Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.9 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Location tab (add user)

On the Location tab, specify the user's time zone.

User can change their time zone, by default. Or, the User Administrator can prohibit a user from changing the time zone, possibly to ensure adherence to policy. For more information, see Time Zone.

Table 219: User: Location tab properties
Property Description
Time Zone

Select the user's time zone.

Because Microsoft Active Directory does not have a Time Zone attribute, when you add a directory group, the default time zone is set for all imported accounts to (UTC) Coordinated Universal Time. To reset the time zone, open each imported account in Users and modify the Time Zone on this Location tab.

Permissions tab (add user)

On the Permissions tab, select the user's Administrator permissions, if applicable. For details on the rights for the permissions, see Administrator permissions.

Users permissions across multiple user groups

Users have permissions based on the user groups to which they are assigned. If a user is removed from a user group, the permissions related to that group are removed but the permissions for all other groups the user is assigned to remain in place.

User permissions on import

When a directory user group is imported, newly created Safeguard users are assigned the selected permissions. If the user exists in Safeguard, the selected permissions are added to the existing user permissions.For more information, see Adding a directory user group.

To assign permissions

When assigning permissions to a user, select the appropriate access controls. You can Select all or Select none at the bottom of the dialog.

  • Authorizer: Allow the user to grant permissions to other users. This permission allows the user to change their own permissions.

  • User: Allow the user to create new users, unlock and reset passwords for non-administrative users.
  • Help Desk: Allow the user to unlock and set passwords for non-administrative users.
  • Appliance: Allow the user to edit and update the appliance and to configure external integration settings, such as email, SNMP, Syslog, Ticketing, and Approval Anywhere.
  • Operations: Allow the user to reboot and monitor the appliance.
  • Auditor: Allow the user read-only access.
  • Asset: Allow the user to add, edit, and delete partitions, assets, and accounts.
  • Security Policy: Allow the user to add, edit, and delete entitlements and polices that control access to accounts and assets.
  • Personal Passwords: Allow the user to add, edit, delete, share, and access the personal password vault. This check box is only available to the User Administrator and Security Policy Administrator. For more information, see Personal password vault (web client).

Requiring secondary authentication log in

You can require a user to log in using two-factor authentication by enabling the Require Secondary Authentication option in the user record.

To require a user to log in using secondary authentication

  1. Setup a secondary authentication provider in Settings | External Integration | Identity and Authentication. For more information, see Adding identity and authentication providers. Or, you may use Starling 2FA. For more information, see Starling.

  2. Configure the Safeguard for Privileged Passwords user to Require Secondary Authentication. For more information, see Authentication tab (add user).
    1. On the Authentication tab of a user's properties, select the Require Secondary Authentication check box.
    2. Choose the Authentication Provider.
    3. Depending on the type of authentication provider selected, specify the additional information this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication.

  3. Log in with secondary authentication.

    When you log in to Safeguard for Privileged Passwords as a user which requires secondary authentication, you log in as usual, using the password that is set for the Safeguard for Privileged Passwords user account. Safeguard for Privileged Passwords then displays one or more additional login screens. Depending on how the system administrator has configured the secondary authentication provider, you must enter additional credentials for your secondary authentication service provider account, such as a secure password, security token code, or both.

    NOTE: The type and configuration of the secondary authentication provider (for example, RSA SecureID, FIDO2, One Identity Starling Two-Factor Authentication, and so on) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log in to Safeguard for Privileged Passwords with secondary authentication.

For more information, see To manage your FIDO2 keys.

Configuring user for Starling Two-Factor Authentication when logging in to Safeguard

It is the responsibility of the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging in to Safeguard for Privileged Passwords.

TIP: If you want to use one-touch approvals, download and install the Starling 2FA app onto your mobile device.

To configure users to use Starling Two-Factor Authentication when logging in to Safeguard for Privileged Passwords

  1. Log in to Safeguard for Privileged Passwords as an Authorizer Administrator or User Administrator.
  2. Navigate to Administrative Tools | Users.
  3. Add or edit users, ensuring the following settings are configured:
    1. Authentication tab:
      • Require Secondary Authentication: Select this check box.
      • Authentication Provider: Select the Starling 2FA service provider.

        NOTE: If the Starling 2FA service provider is not listed, you must first join Safeguard for Privileged Passwords to Starling. For more information, see Starling.

      • Use alternate mobile phone number: Optionally, select this check box and enter an alternate mobile number to be used for two-factor authentication notifications.

        NOTE: If you want to use one-touch approvals, this feature requires a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.

    2. Contact Information tab:
      • Mobile Phone: Enter a valid mobile phone number in E.164 format.
      • Email Address: Enter a valid email address.

Now whenever any of these users attempt to log in to Safeguard for Privileged Passwords, after entering their password, a message appears on the login screen informing them that an additional authentication step is required.

NOTE: If the Safeguard for Privileged Passwords user is required to use Starling Two-Factor Authentication and has the Starling 2FA mobile app installed, Safeguard for Privileged Passwords sends a push notification to their mobile device where they can complete the login by pressing a button in the app. If the user does not have the Starling 2FA app, they have the option to receive a one-time password via SMS or a phone call.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating