Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.3 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Not integrated with ticketing system

You can use ticketing that is not configured with an external ticketing system to track tickets.

Tickets can be viewed in the Activity Center, Ticket # column.

Security Policy Administrators can require requesters to reference a ticket number in their password, SSH key, or session access request but not have the ticket validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request.

Setting up ticketing

  1.  Go to Ticket Systems:
    • web client: Navigate to External Integration > Ticket Systems.
  2. Click  Add to add a ticket system.
  3. Select Other and complete this information:
  4. Click Validate to validate the Regular Expression entry.

Ticket workflow

  1. The Security Policy Administrator creates an access request policy that requires the requester to provide a ticket number when creating an access request.
  2. When the requester makes a request, they must enter a ticket number on the New Access Request dialog, Request Details tab, Ticket Number field. See:
  3. Safeguard for Privileged Passwords validates the ticket number against the regular expression. If the ticket number is an exact match to the regular expression, the workflow continues.

Trusted Servers, CORS, and Redirects

You can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. By default, a single asterisk (*) means there are no restrictions. This will allow you to easily join multiple Safeguard for Privileged Passwords appliances together to form a cluster. In addition, you will also be able to link to a Safeguard for Privileged Sessions appliance. However, as a best practice, you should change or delete this value after configuring your cluster. It is recommended to set it to the empty string to prevent external CORS requests and login redirects to unknown servers. Or, set it to a list of known servers that integrate with the Safeguard API.

One or more values can be separated by a space, comma, or new line. Do not include the scheme, port, or path. The maximum length for the setting is 512 characters, including separators. Example values and additional details can be seen in the following table.

Table 58: Value detail

IPv4

No reverse DNS lookup will be performed. No scheme or port values are considered.

10.5.33.37

192.168.0.2

IPv6

No reverse DNS lookup will be performed. No scheme or port values are considered.

2001:0db8:85a3:0000:0000:8a2e:0370:7334

2001:0db8:85a3:0:0:8a2e:0370:7334

2001:db8::1:0:0:1

2001:db8::2:1

2001:db8::1

DNS/Host Names

Case insensitive match. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent.

spp.contoso.corp

primary.spp.contoso.corp

widget.contoso.corp

widget

DNS Wildcards

Only one level to the wildcard is allowed, just like SSL certificates. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent.

*.spp.contoso.corp

*.contoso.corp

CIDR Notation

Any DNS or host name values being validated will have DNS lookup performed to see if any resolved IP addresses are contained within any of the specified CIDR networks. No scheme or port values are considered.

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

76.240.155.0/24

fd12:3456:789a:1::/64

fd00::/8

Allow All

A single asterisk, no other values allowed.

*

Allow None

Delete all values and leave as the empty string.

 

Considerations:

  • When adding a new node to the Safeguard for Privileged Passwords cluster, the node’s host name or IP address must be specified in this list, or enter a single asterisk to allow all.
  • When linking Safeguard for Privileged Sessions to Safeguard for Privileged Passwords, the host name or IP address of the Safeguard for Privileged Sessions appliance must be specified in this list, or enter a single asterisk to allow all.
  • As a best practice, after clustering (or if using just a single appliance/VM), change the setting value to the empty string or a list of integration applications you wish to allow.

To set up Trusted Servers, CORS and Redirects:

  1. Go to Trusted Servers, CORS and Redirects:
    • web client: Navigate to External Integration > Trusted Servers, CORS and Redirects.
  2. Refresh: Update the information displayed.
  3. In Allow Hosts, enter the list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. As mentioned above, the default is a single asterisk (*) which means there are no restrictions.
  4. Click Save (web client).

Real-Time Reports

Safeguard for Privileged Passwords allows you to view real-time information regarding your cluster, appliance schedules, scheduled platform tasks, and appliance resources.

  • Navigate to Real-Time Reports to see the information and options listed below.
    Table 59: Real-Time Reports pages
    Page Description

    Cluster Information

    Summary Lists your configured appliances.

    <appliance name>

    Individual tabs showing information for each appliance.

    Session Appliances

    Displays the link connections when a Safeguard for Privileged Sessions cluster is linked to a Safeguard for Privileged Password for session recording and auditing.

    Appliance Schedules

    Audit Log Displays information regarding the audit log schedule.
    Backup Displays information regarding the backup schedule for the appliance you are currently logged in to.

    Profile Schedule

    Displays information regarding the schedules for each profile and discovery type.

    Scheduled Platform Tasks

    Appliances Displays information on the scheduled tasks for each appliance.
    Task counts

    The left pane displays the individual tasks. Selecting the check box for a task will update the calendar (displayed in the right pane) to show the selected tasks.

    The right pane displays an interactive calendar view of the tasks. Clicking on a task in the calendar will display additional information regarding the task(s). The following options can be used to navigate the calendar:

    • : Navigates to today’s date. To locate other dates on the calendar, use the following navigation options:, , , , , and . To jump between dates that have tasks associated with them, use the following navigation options: , , , and .

    Views

    • : Switches to monthly view.

    • : Switches to weekly view.

    • : Switches to daily view.

    Appliance Resources

    This page displays graphical representations of the resources in use by the appliance you are currently logged in to. Mousing over a graph will provide additional information on the percentages displayed.

  • Safeguard Access

    Safeguard for Privileged Passwordsallows you to configure settings related to accessing Safeguard for Privileged Passwords.

    Go to Access settings:

    • web client: Navigate to Safeguard Access.
    Table 60: Safeguard for Privileged Passwords Access settings
    Setting Description

    Messaging settings

    Where you set Login Notification and the Message of the Day

    Local Login Control Where you configure the user login control settings
    Local Password Rule Where you configure user password complexity rules

    Time Zone

    Where you can set the time zone and select whether or not users can change their time zone

    Identity and Authentication

    Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating