Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Creating an import file

When importing objects, such as accounts, assets, or users, SPP expects the import file to be a Comma Separated Values (CSV) file.

A CSV file is a text file used to store database entries where each line is a unique record and each record consists of fields of data separated by commas. You must not add any trailing spaces in the properties you define in the CSV file. The easiest way to create a CSV file is by using a spreadsheet program such as Microsoft Excel; however, you can use any text editor, such as Notepad, to create a comma-delineated file, as long as you save the file with a .csv file type extension.

The order of the columns is not important, but the title of the column must match the property name.

To create a customized .csv file template

  1. In the Import dialog, click Download Template to save a copy of the template properties table to a location of your choice.

  2. Locate the downloaded template and add your specific information to the template.

  3. Use the customized .csv file to import the objects.

    For more information on columns, see Template CSV file.

Template CSV file

Clicking Download Template will download a template file in which the columns will match the export column names. The following is a list of columns in each template.

Asset template

The Asset template CSV contains the following columns:

  • Name: A string containing the display name for this asset.

  • PlatformDisplayName: A string containing the name of the Platform for this asset.

  • Description: A string containing a description for this asset.

  • AssetPartitionName: A string containing the name of the Partition for this asset.

  • NetworkAddress: A string containing the network address for this asset.

  • ConnectionProperties/Port: An integer containing the port for this asset.

  • ConnectionProperties/ServiceAccountDomainName: A string containing the service account domain name if it has one.

  • ConnectionProperties/ServiceAccountName: A string containing the service account name.

  • ConnectionProperties/ServiceAccountPassword: A string containing the password to use for the service account.

  • ConnectionProperties/ServiceAccountCredentialType: A string specifying the type of credential to use to authenticate to the asset.

    The possible values are None, Password, SshKey, DirectoryPassword, LocalHostPassword, AccessKey, AccountPassword, Custom, Starling.

  • ConnectionProperties/AccessKeyId: A string containing an access key ID for AWS password management.

  • ConnectionProperties/SecretKey: A string containing a secret key for AWS password management.

  • ConnectionProperties/ServiceAccountDistinguishedName: A string containing the LDAP distinguished name of a service account. This is used for creating LDAP directories.

  • ConnectionProperties/UseSslEncryption: Do not use SSL encryption for LDAP directory, valid values are true, false, or leave it empty.

  • ConnectionProperties/VerifySslCertificate: Do not verify Server SSL certificate of LDAP directory, valid values are true, false, or leave it empty.

  • ConnectionProperties/PrivilegeElevationCommand: A string containing the privilege elevation command, ex. sudo.

  • ConnectionProperties/ServiceAccountSshKey/PrivateKey: A string containing the service accounts private key.

  • ConnectionProperties/ServiceAccountSshKey/Passphrase: A string containing the passphrase to access the service account private key, blank if not needed.

  • SshHostKey/SshHostKey: A string specifying the SSH host key for this asset.

AssetAccount template

The AssetAccount template CSV contains the following columns:

  • Name: A string containing the name for the account.

  • Description: A string containing the description for the account.

  • DomainName: A string containing the domain name for the account.

  • DistinguishedName: A string containing the distinguished name for the account.

  • Asset/Name: A string containing the asset that contains this account.

AssetAccountPassword template

The AssetAccountPassword template CSV contains the following columns:

  • Name: A string containing the name of the account to set the password on.

  • Asset/Name: A string containing the name of the asset that contains this account.

  • Asset/AssetPartitionName: A string containing the name of the partition of the asset that contains this account.

  • Password: A string containing the password to set on this accout.

AssetAccountSshKey template

The AssetAccountSshKey template CSV contains the following columns:

  • Name: A string containing the name of the account to set the SSH key on.

  • Asset/Name: A string containing the name of the asset that contains this account.

  • Asset/AssetPartitionName: A string containing the name of the partition of the asset that contains this account.

  • PrivateKey: A string containing the Private Key.

  • Passphrase: A string containing the passphrase to access the Private Key, blank if not needed.

  • Comment: A string containing the SSH Key comment.

User template

The User template CSV contains the following columns:

  • Name: A string containing the username to give to the new user.

    NOTE: Names must be unique per identity provider.

  • FirstName: A string containing the first name of the user.

  • LastName: A string containing the last name of the user.

  • Description: A string containing the description of the user.

  • EmailAddress: A string containing the email address of the user.

  • WorkPhone: A string containing the work phone number of the user.

  • MobilePhone: A string containing the mobile phone number of the user.

  • AdminRoles: A string containing the permissions (admin roles) to assign to the user.

    Use the following format: "[""permission"",""permission"",""permission""]"

    The valid values are GlobalAdmin, ApplicationAuditor, SystemAuditor, Auditor, AssetAdmin, ApplianceAdmin, PolicyAdmin, UserAdmin, HelpdeskAdmin, OperationsAdmin.

  • DirectoryProperties/DomainName: A string containing the DNS name of the domain this user is in.

  • PrimaryAuthenticationProvider/Name: A string containing the name of the authentication provider.

  • PrimaryAuthenticationProvider/Identity: A string containing the identity of the user to authenticate with.

  • Password: A string containing the password.

Security Policy Management

In the web client, expand the Security Policy Management section in the left navigation pane.

Access Request Activity

The Access Request Activity page allows Security Policy Administrators to review and manage access requests from a single location. Clicking one of the access request tiles on the page displays additional information about the access requests belonging to that category. In addition, you can review the request workflow, launch a live session, end a session, or revoke a specific request.

This dashboard is available to SPP users assigned the following administrative permissions:

  • Auditor: Read-only view.
  • Security Policy: Full control.
Access requests: Tiles

Clicking any of the following tiles will open a dialog showing additional information. Click the button to customize the tiles that are displayed.

  • Open Requests: Displays a list of all currently opened access requests, including session requests and password release requests.
  • Pending Approval: Displays a list of access requests to be approved.
  • Pending Review: Displays a list of access requests to be reviewed.
  • Open Sessions: Displays a list of all currently opened sessions.
  • Passwords Out: Displays a list of all password release requests that are currently checked out.
  • SSH Keys Out: Displays a list of all SSH key release requests that are currently checked out.
  • API Keys Out: Displays a list of all API key release requests that are currently checked out.
Access requests: Toolbars

After opening one of the tiles, use the toolbar at the top of the details grid to perform the following tasks.

  • View Details: Select to view additional information regarding the request.
  • Request Workflow Details: Select to review the transactions that took place in the selected request. Clicking this button displays the Request Workflow dialog allowing you to audit the transactions that occurred during the request's workflow from request to approval to review.
  • Session Audit Log in SPS: Click this button to open the session audit log in Safeguard for Privileged Sessions.
  • View Live Session: Select to view a live session for the selected session request. Clicking this button launches the Desktop Player (minimum version supported is 1.11.15) allowing you to follow an active session.

    For details on using the Desktop Player, go to One Identity Safeguard for Privileged Sessions - Technical Documentation. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.

  • Terminate Live Session: Select to close the live session for the selected session request.
  • Close Request: Select to retract the selected access request.
  • Export: Select to create a .csv or .json file of the currently displayed access request grid and save it to a location of your choice. The time is set according to the user time zone.

  • Columns: Select to display a list of columns that can be displayed in the grid. Select the check box for data to be included in the grid. Clear the check box for data to be excluded from the grid.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating