Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding check password settings

It is the responsibility of the Asset Administrator or the partition's delegated administrator to define the rules SPP uses to verify account passwords.

Navigate to Asset Management > Profiles > View Password Profile Components > Check Password.

To add a password validation schedule

  1. Click Add to open the Check Password Settings dialog.
  2. Enter a Name of up to 50 characters for the rule.
  3. Enter a Description of up to 255 characters for the rule.
  4. Select the partition using the browse button.
  5. Optionally, complete either of these settings:

    • Reset Password on Mismatch: Select this option to automatically change a password when SPP detects the password in the appliance database differs from the password on the asset.
    • Notify Owners on Mismatch: Select this option to trigger a notification when SPP detects a password mismatch.

      NOTE: To send event notifications to a user, you must configure SPP to send alerts. For more information, see Configuring alerts.. Set up an email template for the Password Check Mismatch event type.

  6. Open the Schedule tab and choose an interval.
  7. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • Configure the following.

      To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

      Enter a frequency for Run Every. Then, select a time frame:

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

    • (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.

    If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

Change Password

Change password settings are the rules SPP uses to reset account passwords.

Navigate to Asset Management > Profiles > View Password Profile Components > Change Password.

The Change Password pane displays the following about the listed change password setting rules.

Table 159: Change Password: Properties
Property Description
Name

The name of the rule.

Partition The partition that uses the rule.
Description

Information about the rule.

Schedule Displays the selected rule's schedule.

Use these toolbar buttons to manage the change password setting rules.

Table 160: Change Password: Toolbar
Option Description
Add Add a change password rule. For more information, see Adding change password settings..
Delete

Remove the selected rule.

Refresh Update the list of change password rules.
Edit Modify the selected rule.

Search

To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box..

Adding change password settings

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules SPP uses to reset account passwords.

IMPORTANT: Passwords for accounts associated with a password sync group are managed based on the profile change schedule and processed via the sync group. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue. For more information, see Password sync groups..

Navigate to Asset Management > Profiles > View Password Profile Components > Change Password.

To add a password reset schedule

  1. Click Add to open the Change Password Settings dialog.
  2. Enter a Name of up to 50 characters for the rule.
  3. Enter a Description of up to 255 characters for the rule.
  4. Select a partition using the Browse button.
  5. Optionally, complete any of these settings:

    • Change Passwords Manually. For more information, see How do I manage accounts on unsupported platforms..
    • Change the password even if release is active: Select this option to allow a password change even when a password release is active.

    • Require current password: Select this option to require a current password.

    • Suspend account when checked in: Select this option to automatically suspend managed accounts that are not in use. That is, the account on a managed asset is suspended until a request is made for it through SPP, at which time SPP restores the account. Once the request is checked in or closed, the account is again suspended.
      Click the supported platforms link to display a list of platforms that support this feature.

    • Reschedule for unscheduled password change: Select this option to reset the password schedule when a password is manually changed. For example: a password reset is scheduled to occur every 10 days, but on day 8 the password is manually changed. Due to this manual reset, the schedule will restart so that the next password reset will occur in 10 days rather than keeping the original scheduled reset (which would have been in 2 days).

    NOTE: All options listed below are supported only on Windows platforms. Expand the Windows Only section to view these options.

    • Update service on password change (Windows Only): For Windows services that are configured to run as a local managed account or a dependent AD account on an asset, select this option to ensure that the password change is also applied to each service the account runs. If the service is running as a dependent AD account, the windows asset and the dependent Active Directory account must be in the same profile.

    • Restart service on password change (Windows Only): For Windows services that are configured to run as a local managed account or a dependent AD account on an asset, select this option to ensure that there is an automatic restart after the password is changed. For a local account, the profile assigned to the account is used. For an AD account, the profile assigned to the asset is used.

    • Update IIS app pool on password change (Windows Only): For IIS App pools that are configured to run as a local managed account or a dependent AD account on an asset, select this option to ensure that the password change is also applied to each IIS App pool the account runs. If the service is running as a dependent AD account, the windows asset and the dependent Active Directory account must be in the same profile.

    • Update COM+ on password change (Windows Only): For Com+ applications that are configured to run as a local managed account or a dependent AD account on an asset, select this option to ensure that the password change is also applied to each COM+ application the account runs. If the service is running as a dependent AD account, the windows asset and the dependent Active Directory account must be in the same profile.

    • Update task on password change (Windows Only): For scheduled tasks that are configured to run as a local managed account or a dependent AD account on an asset, select this option to ensure that the password change is also applied to each task the account runs. If the service is running as a dependent AD account, the windows asset and the dependent Active Directory account must be in the same profile.

  6. (Only Linux, Unix, and Windows SSH platforms) (Optional) On the Dependent Systems tab, click Edit to configure a custom dependency that will run a command on an asset to perform custom updates when a password is changed for a dependent account. The following configuration options are available:

    IMPORTANT: When configuring custom dependency commands, the following information should be kept in mind:

    • Any valid command on the asset that is accessible to the service account can be configured to run as a dependency. NO VALIDATION will be performed by Safeguard on the command.

    • You cannot discover services, or automatically configure dependencies on Linux/Unix.

    • A directory account can be manually configured as a dependent account on Linux/Unix.

    • If you add a directory account as a dependent account for a Linux/Unix asset, the asset's profile will determine the action (including any custom commands) to take when the AD account password changes.

    • Local accounts are automatically dependent accounts if a custom dependency is configured in the account's password profile.

    • For AD accounts, custom dependencies will only run after a successful password change; and will run on each Unix or Linux asset configured as a dependent asset, rather than on the AD asset.

    • For AD accounts, any commands configured to run before a password change or after a failed password change will be ignored.

    • Run custom command before password change: Select this option to configure a custom dependency that is run before a password change occurs on a dependent account.

      • Command: This is the command that will be run. It is a free format string that should identify the fully qualified path of the command to be run. It can contain tokens that will be resolved using the account details when the operation runs.

        You can use the Insert Command Token drop-down to add tokens to the field. For example, selecting AssetName will add %{AssetName}% to the Command field. The AssetName token will then be replaced when the operation is run on an asset.

      • Command Line Arguments: These are the arguments that will be passed on the command line. It can contain tokens that will be resolved using the account details when the operation runs. The command line arguments should be quoted appropriately (for example, an argument that contains a space must be quoted).

        You can use the Insert Command Line Argument Token drop-down to add tokens to the field. For example, selecting UserKey will add %{UserKey}% to the Command Line Arguments field.

      • Stdin Arguments: The is an ordered list of arguments that will be written to stdin when the command is run. Each string in the list will be written as a separate line and can contain tokens.

        You can use the Insert Stdin Argument button to open a dialog that allows you to enter a string value. You can also use the Insert Stdin Argument Token drop-down to select from a list of tokens that be included. For example, selecting DelegationPassword will add %{DelegationPassword}% as a string in the Stdin Arguments section.

      • Stop On Fail: When selected, the password change will not be run if the custom dependency command fails.

      • Log Command: When selected, the command to be run will be logged.

      • Log Command Arguments: When selected, the command line arguments will be logged.

      • Log Stdin Arguments: When selected, the arguments written to stdin will be logged.

      • Log Stdout: When selected, the output generated by the command will be logged.

    • Run custom command after successful password change: Select this option to configure a custom dependency that is run after a successful password change on a dependent account.

      • Command: This is the command that will be run. It is a free format string that should identify the fully qualified path of the command to be run. It can contain tokens that will be resolved using the account details when the operation runs.

        You can use the Insert Command Token drop-down to add commands to the field. For example, selecting AssetName will add %{AssetName}% to the Command field.

      • Command Line Arguments: These are the arguments that will be passed on the command line. It can contain tokens that will be resolved using the account details when the operation runs. The command line arguments should be quoted appropriately (for example, an argument that contains a space must be quoted).

        You can use the Insert Command Line Argument Token drop-down to add commands to the field. For example, selecting UserKey will add %{UserKey}% to the Command Line Arguments field.

      • Stdin Arguments: The is an ordered list of arguments that will be written to stdin when the command is run. Each string in the list will be written as a separate line and can contain tokens.

        You can use the Insert Stdin Argument button to open a dialog that allows you to enter a string value. You can also use the Insert Stdin Argument Token drop-down to select from a list of tokens that be included. For example, selecting DelegationPassword will add %{DelegationPassword}% as a string in the Stdin Arguments section.

      • Log Command: When selected, the command to be run will be logged.

      • Log Command Arguments: When selected, the command line arguments will be logged.

      • Log Stdin Arguments: When selected, the arguments written to stdin will be logged.

      • Log Stdout: When selected, the output generated by the command will be logged.

    • Run custom command after failed password change: Select this option to configure a custom dependency that is run after a password change fails for a dependent account.

      • Command: This is the command that will be run. It is a free format string that should identify the fully qualified path of the command to be run. It can contain tokens that will be resolved using the account details when the operation runs.

        You can use the Insert Command Token drop-down to add commands to the field. For example, selecting AssetName will add %{AssetName}% to the Command field.

      • Command Line Arguments: These are the arguments that will be passed on the command line. It can contain tokens that will be resolved using the account details when the operation runs. The command line arguments should be quoted appropriately (for example, an argument that contains a space must be quoted).

        You can use the Insert Command Line Argument Token drop-down to add commands to the field. For example, selecting UserKey will add %{UserKey}% to the Command Line Arguments field.

      • Stdin Arguments: The is an ordered list of arguments that will be written to stdin when the command is run. Each string in the list will be written as a separate line and can contain tokens.

        You can use the Insert Stdin Argument button to open a dialog that allows you to enter a string value. You can also use the Insert Stdin Argument Token drop-down to select from a list of tokens that be included. For example, selecting DelegationPassword will add %{DelegationPassword}% as a string in the Stdin Arguments section.

      • Report of Exit Status: When selected, the exit status will be reported to SPP and the operation will be retried. When this option is not selected, SPP will report success for the operation regardless of the result.

      • Log Command: When selected, the command to be run will be logged.

      • Log Command Arguments: When selected, the command line arguments will be logged.

      • Log Stdin Arguments: When selected, the arguments written to stdin will be logged.

      • Log Stdout: When selected, the output generated by the command will be logged.

  7. On the Schedule tab, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • Configure the following.

      To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

      Enter a frequency for Run Every. Then, select a time frame:

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

    • (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.

    If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

  8. Click OK.

Account Password Rules

Account password rules govern the construction of a new password created by SPP during an automatic account password change. You can create rules governing the allowable account passwords, such as:

  • Set the allowable password length in a range from 3 to 225 characters.

    IMPORTANT: The default password length for a macrocosm partition does NOT meet the password requirements for Azure AD. If you are using the Starling Connect functionality with Azure AD, you will need to set the password range between 8 and 225 characters.

  • Set first characters type and last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

NOTE: You select an account password rule set when defining a partition's profile. For more information, see Creating a password profile.. An account password rule applies to all accounts governed by the profile.

Navigate to Asset Management > Profiles > View Password Profile Components > Account Password Rules.

Use these toolbar buttons to manage your account password rules.

Table 161: Account Password Rules: Toolbar
Option Description
Add

Add an account password complexity rule. For more information, see Adding an account password rule..

Delete

Remove the selected rule.

Edit

Modify the selected rule.

Refresh

Update the list of account password rules.

Search

To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box..

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating