Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Privileged access requests

Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.

In order for a request to progress through the workflow process, authorized users perform assigned tasks. These tasks are performed from the user's Home page.

As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, an Administrator can set up alerts to be sent to users when there are pending tasks needing attention. For more information, see Configuring alerts.

The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:

  • Requesters see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).

    Requesters can also define favorite requests, which then appear on their Home page for subsequent use.

  • Approvers see tasks related to approving (or denying) and revoking access requests.
  • Reviewers see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.

The following three workflows are available:

Configuring alerts

All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.

  • Access Request Approved
  • Access Request Denied
  • Access Request Expired
  • Access Request Pending Approval
  • Access Request Revoked
  • Password was Changed
  • SSH key was Changed
  • Review Needed

Email notifications

You must configure Safeguard for Privileged Passwords properly for users to receive email notifications:

  • For Local users, you must set your email address correctly in My Settings. For more information, seeMy Settings.
  • For Directory users, set your email correctly in the directory where your user resides.
  • The Security Policy Administrator must configure the access request policies to notify people of pending access workflow events (that is, pending approvals and pending reviews). For more information, see Creating an access request policy.
  • The Appliance Administrator must configure the SMTP server. For more information, see Enabling email notifications.
Role-based email notifications generated by default

Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.

Table 14: Email notifications based on administrative permissions
Administrative permission Event/Warning

Appliance Administrator

Operations Administrator

Appliance Healthy

Appliance Restarted

Appliance Sick

Appliance Task Failed

Archive Task Failed

Cluster Failover Started

Cluster Replica Enrollment Completed

Cluster Replica Removal Started

Cluster Reset Started

Disk Usage Warning

Factory Reset Appliance

License Expired

License Expiring Soon

NTP Error Detected

Operational Mode Appliance

Raid Error Detected

Reboot Appliance

Shutdown Appliance

Partition Owner (if none, sent to the Asset Administrator)

NOTE: If Asset Administrators want to be notified along with the Partition Owners, they can set themselves up as an explicit owners or create an email subscription for the event.

The API /service/core/v3/EventSubscribers endpoint can be used to create event subscribers for events, including events on specific assets or accounts.

Account Discovery Failed

Dependent Asset Update Failed

Password Change Failed

Password Check Failed

Password Check Mismatch

Password Reset Needed

Restore Account Failed

Service Discovery Failed

SSH Check Mismatch

SSH Host Key Mismatch

SSH Key Change Failed

SSH Key Check Failed

SSH Key Discovery Failed

SSH Key Install Failed

SSH Key Reset Needed

SSH Key Was Reset

Suspend Account Failed

Test Connection Failed

Security Policy Administrator

Policy Expiration Warning

Policy Expired

Entitlement Expiration Warning

Entitlement Expired

NOTE: Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:

POST /service/core/v3/Me/Subscribers/{id}/Disable

In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:

POST /service/core/v3/EventSubscribers

Password release request workflow

Safeguard for Privileged Passwords provides secure control of managed accounts by storing account passwords until they are needed, and releases them only to authorized persons. Then, Safeguard for Privileged Passwords automatically updates the account passwords based on configurable parameters.

Typically, a password release request follows this workflow.

  1. Request: Users that are designated as an authorized user of an entitlement can request passwords for any account in the scope of that entitlement's policies.
  2. Approve: Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.
  3. Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating