Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.13.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Adding an account to an asset

Use the Accounts tab on the Assets view to add an account to an asset.

You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset.

You can add an account to an asset or add a directory account to a directory asset. Steps for both follow.

Directory assets

If you add directory user accounts to a directory asset, Safeguard for Privileged Passwords will automatically change the user passwords according to the profile schedule you set, which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.

For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

Adding account dependencies

One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.

You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset.

Configuring account dependencies on an asset

  1. Directory accounts:
    1. You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account.
    2. From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account.
  2. Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account if the asset is a Windows Server platform. The service account can be a domain or local account if the asset is a Windows Server platform. If the asset is a Windows SSH platform, then the service account must be a domain account in order to update dependent accounts.

    IMPORTANT: For Windows SSH assets, a local account does not have the access necessary to discover services running as domain accounts. So if a local account is used, Safeguard for Privileged Passwords will only discover services running as local accounts, and domain account dependencies will not be updated.

    Follow these steps:

    1. Navigate to:
      • desktop client: Administrative Tools | Assets.
      • web client: Asset Management | Assets.
    2. Select the asset (such as a Windows server) from the object list and open the Account Dependencies tab.
    3. Click Add Account/New Account from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.
  3. ( desktop client only) Discovery: To update the asset, you must configure the Account Discovery job for the dependent asset. Navigate to Administrative Tools | Discovery | Account Discovery and select these check boxes:

    • Discover Services
    • Automatically Configure Dependent System.

    For more information, see Adding an Account Discovery job.

  4. Profiles:

    1. The target directory account must be in the same profile as the dependent asset.
    2. You must configure the dependent asset's profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a password profile.

Adding users or user groups to an asset

When you add users to an asset, you are specifying the users or user groups that have ownership of an asset.

It is the responsibility of the Asset Administrator (or delegated partition owner) to add users or user groups to assets. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions.

Adding an asset to asset groups

In the desktop client, use the Asset Groups tab on the Assets view to add an asset to one or more asset groups.

Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms. This section lists SPP and SPS support by platform.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating