
One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide


Adding authorized user for Approval Anywhere

Once Safeguard for Privileged Passwords is joined to Starling, use the Approval Anywhere pane to add the Safeguard for Privileged Passwords users that can use the Approval Anywhere feature to approve access requests.

NOTE: If you upgraded from a previous version of Safeguard for Privileged Passwords in which you had already configured Approval Anywhere, your existing configuration will continue to work. However, you will not be able to manage your Approval Anywhere users until you join Safeguard for Privileged Passwords to Starling. Once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configuration to use the credential string generated by the join process.

TIP: Ensure OneTouch approvals are enabled in the two-factor authentication app on your mobile device.

To add users who are authorized to use Approval Anywhere

  1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
  2. To go to Approval Anywhere:
    • web client: Navigate to Settings | External Integration | Approval Anywhere.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Approval Anywhere.
  3. Click Add.
  4. In the Users dialog, select users from the list and click OK.

    NOTE: Approval Anywhere approvers must have a valid mobile phone number in E.164 format and a valid email address defined. If a user's record does not show a valid mobile phone number or email address, edit the user record before proceeding. For more information, see Modifying a user.

    E.164 format: +<country code><area code><phone number>

  5. Add these Approval Anywhere users as approvers in the appropriate access request policy. For more information, see Creating an access request policy.
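The E.164 requirement above is the usual reason an approver never receives a push notification: a number stored as "415-555-0100" looks fine in the user record but is not dialable from Starling. The following is an added example, not code from Safeguard for Privileged Passwords, for checking user records in bulk before adding them as approvers. The record field names MobilePhone and EmailAddress, and the sample users, are constructed for the example; map them to however you export users from your own appliance.

```python
import re

# E.164: a leading "+", then 1 to 15 digits, the first of which cannot be 0
# (country codes never start with 0). Written from the ITU-T E.164 rules.
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse sanity check only


def normalize_phone(raw: str) -> str:
    """Strip the separators people type into phone fields, keeping a leading '+'.

    A leading '00' international dialling prefix is rewritten to '+' because
    E.164 requires the '+' form.
    """
    s = raw.strip()
    s = re.sub(r"[\s().-]", "", s)
    if s.startswith("00"):
        s = "+" + s[2:]
    return s


def is_e164(raw: str) -> bool:
    """True if the number, after normalization, is valid E.164."""
    return bool(_E164.match(normalize_phone(raw)))


def approver_record_problems(user: dict) -> list:
    """Return the reasons a user record cannot be an Approval Anywhere approver.

    An empty list means the record has a usable E.164 mobile number and an
    email address. The field names 'MobilePhone' and 'EmailAddress' are
    assumptions for this example, not the product's schema.
    """
    problems = []
    phone = user.get("MobilePhone") or ""
    email = user.get("EmailAddress") or ""
    if not is_e164(phone):
        problems.append(f"mobile number {phone!r} is not E.164 (+<country code><number>)")
    if not _EMAIL.match(email):
        problems.append(f"email address {email!r} is missing or malformed")
    return problems


# Constructed sample records, not real users.
SAMPLE_USERS = [
    {"UserName": "alice", "MobilePhone": "+1 (415) 555-0100", "EmailAddress": "alice@example.com"},
    {"UserName": "bob",   "MobilePhone": "415-555-0100",      "EmailAddress": "bob@example.com"},
    {"UserName": "carol", "MobilePhone": "0044 20 7946 0958", "EmailAddress": ""},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        issues = approver_record_problems(u)
        print(u["UserName"], "OK" if not issues else "; ".join(issues))
```

Run it against an export of the users you intend to add; fix every record it flags (see Modifying a user) before step 3, otherwise the approver is added but never notified.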

Once a user is added as an Approval Anywhere user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's Starling 2FA mobile app. The approver can either approve or deny the access request directly from the Starling 2FA mobile app.

NOTE: Revoking an access request that has already been approved is not available via the mobile app. You must use the Safeguard for Privileged Passwords desktop or web client to perform that action.

Email

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.

Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.

Before you start

Before configuring the SMTP server, perform the following, as needed.

  • Configure the DNS Server and set up the user's email address correctly.
  • If you will present a client certificate to the SMTP server over TLS (the Use Client Certificate option), it is recommended that you create the certificate signing request (CSR) in SPP using the Add Certificate | Create Certificate Signing Request (CSR) option, so that the private key never leaves the appliance. For more information, see Creating an audit log Certificate Signing Request.

    Certificates may be installed in the following formats.

    • Install Certificate generated from CSR including:
      • DER Encoded Files (.cer, .crt, or .der)
      • PEM Encoded Files (.pem)
    • Install Certificate with Private Key including:
      • PKCS#12 (.p12 or .pfx)
      • Personal Information Exchange Files (.pfx)

To configure the SMTP Server

  1. Go to SMTP Server:
    • web client: Navigate to Settings | External Integration | Email.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Email.
  2. To configure the email notifications, enter these global settings for all emails:
    • SMTP Server Address: Enter the IP address or DNS name of the mail server. When unspecified, the email client is disabled.
      When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].
      If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.
    • SMTP Port: The port is pre-filled with a default; change it if your mail server listens elsewhere. The conventional ports are 25 for plain SMTP or STARTTLS (mail providers commonly use the submission port 587 for STARTTLS) and 465 for SMTPS. The range is 1 to 65535.
    • Select one of the following to add Transport Layer Security.

      • Require STARTTLS: Select this option to connect to an SMTP server that supports the STARTTLS command, which upgrades the initial plaintext connection to TLS. A server that does not advertise STARTTLS cannot be used with this setting.
      • Require SMTPS: Select this option to negotiate TLS immediately on connect (implicit TLS), before any SMTP commands are exchanged.
      • None: No transport layer security is applied. Notification content, and any SMTP password configured under User Authentication, cross the network in cleartext.

      If you selected Require STARTTLS or Require SMTPS, you can select one, both, or none of the following:

      • Verify SSL Certificate: If selected, the remote SMTP server's certificate is validated. If not selected, the certificate is not verified, so TLS protects against passive eavesdropping only; anyone able to intercept the connection can present their own certificate and read or alter the mail. Leave this selected unless the mail server presents a certificate the appliance cannot validate, and prefer fixing the certificate to disabling the check.
      • Use Client Certificate: Select this check box to present a client certificate during the TLS connection to the remote SMTP server.
    • User Authentication: Select an option if the SMTP server requires authentication.
      • Account: If selected, click Directory Account or Asset Account, then select the account to use for authentication.
      • Password: If selected, enter the Account Name and Account Password to use for authentication.
      • None: If selected, no credentials are sent to the SMTP server.
    • Send Test Email To (web client) or Sender Email (desktop client): Enter an email address to use as the "From" address for all emails originating from the appliance. This is required if you specify the SMTP Server Address. The limit is 512 characters.
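Because the appliance reports little beyond success or failure when a test email does not arrive, it helps to check the mail server from the outside first. The following is an added example, not code from Safeguard for Privileged Passwords, that does two things: audit_email_settings flags the combinations of the settings above that expose the SMTP password or allow a certificate-swapping interception (a weak configuration is shown beside a hardened one), and probe_smtp connects the way the appliance would and reports whether the server actually offers STARTTLS, which TLS version it negotiates, and which AUTH mechanisms it advertises. The EmailSettings field names and the mail.example.com host are this example's own assumptions.

```python
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class EmailSettings:
    """The Email pane settings that matter for transport security.

    Field names are this example's own; the product exposes them as SMTP Server
    Address, SMTP Port, Require STARTTLS / Require SMTPS / None, Verify SSL
    Certificate and User Authentication.
    """
    server: str
    port: int
    transport: str          # "STARTTLS", "SMTPS" or "None"
    verify_certificate: bool
    auth: str               # "Account", "Password" or "None"


def audit_email_settings(s: EmailSettings) -> list:
    """Return the findings to resolve before saving; empty means no exposure found."""
    findings = []
    if s.transport == "None":
        msg = "transport None: notification content crosses the network in cleartext"
        if s.auth != "None":
            msg += ", and so does the SMTP password used for authentication"
        findings.append(msg)
    elif not s.verify_certificate:
        findings.append("Verify SSL Certificate is off: an attacker who can intercept the "
                        "connection can present any certificate and read or alter the mail")
    if (s.transport == "SMTPS" and s.port in (25, 587)) or \
       (s.transport == "STARTTLS" and s.port == 465):
        findings.append(f"port {s.port} is unusual for {s.transport}: SMTPS is normally 465, "
                        "STARTTLS 25 or 587 (the connection will likely hang or fail)")
    return findings


def probe_smtp(s: EmailSettings, timeout: float = 10.0) -> list:
    """Connect as the appliance would and report what the server offers.

    Live network check; run it from a host with the same reachability as the
    appliance. It sends no mail.
    """
    ctx = ssl.create_default_context()
    if not s.verify_certificate:          # mirrors the unchecked Verify SSL Certificate box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if s.transport == "SMTPS":
        conn = smtplib.SMTP_SSL(s.server, s.port, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(s.server, s.port, timeout=timeout)
    report = []
    with conn:
        code, _ = conn.ehlo()
        report.append(f"EHLO returned {code}")
        if s.transport == "STARTTLS":
            if not conn.has_extn("starttls"):
                report.append("server does not advertise STARTTLS; Require STARTTLS will fail")
                return report
            conn.starttls(context=ctx)    # raises ssl.SSLError if verification fails
            conn.ehlo()                   # capabilities can change after the upgrade
        if s.transport != "None":
            cipher, version, _ = conn.sock.cipher()
            report.append(f"negotiated {version} with {cipher}")
        auth = conn.esmtp_features.get("auth", "").strip() or "none"
        report.append(f"AUTH mechanisms offered: {auth}")
    return report


# Constructed settings for a fictitious mail server, not a real deployment.
WEAK = EmailSettings("mail.example.com", 25, "None", False, "Password")
HARDENED = EmailSettings("mail.example.com", 465, "SMTPS", True, "Password")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_email_settings(cfg) or ["no findings"])
    # Uncomment to run the live check against your own server:
    # print(probe_smtp(HARDENED))
```

If probe_smtp reports that STARTTLS is not advertised, the fix is on the mail server, not the appliance; if it raises an ssl.SSLError only when verify_certificate is True, the server's certificate chain is the problem, and the right response is to install a certificate the appliance can validate rather than to clear Verify SSL Certificate.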

To validate your setup in the web client

Test the email setup. When you test, no emails except for the tests are handled.

  1. In Send Test Email To, enter the email address of where to send the test message.
  2. Enter the Timeout for the test email, measured from delivery start until the email is sent successfully or an error notification is returned. Each IP address is tested; if one fails, an error is returned for the entire process. The maximum is 255 seconds per IP check. The error logs are maintained for two days. During testing, a valid From address with an invalid To address is not delivered.
  3. Click Send Test Email. The email is sent using the configuration settings. If there is an error or timeout, a message displays in the user interface.
  4. You must check to ensure the email is delivered. If there was no message in the user interface but the email is not delivered, check the support bundle log files in the SMTPSVC1 folder. Two days of logs are maintained. For more information, see Support bundle.

To validate your setup in the desktop client

Test the email setup. When you test, no emails except for the tests are handled.
  1. The Sender Email displays. You can change this.
  2. Select the Test Email Settings link.
  3. In the Test Email dialog, enter the Send To email address of where to send the test message.
  4. Enter the Timeout for the test email, measured from delivery start until the email is sent successfully or an error notification is returned. Each IP address is tested; if one fails, an error is returned for the entire process. The maximum is 255 seconds per IP check. The error logs are maintained for two days. During testing, a valid From address with an invalid To address is not delivered.
  5. Click Send. The email is sent using the configuration settings. If there is an error or timeout, a message displays in the user interface.
  6. You must check to ensure the email is delivered. If there was no message in the user interface but the email is not delivered, check the support bundle log files in the SMTPSVC1 folder. Two days of logs are maintained. For more information, see Support bundle.

To use email templates

desktop client: The Email Templates grid at the bottom of this pane lists the email templates used to define the content to be included in email notifications.

For more information, see Email Templates.

Enabling email notifications

For users to receive email notifications, there are a few things you must configure properly.

To enable email notifications

  1. Users must set up their email address correctly.
    1. Local users:
      1. The Authorizer Administrator or User Administrator sets this up in the user's Contact Information. For more information, see Adding a user.

        -OR-

      2. Users set this up in their My Account settings. For more information, see User information and log out (desktop client).
    2. Directory users must have their email set in the Active Directory or LDAP domain.
  2. The Appliance Administrator must configure the SMTP server. For more information, see Email.

TIP: You can setup email subscriptions to any email event type through the API: https://<Appliance IP>/service/core/swagger/ui/index#/EventSubscribers. For more information, see Using the API.

Email Templates

Safeguard for Privileged Passwords provides default email templates for most events, such as Cluster Primary Quorum Fails or Access Request Denied. Each event type triggers an email notification that uses the template.

Go to Email Templates:

  • web client: Navigate to Settings | External Integration | Email Templates.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Email then scroll to the Email Templates section.

Use these toolbar buttons to manage email templates.

Table 161: Email template: Toolbar

Button    Description
Reset     Reset the selected template to the default.
Edit      Modify the selected email template.
Refresh   Update the list of email templates.
Search    To locate a specific template, enter the character string to be used to search for a match. For more information, see Search box.

Macro properties

Each event type supports specific macros in the template that are appropriate for that type of event. When editing a template, you can click Insert Event Property to select properties to insert into the text of the Subject line or Body using keywords surrounded by double braces. For example, you may select the following event properties in the Subject of your email:

Access Policy Created {{EventDescription}} {{PolicyId}}

Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview. Additionally, a warning message like the following may display: Invalid format for BodyTemplate property.
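Two template mistakes are easy to make and easy to miss in the preview: a macro the selected event type does not supply (it silently renders blank, so the approver gets "has requested the password for  on") and unbalanced braces (the Invalid format warning). The following is an added example, not code from Safeguard for Privileged Passwords, that lints subject and body text before you paste them into the template editor and renders them the way the guide describes. The two event types and their supported property sets in SUPPORTED_MACROS are constructed for the example; Insert Event Property shows the real list for each event. The rule behind the product's "Invalid format" warning is not documented here, so is_valid_template is this example's interpretation of it.

```python
import re

# Macros each event type supports. These two event names and their property
# sets are constructed for this example; the product's Insert Event Property
# dialog is the authoritative list for the selected event.
SUPPORTED_MACROS = {
    "AccessRequestPendingApproval": {"Requester", "AccountName", "AssetName", "EventDescription"},
    "AccessPolicyCreated": {"EventDescription", "PolicyId"},
}

# A macro is an identifier in double braces, e.g. {{Requester}}.
MACRO = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def is_valid_template(text: str) -> bool:
    """False when braces are left unbalanced or empty, e.g. '{{Requester' or '{{}}'.

    Assumed to correspond to the product's 'Invalid format for BodyTemplate
    property' warning; the exact rule the product applies is not documented.
    """
    leftover = MACRO.sub("", text)
    return "{{" not in leftover and "}}" not in leftover


def unsupported_macros(event_type: str, text: str) -> set:
    """Macros in the text that the event type does not provide (they would render blank)."""
    supported = SUPPORTED_MACROS.get(event_type, set())
    return {name for name in MACRO.findall(text) if name not in supported}


def render(event_type: str, text: str, properties: dict) -> str:
    """Substitute macros as the guide describes: unsupported ones become blank."""
    if not is_valid_template(text):
        raise ValueError("Invalid format for template: unbalanced or empty {{ }}")
    supported = SUPPORTED_MACROS.get(event_type, set())

    def substitute(match):
        name = match.group(1)
        if name not in supported:
            return ""
        return str(properties.get(name, ""))

    return MACRO.sub(substitute, text)


def lint_template(event_type: str, subject: str, body: str) -> list:
    """Everything to fix before saving: format errors and macros that will render blank."""
    problems = []
    for label, text in (("Subject", subject), ("Body", body)):
        if not is_valid_template(text):
            problems.append(f"{label}: invalid format (unbalanced or empty braces)")
        for name in sorted(unsupported_macros(event_type, text)):
            problems.append(f"{label}: {{{{{name}}}}} is not supported by {event_type} and will render blank")
    return problems


# Constructed sample event; the two template strings are the guide's own examples.
EVENT_TYPE = "AccessRequestPendingApproval"
SUBJECT = "Approval is required for {{Requester}}'s request"
BODY = "{{Requester}} has requested the password for {{AccountName}} on {{AssetName}}"
SAMPLE_EVENT = {"Requester": "alice", "AccountName": "root", "AssetName": "db01.example.com"}

if __name__ == "__main__":
    print(lint_template(EVENT_TYPE, SUBJECT, BODY) or ["template OK"])
    print(render(EVENT_TYPE, SUBJECT, SAMPLE_EVENT))
    print(render(EVENT_TYPE, BODY, SAMPLE_EVENT))
```

Keep SUPPORTED_MACROS in step with what Insert Event Property offers for each event you customize; the lint is only as good as that table.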

To edit an email template

Modify an email template to change any information except the Event type. If you later want to revert to the original template, select the template then click Reset. To modify an email template, use the following steps.

  1. Go to Email Templates:
    • web client: Navigate to Settings | External Integration | Email Templates.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Email and scroll to the Email Templates section.
  2. In the Email Template grid, select the template to modify and click Edit.
    1. Event: Displays the event type, which cannot be changed here. For more information, see Enabling email notifications.

    2. Subject: Edit the subject line for the email message.

      As you type, click Insert Event Property Macro to insert predefined text into the subject line. For example, you may create the following subject line:

      Approval is required for {{Requester}}'s request

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces.

      Limit: 1024 characters

    3. Reply to: Enter the email address of the person to reply to concerning this notification.

      Limit: 512 characters

    4. Body: Enter the body of the message.

      As you type, click Insert Event Property Macro to insert predefined text into the body. For example, you may create the following body for an email template:

      {{Requester}} has requested the password for {{AccountName}} on {{AssetName}}

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces.

      Limit: 16384 characters

    5. Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.
    6. Click OK. The updated template is added to the Email Template grid.
  3. If you want to return to the default, select the email template then click Reset.

To add an email template

desktop client only

You can add individual email templates, for example, to provide notification when emergency access is granted.

Add an email template if you want to keep the original template and simply create an additional template for the Event.

  1. Navigate to Administrative Tools | Settings | External Integration | Email and scroll to the Email Templates section.

  2. In the Email Template grid, click Add. It doesn't matter what template is selected.
    1. Select the Event. The default may be different than the template selected. An additional template for the event type will be added.

    2. Enter or select a Subject. You can click to add an event property.
    3. Enter a Reply To.
    4. Enter the Body content. You can click to add an event property.
    5. Click Preview Email to see what will be sent.
    6. Click OK. The template is added to the Email Template grid.

  3. If you want to return to the default, select the email template then click Reset.