Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us


It is the responsibility of the Appliance Administrator to manage the appliance time.

Time displays the current appliance time and allows you to enable Network Time Protocol (NTP) and set the primary and secondary NTP servers. In addition, when enabled, the NTP client status can be displayed. As a best practice, set an NTP server to eliminate possible time-related issues.

While not recommended, you can also set the appliance time on a primary (not cluster) manually.

CAUTION: Changing appliance time can result in unintended consequences with processes running on the appliance. For example, there could be a disruption of password check and change profiles and audit log time stamps could be misleading. Do not set the system time before or after the validity period of the Safeguard internal certificates because the appliance will not function.

Clustered environments

NTP setting changes are made on the primary appliance in a cluster. When a replica appliance is enrolled into the cluster, it points to the primary appliance's VPN IP address as the Primary NTP Server and the NTP client service is enabled on the replica appliance. When performing a failover operation to promote a replica to be the new primary, the Primary NTP Server is preserved and applied from the 'old' primary appliance.


The following warnings display if your local time is not within five minutes of the appliance time. One Identity recommends that you set an NTP server to eliminate possible time-related issues.

  • Upon log on: Warning: The time associated with Safeguard and your local time are off by 5 or more minutes. Contact the Safeguard administrator to correct this issue before further use.
  • On the Settings > Appliance > Time page: The appliance time and your local time have a difference of 5 or more minutes. It is recommended to set an NTP server.

To enable Network Time Protocol (NTP) and set the primary and secondary NTP servers

  1. Go to Time:
    • web client: Navigate to Appliance > Time.
  2. Select the Enable Network Time Protocol (NTP) check box then provide the following information:

    • Primary NTP Server: Enter the IP address or DNS name of the primary NTP server.

    • Secondary NTP Server: (Optional) Enter the IP address or DNS name of the secondary NTP server.
  3. Click Save to save your selections.

    When NTP is enabled, click Show Details to view the following information about the NTP client status.

    • Last Sync Time
    • Leap Indicator
    • Poll Interval
    • Precision
    • Reference ID
    • Root Delay
    • Root Dispersion
    • Source
    • Stratum
    • Last Sync Error
    • Time Since Last Good Sync

If NTP is set and you need to change the time, go to the API and use Set-SafeguardTime. For information about using the API, see Using the API.

To manually set the appliance time on a primary (not cluster)

To manually set the time on the appliance (primary not cluster), follow the steps below.

CAUTION: Manually setting the time should be done with caution. Time changes can cause critical data loss.

  1. Go to Time:
    • web client: Navigate to Appliance > Time.
  2. Clear the Enable Network Time Protocol (NTP) check box.
  3. Click OK.
  4. Click Edit.
  5. For the most accurate time, complete the following steps quickly.
    1. On the Set System Time dialog, click Use Client Time to use the local time or select the date and time.
    2. Click OK. The Set System Time warning dialog displays indicating that: Extreme time changes in Safeguard may cause critical data loss.
    3. Type Set Time in the dialog box to confirm then click OK.

Time Zone

Safeguard for Privileged Passwords sets a default time zone based on the location of the person performing the set up. The time zone is expressed as UTC + or – hours:minutes and is used for timed access (for example, access from 9 a.m. to 5 p.m.). It is recommended that the Bootstrap Administrator set the desired time zone on set-up. An Authorizer Administrator can also change the time zone.

To configure the time zone

  1. Navigate to User Management > Settings > Time Zone.
  2. The User Administrator can search for and select the desired time zone.
  3. The User Administrator can change Allow users to modify their own time zone.
    • Enable the setting to let users change their time zone (the default).
    • Disable the setting to prohibit a user from changing their time zone, possibly to ensure the user conforms with policy.

Backup and Retention

Use the Backup and Retention settings to manage your Safeguard for Privileged Passwords backups and archive servers.

It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged Passwords backup and retention settings.

Go to Backup and Retention:

  • web client: Navigate to Backup and Retention.
Table 20: Backup and Retention settings
Setting Description
Archive servers Where you add and manage archive servers for storing backup files and session recordings.

Audit Log Maintenance

Where you define the audit logs to be archived and purged as well as a schedule for performing the audit log archival task.

Backup and Restore Where you initiate or schedule a backup, upload or download a backup file, or specify the archive server where a backup file is to be stored.
Backup Retention Where you enable (or disable) backup retention and set the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance.

Authorize VM Compatible Backups

Where you authorize the download of Safeguard for Privileged Passwords hardware appliance backups which can then be uploaded and restored to a Safeguard for Privileged Passwords virtual machine.

About backups

Safeguard for Privileged Passwords backs up the following:

  • All settings, except:

    • Appliance IP address
    • Network Time Protocol (NTP) configurations
    • Domain Name System (DNS) configuration
  • Audit logs
  • All information about Safeguard for Privileged Passwords objects:

    • Accounts
    • Account groups
    • Assets
    • Asset groups
    • Entitlements
    • Partitions
    • Users
    • User groups

Safeguard for Privileged Passwords encrypts and signs the data before it makes it available for downloading to an off-appliance storage. Only a genuine Safeguard for Privileged Passwords Appliance can decrypt the backup after it is uploaded to the appliance. Backups downloaded from virtual appliances can only be uploaded and restored to a virtual appliance. Backups downloaded from hardware appliances can only be uploaded and restored to a hardware appliance. A hardware backup can be downloaded as virtual compatible once the hardware appliance has been authorized for VM Compatible Backups. A VM compatible backup can be uploaded and restored to a virtual appliance.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating