Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Settings

(web client) Settings

In the web client, click the  Settings menu on the left to go to the Settings page.

The following Settings are available. See each section for a description of the functions available.

(desktop client) Settings

Using the desktop client, the Settings page in the  Administrative Tools is where you configure Safeguard for Privileged Passwords to run backups, install updates, manage clusters, manage certificates, enable event notifications, enable external integration, define profile configuration settings, define user password and SSH key rules, define discovery rules, and run troubleshooting tools.

You must have administrator permissions to access the Settings page and the administrator permissions you have determine what you can do.

Use the Search control at the top of the Settings page to locate a particular setting. For example, if you type password and press the Enter key, a list of all the password settings appears; select an entry from this list to display the selected settings page.

The following Settings are available. See each section for a description of the functions available.

Access Request settings

desktop client only. (The web client includes the Audit Log Stream Service setting but not Sessions; see Enable or Disable Services settings.)

Use the Access Request settings to enable (or disable) services and to define global reason codes that can be used when creating access request policies.

Navigate to Administrative Tools | Settings | Access Request.

Table 118: Access Request settings
Setting Description

Enable or disable access request and services

Toggle on

Toggle off

Where you enable or disable the following Safeguard for Privileged Passwords services:

  • Requests (sessions, password, and SSH key)
  • Password Management
  • SSH Key Management
  • Discovery
  • Directory
  • Sessions Module
Reasons

Where you configure access request reason codes, which can then be used when creating access request policies.

Enable or disable access request and services

desktop client only. (The web client includes the Audit Log Stream Service setting but not Sessions; see Enable or Disable Services settings.)

One Identity Safeguard for Privileged Passwords allows you to enable or disable access request and password and SSH key management services. These settings control session and password or SSH key release requests, manual account password or SSH key validation, and reset tasks, as well as the automatic profile check and change tasks in Partitions. You can also enable to disable discovery tasks, directory sync, and the Sessions Module (Safeguard for Privileged Sessions).

By default, services are disabled for service accounts and for accounts and assets found as part of a discovery job. Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.

It is the responsibility of the Appliance Administrator to manage these settings.

Navigate to Administrative Tools | Settings | Access Request | Enable or Disable Services.

All services are enabled by default, except for the Sessions Module:
toggle on and toggle off

Table 119: Enable or Disable Services settings
Setting Description

Requests

Session Requests Enabled

Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.

Click the Session Requests Enabled toggle to disable this service so sessions can not be requested.

NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.

In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details.

Password Requests Enabled

Password requests are enabled by default, indicating that authorized users can make password release requests

Click the Password Requests Enabled toggle to disable this service so passwords can not be requested.

NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

SSH Key Requests Enabled

SSH key requests are enabled by default, indicating that authorized users can make SSH key release requests

Click the SSH Key Requests Enabled toggle to disable this service so SSH keys can not be requested.

NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

Password Management

Check Password Management Enabled

Check password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.

Click the Check Password Management Enabled toggle to disable the password validation service.

Note: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

Change Password Management Enabled

Change password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.

Click the Change Password Management Enabled toggle to disable the password reset service.

Note: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

SSH Key Management

Check SSH Key Management Enabled

SSH key check is enabled by default, indicating that SSH key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

Change SSH Key Management Enabled

SSH key change is enabled by default, indicating that SSH key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

Discovery

Asset Discovery Enabled

Asset discovery is enabled by default, indicating that available Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. For more information, see Discovery.

Account Discovery Enabled

Account discovery is enabled by default, indicating that available Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. For more information, see Discovery.

Service Discovery Enabled

Service discovery is enabled by default, indicating that available Service Discovery jobs find Windows services that run as accounts managed by Safeguard. For more information, see Discovery.

SSH Key Discovery Enabled

SSH key discovery is enabled by default. With the toggle on, SSH keys in managed accounts are discovered. For more information, see SSH Key Discovery.

Directory

Directory Sync Enabled

Directory sync is enabled by default, indicating that additions or deletions to directory assets are synchronized. You can set the number of minutes for synchronization. For more information, see Management tab (add asset).

Sessions Module

Session Module Password Access Enabled

Session module password access is disabled by default. When the toggle is on, Safeguard for Privileged Passwords (SPP) can create an access request and check out a password from Safeguard for Privileged Sessions (SPS) on behalf of another user. When the toggle is switched off, this ability is revoked. This functionality supports Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. For more information, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.

Reasons

desktop client only

In an access request policy, a Security Policy Administrator can require that a requester provide a reason for requesting access to a password, SSH key, or session. Then, when requesting access, the user can select a predefined reason from a list. For example, you might use these access request reasons:

  • Software Updates
  • System Maintenance
  • Hardware Issues
  • Problem Ticket

To configure access request reasons

  1. Navigate to Administrative Tools | Settings | Access Request | Reasons.
  2. Click Add Reason to add a new reason.
  3. In the Reason dialog, enter the following:
    1. Name: Enter a name for the reason. Limit: 50 characters

    2. Description: Enter a description for the reason. Limit: 255 characters

  4. Click Add Reason.
  5. To edit a reason, click Edit Reason.

    The Reason dialog appears allowing you to modify the name or description.

  6. To delete a reason, click Delete Reason.

    In the confirmation dialog, click Yes.

Related Topics

Creating an access request policy

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating