
  2. If you see a message like No SPS connection policies found., you may have selected a policy with an invalid connection policy. For more information, see Access Request Policies tab.
  3. In SPS Connection Policy, select the cluster or appliance to which the policy applies.
    • The default is safeguard_default.
    • If you are using telnet with SPS, the telnet Connection Policy created in SPS is available.
    • For other policies, the host name and IP address of the cluster master is displayed first followed by the SPS cluster description.
    • Select Sps Initiate if the access policy is for use by Safeguard for Privileged Sessions (SPS) to create an SPS initiated Access Request.
      • If an SPS_Initiated connection policy is selected when creating an access request, the assets associated by that request will not display. The session-related access policy assigned to SPS_Initiated is filtered out. A connection policy other that SPS_Initiated must be selected to create an Access Request for the asset.
      • For information on the SPS feature availability and use, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
      • To set the Session Module Password Access Enabled toggle, navigate to Settings | Access Request | Enable or Disable Services, Sessions Module.

    You can view the network segments that can be serviced by specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) Appliances within a clustered environment. For more information, see Managed Networks.

    Errors and warnings

    If a policy is not functional, you will see the Warning icon next to a selection. If SPP has not been linked or the link has been deleted, you will see a message like the following: No SPS connection policies found.

Time Restrictions tab

Use the Time Restrictions tab to specify time restrictions for the access request policy.

Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).

Table 110: Access Request Policy: Time Restriction tab properties
Property Description
Use Time Window

Select this option to specify time window for access requests for accounts and assets governed by this policy.

Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see Time Restrictions tab.

Daily calendar

Select and drag the days and hours you want to allow the policy to be effective.

Reset

Click Reset to remove any time restrictions set in the daily calendar.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating