One Identity Safeguard for Privileged Passwords 6.9 - Administration Guide


Asset Administrator permissions

An Asset Administrator manages all partitions, assets, and accounts:

  • Creates (or imports) assets and accounts.
  • Creates partitions and profiles.
  • Delegates partition ownership to users. A delegated partition owner has a subset of the permissions that an Asset Administrator has. That is, the delegated partition owner is authorized to manage a specific partition and the assets and accounts assigned to that partition.
  • Assigns assets to partitions.
  • Manages account password rules.
  • Manages ownership for assets, accounts, and partitions.

NOTE: Asset Administrators can only view the user object history for their own account.

Table 229: Asset Administrator: Permissions
Navigation Permissions

Dashboard | Account Automation

Full control for accounts related to all Safeguard for Privileged Passwords assets.

NOTE: Delegated partition owners have control for accounts related to the assets managed through a delegated profile.

Activity Center

View and export asset activity events.

Administrative Tools | Toolbox

The Toolbox provides:

  • Access to the Accounts, Assets, Partitions, and Users views.
  • Access to the Tasks pane.

Administrative Tools | Accounts

Perform account activities including:

  • Add, modify, delete, and import accounts, including cloud platform accounts.
  • Add a tag to an account.
  • Add an account to an account group.
  • Check, change, and set account passwords and SSH keys.
  • View password and SSH key archive.

Administrative Tools | Assets

Perform asset activities including:

  • Add, modify, delete, and import assets.
  • Check asset connectivity.
  • Assign an asset to a partition.
  • Assign a profile to an asset.
  • Add a tag to an asset.
  • Add an account to an asset.
  • Add account dependencies.
  • Add an asset to an asset group.
  • Download a public SSH key.

Administrative Tools | Discovery

Create and run discovery jobs to find assets, accounts, services, and SSH keys in your network environment.

Administrative Tools | Partitions

Perform partition activities including:

  • Add, modify, and delete partitions and password and SSH key profiles.
  • Add assets or accounts to the profiles.
  • Set a default profile.
  • Add and remove partition assets.

Administrative Tools | Settings | Asset Management

Perform asset management actions including:

  • Custom platform creation and deployment that includes uploading the custom platform script.
  • Tag creation to manage dynamic tags for assets and asset accounts.

Administrative Tools | Settings | Messaging

Perform messaging actions including:

  • Login notification (view only).
  • Message of the day creation.

Administrative Tools | Settings | Password Management

Perform password management actions including:

  • Account password complexity rule control (add, modify, delete).
  • Change password settings control (add, modify, delete).
  • Check password settings control (add, modify, delete).
  • Password sync groups settings control (add, modify, delete).

Administrative Tools | Settings | SSH Key Management

Perform SSH key management actions including:

  • Change SSH key settings control (add, modify, delete).
  • Check SSH key settings control (add, modify, delete).
  • Discover SSH keys to find authorized SSH keys in managed accounts.
  • SSH key sync groups settings control (add, modify, delete).

Administrative Tools | Users

Delegate partition ownership to users.

Auditor permissions

The Auditor administrator has read-only access to all features, and has the ability to review all access request activity:

  • Monitor appliance information
  • Review everything
  • Export object history
  • Run entitlement reports

On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.

Table 230: Auditor administrator: Permissions
Navigation Permissions

Dashboard

(View only) Access request and account automation

Activity Center

View and export activity events

Audit access request workflow

Reports

View and export reports

Administrative Tools | Toolbox

(View only) Access to all Administrative Tools views and the Tasks pane

Administrative Tools | Accounts

View only

Administrative Tools | Account Groups

View only

Administrative Tools | Assets

View only

Administrative Tools | Asset Groups

View only

Administrative Tools | Discovery

View only

Administrative Tools | Entitlements

View only

Administrative Tools | Partitions

View only

Administrative Tools | Settings:

  • Access Request

View only

  • Appliance

View only

  • Asset Management

View only

  • Backup and Retention

View only

  • Certificates

View only

  • Cluster

View only

  • External Integration

View only

  • Messaging

Login notification: View only.

Set message of the day.

  • Password Management

View only

  • Safeguard Access

View only

  • SSH Key Management

View only

Administrative Tools | Users

View only

Administrative Tools | User Groups

View only

Authorizer Administrator permissions

The Authorizer Administrator is the permissions administrator and performs the following:

  • Creates (or imports) Safeguard for Privileged Passwords users.
  • Grants administrator permissions to users.
  • Sets passwords, unlocks, and enables or disables both local and directory user accounts.
  • Creates and maintains the Local Password Rule.

The Authorizer Administrator also has User Administrator and Help Desk Administrator permissions.

IMPORTANT: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect the next time you log in.

Table 231: Authorizer Administrator: Permissions
Navigation Permissions

Activity Center

View and export user activity events, including authentication events.

Administrative Tools | Toolbox

Access to the Users and User Groups view.

Access to Tasks pane.

Administrative Tools | Settings:

  • External Integration | Identity and Authentication

Add, update, and delete directories used for identity and authentication.

External Federation and Radius providers can be configured for authentication use.

  • Messaging

Login notification (view only).

Set message of the day.

  • Safeguard Access

Perform access activities including:

  • (View only) Login control configuration for user login settings.
  • Password rules configuration including complexity rules.
  • (View only) Time zone.

Administrative Tools | Users

Perform user actions including:

  • Add, modify, delete, or import local and directory users.
  • Set administrator permissions.
  • Set passwords and unlock users.
  • Enable or disable users.

Administrative Tools | User Groups

Add or delete directory groups, if a directory has been added.

Help Desk Administrator permissions

A Help Desk Administrator:

  • Sets passwords for non-administrative user accounts.
  • Unlocks accounts for all user accounts.

NOTE: Help Desk Administrators can only view the user object history for their own account.

Table 232: Help Desk Administrator: Permissions
Navigation Permissions

Activity Center

View and export user activity events.

Administrative Tools | Toolbox

Access to the Users view and the Tasks pane.

Administrative Tools | Settings:

  • Messaging

(View only) Login notification.

Set message of the day.

  • Safeguard Access

View only: Login control, password rules, and time zone.

Administrative Tools | Users

Set passwords and unlock accounts for non-administrator users.

A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password.
