Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Auditor permissions

The Auditor administrator has read-only access to all features, and has the ability to review all access request activity:

  • Monitor appliance information
  • Review everything
  • Export object history
  • Run entitlement reports

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

Table 219: Auditor administrator: Permissions
Navigation Permissions

Dashboard

(View only) Access request and account automation

Activity Center

View and export activity events

Audit access request workflow

Reports

View and export entitlement reports

Administrative Tools | Toolbox

(View only) Access to all Administrative Tools views and the Tasks pane

Administrative Tools | Accounts

View only

Administrative Tools | Account Groups

View only

Administrative Tools | Assets

View only

Administrative Tools | Asset Groups View only

Administrative Tools | Discovery

View only

Administrative Tools | Entitlements

View only

Administrative Tools | Partitions

View only

Administrative Tools | Settings:

 

  • Access Request
View only
  • Appliance

View only

  • Asset Management

View only

  • Backup and Retention
View only
  • Certificates
View only
  • Cluster
View only
  • External Integration
View only
  • Messaging

Login notification: View only.

Set message of the day.

  • Password Management

View only

  • Safeguard Access
View only
  • SSH Key Management

View only

Administrative Tools | Users

View only

Administrative Tools | User Groups

View only

Authorizer Administrator permissions

The Authorizer Administrator is the permissions administrator and performs the following:

  • Creates (or imports) Safeguard for Privileged Passwords users.
  • Grants administrator permissions to users.
  • Sets passwords, unlocks, and enables or disables both local and directory user accounts.
  • Creates and maintains the Local Password Rule.

The Authorizer Administrator also has User Administrator and Help Desk Administrator permissions.

Important: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in.

Table 220: Authorizer Administrator: Permissions
Navigation Permissions

Activity Center

View and export user activity events, including authentication events

Administrative Tools | Toolbox

Access to the Users and User Groups view

Access to Tasks pane

Administrative Tools | Settings

 
  • External Integration | Identity and Authentication

Add, update, and delete directories used for identity and authentication.

External Federation and Radius providers can be configured for authentication use.

  • Messaging

Login notification (view only)

Set message of the day

  • Safeguard Access

Perform access activities including:

  • (View only) Login control configuration for user login settings
  • Password rules configuration including complexity rules
  • (View only) Time zone

Administrative Tools | Users

Perform user actions including:

  • Add, modify, delete, or import local and directory users
  • Set administrator permissions

  • Set passwords and unlock users

  • Enable or disable users

Administration Tools | User Groups

Add or delete directory groups, if a directory has

been added

Help Desk Administrator permissions

A Help Desk Administrator:

  • Sets passwords for non-administrative user accounts.
  • Unlocks accounts for all user accounts.

NOTE:  Help Desk Administrators can only view the user object history for their own account.

Table 221: Help Desk Administrator: Permissions
Navigation Permissions
Activity Center View and export user activity events

Administrative Tools | Toolbox

Access to the Users view and the Tasks pane
Administrative Tools | Settings:  
  • Messaging

(View only) Login notification

Set message of the day

  • Safeguard Access

View only: Login control, password rules, and time zone

Administrative Tools | Users

Set passwords and unlock accounts for non-administrator users

A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password.

Operations Administrator permissions

The Operations Administrator monitors the status of the appliance and can reboot the appliance.

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.

Table 222: Operations Administrator: Permissions
Navigation Permissions

Activity Center

View and export appliance activity events

Administrative Tools | Toolbox Access to the Tasks pane

Administrative Tools | Settings | Access Request

(View only) Enable or disable configurations for:

  • Access requests
  • Password and SSH key management services
  • Discovery of objects
  • Directory sync
  • Session module password access

Administrative Tools | Settings | Appliance

Appliance actions including:

  • Appliance information and control:
    • The status of the appliance, performance, and memory
    • Shut down or restart the appliance
  • (View only) Enable or disable services including the Application to Application functionality and the Audit Log Stream Service
  • (View only) Licensing to add or update the Safeguard for Privileged Passwords license
  • Enable or disable Lights Out Management (BMC)
  • Network diagnostics to rune diagnostic tests on your appliance
  • (View only) Networking to view and configure the network interface and, if applicable, the sessions network interface
  • (View only) Operating system licensing for the virtual appliance
  • (View only) Time to enable Network Time Protocol and set the primary and secondary NTP server

Administrative Tools | Settings | Backup and Retention

View only, except an Operations Administrator can take a backup. As mentioned earlier, it may appear the Operations Admin can edit data, but the operation cannot be saved.

  • Archive server
  • Audit log management
  • Backup and restore (can take a backup)
  • Backup retention

Administrative Tools | Settings | Certificates

View only:

  • Audit log signing certificate
  • Certificate signing request
  • SSL certificates
  • Trusted certificates

Administrative Tools | Settings | Cluster

View only:

  • Cluster management and health monitoring
  • Managed networks definition for load distribution
  • Offline workflow to trigger if an appliance has lost consensus to resume offline workflow
  • Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable

Administrative Tools | Settings | External Integration

View only:

  • Application to Application (A2A) configuration for application registrations
  • Approval Anywhere service for access request approvals.
  • Email to send event notifications
  • Identity providers and authentication providers to use when logging in; can view the grid but not details
  • SNMP configuration to send SNMP traps to the SNMP console
  • Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA) and Starling Identity Analytics & Risk Intelligence.
  • Syslog server configuration to send event notifications
  • Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system

Administrative Tools | Settings | Messaging

Perform messaging activities including:

  • (View only) Login notification configuration
  • Message of the day creation

Safeguard Access

View only:

  • Login control configuration for user login settings
  • Password rules configuration including complexity rules
  • Time zone to set the time zone
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating