Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.0.4.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

None

When the asset's Authentication Type on the Connection tab is set to None, Safeguard for Privileged Passwords does not manage any accounts associated with the asset and does not store asset related credentials.

All assets must have a service account in order to check and change the passwords for the accounts associated with the asset.

Select the Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server. For more information, see Adding an archive server.

You can also use the SSH Session port field to specify the access port on the target server to be used for SSH session requests (default is port 22).

Management tab (add asset)

Use the Asset Management > Assets > Management tab to add the partition and profile to which the asset is assigned. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. All assets must be governed by a profile. New assets are automatically governed by the default profile unless otherwise specified.

The settings for an asset are shown below.

Table 109: Asset: Management tab properties
Property Description
Partition

Browse to select a partition for this asset. You can set a specific partition as the default, see Setting a default partition.

Password Profile

Browse to select a password profile to manage this asset's accounts.

You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.

Click Reset to set the profile to the current default.

The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.

SSH Key Profile

Browse to select an SSH key profile to manage this asset's accounts.

You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.

Click Reset to set the profile to the current default.

The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.

Enable Session Request

If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset.

Clear this check box if you do not want to allow session requests for this asset. If an asset is disabled for sessions and an account on the asset is enabled for sessions, sessions are not available because the asset does not allow sessions.

Available for discovery across all partitions

Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; select this check box to allow the asset to be discovered across all partitions.

Manage using hashed password

Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; selecting this check box indicates password encryption will be performed by Safeguard when performing a Change Password operation.

Managed Network

The managed network that is assigned for work load balancing. For more information, see Managed Networks.

Attributes tab (edit asset)

NOTE: The Attributes tab only appears after you have successfully added a new asset and is accessed by editing the asset.

In the web client, the Attributes tab is used to add attributes to directory assets (including Active Directory and LDAP). For more information, see Adding identity and authentication providers.

IMPORTANT: Some Active Directory attributes are fixed and cannot be changed.

Table 110: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords Attribute Directory Attribute
User
ObjectClass

Default: user for Active Directory, inetOrgPerson for LDAP

Click Browse to select a class definition that defines the valid attributes for the user object class.

Username

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

Description

description

MemberOf

Blank by default, this attribute can be set to a directory schema attribute that contains the list of directory groups of which the user is a member.

Alternate Login Name

userPrincipalName

NOTE:

By default the Alternate Login Name attribute for directories is set to userPrincipalName, however another directory attribute containing a UPN type account name can be used.

This attribute can be used in conjunction with the API's UseAltLoginName setting (disabled by default) which will instead use the Alternate Login Name as the account name. The API is PUT https://<host>/service/core/v3/AccessPolicies/{id} where the {id} is the id of the accessPolicy where you'll set the UseAltLoginName to true. UseAltLoginName is a boolean field on the asset data object.

Group
ObjectClass

Default: group for Active Directory, groupOfNames for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Computer  

ObjectClass

Default: computer for Active Directory, ipHost for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

cn

Network Address

dNSHostName for Active Directory, ipHostNumber for LDAP

Operating System

operatingSystem for Active Directory

Operating System Version

operatingSystemVersion for Active Directory

Description

description

Checking an asset's connectivity

After you add an asset you can verify that Safeguard for Privileged Passwords can log in to it using the Test Connection option.

NOTE: When you run Test Connection from the asset's Connection tab (such as when you add the asset initially), you must enter the service account credentials. Once you add the asset to Safeguard for Privileged Passwords it saves these credentials.

The Test Connection option does not require that you enter the service account credentials because it uses the saved credentials to verify that it can log in to that asset.

To check an asset's connectivity

  1. Navigate to Asset Management > Assets.

  2. Select an asset.

  3. Click the Test Connection button.

    Safeguard for Privileged Passwords displays a task pane that shows the results.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating