Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Step 5: Asset Administrator adds managed systems

  1. Log in using the Asset Administrator account.
  2. Add partitions and, optionally, delegate partition ownership to other users (Adding a partition).
  3. (Optional) Set the following Password Profiles (or edit the default rules and settings defined when the partition was added):
  4. (Optional) Set the following SSH Key Profiles:
  5. (Optional) Create profiles or edit the default profiles created (Creating a password profile).
  6. Add assets to the appropriate partitions and profiles (Adding an asset).
  7. Add accounts to control access to the assets (Adding an account).

TIP: Create asset and account discovery jobs to discover and, optionally, automatically add assets and accounts to Safeguard for Privileged Passwords. For more information, see Discovery..

Step 6: Security Policy Administrator adds access request policies

  1. Log in using the Security Policy Administrator account.
  2. Set Reasons.
  3. Add user groups (Adding a user group).
  4. Add local or directory users to local user groups (Adding users to a user group).
  5. Add account groups (Adding an account group).
  6. Add accounts to account groups (Adding one or more accounts to an account group).
  7. Add entitlements (Adding an entitlement).
  8. Add users or user groups to entitlements (Adding users or user groups to an entitlement).
  9. Create access request policies (Adding an entitlement).

Using the web client

The web client uses a responsive user interface design to adapt to the user's device, from desktops to tablets or mobile phones. Only one user session will persist during a browser session. Any tabs opened after initial authentication will use the existing user session.

To log into the web client application

The following steps assume the One Identity Safeguard for Privileged Passwords Appliance has been configured and licensed. As a SPP user, if you get an appliance is unlicensed notification, contact your Appliance Administrator.

  1. From your browser, enter the SPP URL with the IP address, such as
  2. If a login notification displays, click OK to accept the notifications and restrictions stated.
  3. On the user log in screen, enter your credentials and click Log in.

Updating your avatar photo

To change your photo in the web client, expand the Username drop-down in the upper right and select My Settings. On the My Settings page, select My Account and click the circle icon with the username. Select the image file (under 64 KiB), then click Open.

Using the left navigation menu

NOTE: Use the button on mobile devices to expand and collapse the navigation menu.

The pages available to you display on the left. Clicking one of the top level headings from the left navigation menu will expand the section to display the associated subpages. For example, clicking User Management will expand the navigation menu to show all pages associated with managing users that you have permission to access.

You can reduce the left menu using the button located at the bottom of the left navigation menu.

My Settings

From My Settings, you can set a variety of controls for using the web client. The settings you see are based on your role and permissions.

Go to My Settings

In the upper right corner, next to your user name, click then My Settings to proceed.

On the My Settings dialog, the tabs available are based on your role and permissions.

Using the General tab

  • Language drop-down: Use this drop-down to change the site language. By default, this is set to Browser Language (Auto Detect).
  • About Safeguard: The Appliance Version displays.

Using the My Account tab

  • Contact Information: Click Edit to change Email, Work Phone, or Mobile Phone. Click Save to save your changes or click Cancel to revert to the previous setting.
  • Location: Select your time zone in the drop-down box. Changing your time zone may be prohibited based on your organization's security procedures. If available, choose to:
    • Display times in local computer time: This is the default. It is the time zone set on your local computer.
    • Display times in my configured time zone: This is the time zone that is set on this page.
  • Manage Email Notifications: The Manage Email Notifications dialog displays the type of events for which you are receiving email notifications. You can define the types of events for which you want to receive notifications. By default, all events are selected. If the event is Built In to SPP, a displays. When there are multiple events, an Events link appears that leads to the Subscriptions dialog listing the Name, Description, and Category of the event.
    • Clear the check box for any events for which you do not want to receive an email notification.
    • To set all check boxes, select or clear the check box at the top of the list to the left of the header.

    NOTE: When there are no delegated owners assigned to a partition, email notifications related to partitions are sent to the Asset Administrator. However, when a delegated owner is specified to manage the assets and accounts in a partition, email notifications related to partitions are sent to the delegated owner, not to the Asset Administrator.

  • Manage FIDO2 Keys (Available if you are required to perform FIDO2 two-factor authentication.): If the FIDO2 feature is enabled, at least one FIDO2 key must be registered. When a key is added, the placeholder name is Unnamed Key. You can enter a meaningful name or later edit the name. It is recommended that all users have more than one key registered in case a key is lost or damaged. For existing keys, you will see the name and date each existing key was registered and last used.
    • To change a name, enter the new name, then click Save.
    • To remove a key, click Remove by the key. One key must remain registered. If a physical security key is lost, always delete the associated key from Safeguard for Privileged Passwords.
    • To add a key, click Register New FIDO2 Key.
      1. You will be asked to insert or connect to the new key.
      2. You will be prompted to reenter your primary credentials for verification.

      3. Tap or activate your new FIDO2 key that is being registered.

      4. You may then go back to the Manage FIDO2 Key page and give your newly registered key a name, then click Save.

      For more information, see Requiring user to log in using secondary authentication.

  • Change Password: The password requirements are listed. Enter your Current Password and the New Password as directed. (Click Display or Hide to view or hide the password as it is entered.) Click Save.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating