Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email for assistance

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions


In an access request policy, a Security Policy Administrator can require that a requester provide a reason for requesting access to a password, SSH key, or session. Then, when requesting access, the user can select a predefined reason from a list. For example, you might use these access request reasons:

  • Software Updates
  • System Maintenance
  • Hardware Issues
  • Problem Ticket

To configure access request reasons

  1. Navigate to Security Policy Management > Settings > Reasons.
  2. Click Add to add a new reason.
  3. In the New Reason dialog, enter the following:
    1. Name: Enter a name for the reason. Limit: 50 characters

    2. Description: Enter a description for the reason. Limit: 255 characters

  4. Click Save.

To edit a reason, select a previously configured reason and click Edit.

To delete a reason, select a previously configured reason and click Delete.

User Management

In the web client, expand the User Management section in the left navigation pane.


A user is a person who can log in to SPP. You can add both local users and directory users. Directory users are users from an external identity store such as Microsoft Active Directory. For more information, see Users and user groups.. in Overview of the Entities.

Your administrator permissions determine what you can view in Users. Users displayed in a faded color are disabled. The following table shows you the tabs that are available to each type of administrator.

  • Authorizer Administrator: General, History
  • User Administrator: General, User Groups (directory users only), History
  • Help Desk Administrator: General, History
  • Auditor: General, Owned Objects, User Groups, Entitlements, Linked Accounts, History
  • Asset Administrator: General, Owned Objects
  • Security Policy Administrator: General, User Groups, Entitlements, Linked Accounts, History

The Authorizer Administrator typically controls the Enabled/Disabled state. For more information, see Activating or deactivating a user account..

Go to Users:

  • web client: Navigate to Security Policy Management > Users
Users view

The Users view displays the following information about a selected user:

  • Properties tab (user): Displays the authentication, contact information, location, and permissions for the selected user.
  • User Groups tab (user): Displays the user groups in which the selected user is a member.
  • Entitlements tab (user): Displays the entitlements in which the selected user is a member; that is, an entitlement "user".
  • History (user): Displays the details of each operation that has affected the selected user.

Use these toolbar buttons to manage users:

  • New User: Add users to SPP. For more information, see Adding a user..
  • Delete: Remove the selected user. For more information, see Deleting a user..
  • View details: View and edit the details for a selected user.
  • Permissions: Display the Permissions dialog showing what administrative permissions apply to the selected user.
  • Set Password: Use this option to set a password for a local user.
  • Unlock: Use this option to unlock the account of a local user.
  • Activate User: Use this option activate the account of a selected user.
  • Deactivate User: Use this option to deactivate the account of a selected user.
  • Import: Use this button to add users to One Identity Safeguard for Privileged Passwords using a CSV file. For more information, see Importing objects.
  • Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
  • Refresh: Update the list of users.
  • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box..

Properties tab (user)

The Properties tab lists information about the selected user.

To access Properties tab, in the web client, navigate to User Management > Users > View Details > Properties.

Table 219: Users Properties tab: Identity properties



Identity Provider

The source from which the user’s personal information comes from and is synchronized with.


A user's display name.

First Name

The user's first name.

Last Name

The user's last name.

Work Phone

The user's work telephone number.

Mobile Phone

The user's mobile telephone number.


The user's email address.


The description text entered the user information was added or updated. This may be entered on the User dialog, Identity tab in the Description text box.


User can change their time zone, by default. Or, the User Administrator can prohibit a user from changing the time zone, possibly to ensure adherence to policy. For more information, see Time Zone.Time Zone in the Safeguard for Privileged Passwords Administration Guide.

Table 220: Users Properties tab: Authentication properties



Authentication Provider

How the user authenticates with SPP:

  • Certificate: With a certificate

  • Local: With a user name and password.

  • Directory name: With directory credentials.

Login name

The identifier the user logs in with.

Domain Name

If the primary Authentication Provider is a directory, this indicates the directory's domain name.

Distinguished Name

The distinguished name for authentication.

Secondary Authentication

If you set up a user to require secondary authentication, this indicates the name of this user's secondary authentication service provider.

Secondary Authentication Username

The name of the user account on the secondary authentication service provider required at log in.

Password Never Expires

When enabled, this field indicates the password associated with the user does not expire.

User Must Change Password at Next Login

When enabled, this field indicates the user will be prompted to change their password the next time they login.

Require Certificate Authentication

When enabled, a certificate will be required for authentication.

Table 221: Users Properties tab: Permission properties




Lists the user's administrator permissions or "Standard User" if user does not have administrative permissions.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating