
One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide


Using the web client

The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well. The web client uses a responsive user interface design to adapt to the user's device, from desktops to tablets or mobile phones. Only one user session will persist during a browser session. Any tabs opened after initial authentication will use the existing user session.

NOTE: In this documentation, you will see the following icons which denote the interface:

(web client)

(desktop client)

To log into the web client application

The following steps assume the One Identity Safeguard for Privileged Passwords Appliance has been configured and licensed. As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

  1. From your browser, enter the Safeguard for Privileged Passwords URL with the IP address, such as https://11.1.111.11.
  2. If a login notification displays, click OK to accept the notifications and restrictions stated.
  3. On the user log in screen, enter your credentials and click Log in.

Updating your avatar photo

To change your photo in the web client, click the avatar Change your photo in the upper right. Select the image file, then click Open. You can right-click the photo to save or perform other photo options.

Using the left navigation menu

The pages available to you display on the left. You will see Home and, based on your role, you may also see My Requests, Personal Password Vault, Approvals, Reviews, Settings, or a combination of those. You can customize the information you see on each of the pages. For more information, see Application Settings and desktop client download (web client).

You can reduce the left menu. In the upper left of the page, click to collapse or expand the menu.

Home

Click Home to go to the home page. The Home page is tailored to your user rights and permissions. If you are authorized by an entitlement to request, approve, or review access requests, then your Home page gives you a quick view to the access request tasks that need your immediate attention.

Based on your role, the dashboard displays My Requests, Approvals, and Reviews, the number of tasks in each queue, and the status of each task (for example, Available, Denied, Revoked, Pending) as well as whether the task is Due Today.

In addition to tasks based on your role, you can perform the following from the Home page:

Typically:

  • Delete: The record is deleted from the database
  • Remove: The selected item is removed from the grid but not deleted from the database

Requester's Home page view

Click the New Request tile to open the New Access Request dialog, which lists the assets and accounts you are authorized to access. From this dialog you specify the assets, accounts and the type of access you are requesting, and additional details about the request.

For more information, see:

Click Requests to view the requests awaiting action.

For more information, see:

The Favorites pane (right pane) displays a list of requests you have marked as a favorite, providing a quick way to request access. For more information, see Desktop client favorite request.

Approver's Home page view

Your job is to approve or deny the access requests listed on your Home page. Click Approvals to view the requests awaiting your approval. As an approver, unless you are also designated as a requester, you will see no favorites listed.

For more information, refer to these topics:

Reviewer's Home page view

Your job is to review completed access requests listed on your Home page. Click Reviews to view the completed requests requiring your review. As a reviewer, unless you are also designated as a requester, you will see no favorites listed.

For more information, refer to these topics:

My Requests (web client)

If you are a requester, click My Requests to make a request or see information about requests.

If Show Account Availability is enabled, you can identify whether a privileged account is available. Accounts display a warning badge if in use. Hover over the badge to display <X> of <X> accounts in use. Select an available account. Showing account availability requires additional API queries that may impact performance. This toggle is set by the user, not an administrator. There is no global toggle. For more information, see Application Settings and desktop client download (web client).

To make a request

You must be an authorized user of an entitlement to create a request for the assets and accounts you need.

  1. Click My Requests to go to the My Requests page.
  2. Follow the workflow steps. For more information, see Requesting a password release.

To create a favorite

You can create favorites for requests you make often. For more information, see Favorites (web client).

To view and manage requests

On the My Requests page, you can view the requests. Control the display using the following approaches:

  • Click Sort By then select to sort by Account Name, Asset Name, Due Next, Expiring Next, Most Recent, or Status.
  • Click sort up or sort down to sort in ascending or descending order.
  • Click Filters to filter by the status.
    • All: Requests in all states.
    • Available: Approved requests that are ready to view or copy.
    • Pending Approval: Requests that are waiting for approval.
    • Approved: Requests that have been approved, but the check out time has not arrived. Or, for pending accounts restored when using the Safeguard for Privileged Passwords suspend feature.
    • Revoked: Approved requests retracted by the approver. The approver can revoke a request after the request has become available.
    • Expired: Requests for which the Checkout Duration has elapsed.
    • Denied: Requests denied by the approver.
  • Click Search to see a list of searchable elements. Or enter search characters. For more information, see Search box.

 

Personal password vault (web client)

The personal password vault extends security and credential protection to business users to store and manage passwords. Users must have the Personal Passwords permission granted.

User benefits include:

  • Users can store up to 100 personal passwords, set optional expiration dates, and share passwords.
  • Users know at a glance the last time they changed their password.
  • Users have a history of personal password changes. This is handy if the user changes the password in the vault but not on the target account or if the user needs to work from a backup.
  • A password can be shared by the user with one other user. For example, when a user is not available they can give a coworker access to a password. Access can be revoked or the user that has the password shared can opt out of the share.

With the personal password vault, business user passwords are under the control of the IT and security teams, versus a variety of methods of storing passwords. Benefits of the personal password vault for Security Policy Administrators and User Administrators include:

  • An organization-sanctioned and controlled tool is used for users to store personal passwords.
  • Personal passwords are secured and encrypted. They are stored separately from managed account passwords.
  • The personal password vault audits the retrieval and change of passwords so administrators know when users pulled information from the vault.
  • Administrators can recover passwords when someone leaves the company. The administrator must change the authentication provider to local, set the password of the user, and then log in and view the personal password vault.
  • There is no way to recover the personal password vault of a deleted user.

System users (like the bootstrap admin) cannot create personal accounts.

IMPORTANT: The Personal Password Vault permission, like any other permission, can be set explicitly on a user or inherited from a Directory Group. If a user with the Personal Password Vault permission stores one or more personal passwords and then later has the permission revoked, either explicitly or by having been removed from all Directory Groups from which they inherited it, the user will no longer be able to access Personal Password Vault features. But the user's data within the vault is still maintained. If at any point the user is granted the Personal Password Vault permission again, they regain access to all of their existing data.

For more information, see Permissions tab (add user).

The Personal Password Vault page toolbar functions follow.

Table 14: Personal Password Vault: Toolbar

Option: Description

  • New Entry: Add an entry to the personal password vault.
  • Remove Entry: Remove one or more selected entries from the personal password vault. Once an entry is removed, you will not have access to the credentials.
  • Edit Entry: Modify the selected entry.
  • Information: View information about the selected entry including:
    • General tab:
      • Name: A meaningful name assigned to the application or account to access.
      • Account Name: The user name for log on authentication. Click Copy Account Name to copy the name to your clipboard.
      • Password: The secret which you can Show or Hide as well as copy by clicking Copy Password.
      • Expires: The date the password is no longer valid.
    • Notes tab: Information for the user and anyone sharing the password, such as secondary secrets or other instructions.
    • Sharing tab: The user name of the person your password is Shared With and the date the Sharing Expires. To change the Sharing Expires date, click Edit, change the date and then click Save.
  • Share Credentials: Select one or more entries then select the user you want to share credentials with and the date to stop sharing. Users must have this feature enabled to be listed. For more information, see Permissions tab (add user).
  • Stop Sharing: Select one or more entries then click Stop Sharing. If a password is shared by another owner with you, you cannot remove the share but you can opt yourself out of the share.
  • History: Thirty days of password history display as a default. You can set a date range for displaying password history by selecting From and To values using the calendar. Or, you can click Date Range to select set time periods for hours, days, months, or All History. In addition to viewing the Date Changed, you can Show or Hide the password or Copy Password.
  • Copy Account Name: Copy the account name of the selected entry.
  • Copy Password: Copy the password of the selected entry.
  • Open URL: Click to open the URL web address entered when the password was added or edited.
  • Columns: Click to select the columns you want to display.
  • Search: Click to see a list of searchable elements. Or enter search characters. For more information, see Search box.

Entry details for various applications and systems display in the grid.

Table 15: Personal Password Vault: Passwords grid

  • Name: A meaningful name given to the application or account to access, for example Company Twitter
  • Account Name: The user name used for log on authentication
  • Expires: The date the password expires or blank (no value) if the password does not have an expiration date
  • Shared: Display all the following values or click the filter to select a few values to display:
    • Not Shared if the password is not shared with another user
    • Shared if you are sharing the password with another user
    • Shared with Me if another user is sharing their password with you
  • Shared With: The user name (and domain name, if applicable) with whom the password is shared; blank if the password is not shared. You can hover over the user name to see the email address for verification.
  • Owner: The owner of the password
  • Sharing Expires: The date sharing expires and the password will no longer be available to the Shared With user

To add a password

  1. On the Personal Password Vault page, click New Entry.
  2. Enter the following values.
    1. Name: Enter a meaningful name for the application or account to access, for example Company Twitter.
    2. Account Name: Enter the user name you use to log on for authentication.
    3. Password: You can type in a password or automatically generate a password.
      Adding a password is optional. For example, you may want to store information about an application or system in the Notes and not store the actual password. The Notes limit is 2000 characters.
      • If you type in the password, you can click Show or Hide to view the entry or not. You can also click Copy Password to copy the password to your clipboard.
      • To automatically generate a password, click Generate a password. The password is automatically generated. You can change password rules:
        1. Length: Use the slider or enter a value to reset the required length.
        2. Numbers: Toggle the requirement to use numbers in the password on or off. The password is regenerated per the setting.
        3. Symbols: Toggle the requirement to use symbols in the password on or off. The password is regenerated per the setting.
        4. Click Regenerate to generate a new password.
        5. Click OK to save the generated password.
        6. Back on the New Entry panel, you can click Copy Password to copy the password to your clipboard.
    4. Expires: It is recommended that you set an expiration date to protect your access. You can enter the date as MM/DD/YYYY or click the calendar to select a date.
    5. URL: Enter the web address of the application or system, for example, Amazon.com. Click Open URL to test the link. You can also Copy the URL.
    6. Notes: Enter any free form notes that are helpful for you or for the person with whom you may share the password. You can also use Notes for information about an application or system, such as certifications or keys. The limit is 2000 characters.
  3. Click Save.

To share your password with another user

  1. On the Personal Password Vault page in the grid, select one or more entries to share.
  2. Click Share Credentials.
  3. On the Share Credentials dialog, click Browse.
  4. On the Share With... dialog, users with Personal Passwords permissions are available including their Display Name, Domain, and Email Address. Administrators can add permissions. For more information, see Permissions tab (add user).

    Select one user. To search for a user, enter a value in the Search text box or click the icon then make a selection to search by Domain, Display Name, or Email Address. Enter the first letters of the value to display the matches and select the user.
    Click OK.

  5. Set the sharing end date which must be between one day and one year. In Stop Sharing, enter the date as MM/DD/YYYY, click the calendar and select the date, or click Sharing Expires to select a week or month interval. The password will not be available to the user on that date.
  6. Click Share.
  • One easy way to change the Sharing Expires date later is to select the entry and click Information. On the Sharing tab, click Edit, change the Sharing Expires date, then click Save.

To stop sharing your password with another user

  1. On the Personal Password Vault grid, the Shared column displays Shared if you are sharing the password.
  2. Select one or more check boxes of entries to stop sharing.
  3. Click Stop Sharing. The Stop Sharing dialog displays as a warning.
  4. Click Stop Sharing.