Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.5.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Security tab (create access request policy)

Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.

Navigate to:

  • web client: Security Policy Management > Entitlements > Access Request Policies > (create or edit a policy)
Table 210: Access Request Policy: Access Config tab properties

Property

Description

Include Password Release with Sessions Requests

If Access Type is RDP, SSH, or Telnet, select this check box to include a password release with session access requests.

Include SSH Key Release with Sessions Requests

If Access Type is RDP, SSH, or Telnet, select this check box to include an SSH Key release with session access requests.

Close Expired Sessions

If Access Type is RDP, SSH, or Telnet, select this check box to close sessions that have expired.

Change Password After Check-in

Select this check box if the password is to be changed after the user checks it back in. This check box is selected by default.

Change SSH Key After Check-in

Select this check box if the SSH key is to be changed after the user checks it back in. This check box is selected by default.

Passphrase Protect SSH Key

If Access Type is SSH Key, select this check box to require a passphrase for the SSH key.

Allow Simultaneous Access

Select this check box to allow multiple users access to the accounts and assets governed by this policy. Use the next check box to identify how many users can have access at once.

Maximum Users at One Time

When the Allow Simultaneous Access option is selected, enter the maximum number of users that can request access at one time.

Show Remote Desktop Wallpaper Background

Select this check box to have Remote Desktop (RDP) session requests include a client setting allowing for desktop wallpaper to be displayed. This check box is cleared by default.

NOTE: This option affects the client side RDP setting only. The server may have a Group Policy Object (GPO) that overrides the client setting. Other things may also override the result, depending on how the RDP connection information is used and made.

Asset-Based Session Access

If Access Type is RDP, RDP Application, SSH, or Telnet, select one of the following options to define the type of account credentials to be used to access any of the assets defined in the policy scope, in addition to the accounts defined in the policy scope when a session is requested:

  • None: (Default) The credentials are retrieved from the vault when the session is requested.
  • User Supplied: (Only RDP, SSH, or Telnet) The requester user must provide the credentials when the session is requested.
  • Linked Account: The requester user's account is linked to a directory account that will be used when the session is requested.
    • Enable scope filtering for linked accounts: When selected, this setting allows you to limit the number of requestable accounts to linked accounts that are also defined in the policy scope.

      NOTE: If the policy scope includes only assets/asset groups and no accounts, then the scope filtering setting has no effect, and the policy is available to all of the linked directory accounts on each scoped policy asset.

  • Directory Account: Use the Browse button to select one or more directory accounts to be used when the session is requested.

    If the Directory Account was migrated from an SPP version prior to 2.7, the directory account identifier may be blank, because earlier SPP versions understood only one assignment and version 2.7 results in multiple assignments.

Allow Password Access to Linked Accounts

If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user’s linked account is governed by the other configurations defined in this policy.

Additionally, Enable scope filtering for linked accounts can be selected in order to limit the number of requestable accounts to linked accounts that are also defined in the scope.

SPS Connection Policy

Use this drop-down to select a SPS connection policy to use with the access request policy.

RDP Host Asset

If Access Type is RDP Application, use the Browse button associated with this field to select the asset configured to connect with the Windows Application Server.

Require Host Account

If Access Type is RDP Application, select this checkbox and then click Browse to locate the host account to use. When deselected, you will be prompted for the information when the session is initialized.

Application Display Name

If Access Type is RDP Application, this is the display name for the application that was provided when the remote application was published on the Windows application server.

Use Application Alias

If Access Type is RDP Application, this is the alias name defined when the remote application was published on the Windows application server. Ensure the full alias path is used, including the two vertical bars before the alias name (for example, ||OISGRemoteAppLauncher).

If this option is used, the Use Application Path and Command Line option will not be available.

Use Application Path and Command Line

If Access Type is RDP Application, this option contains the following 2 fields:

  • Application Path (path to the remove application): Enter the full path of an application program relative to the Windows host it will be running on.

  • Application Command Line (parameters for the remote application): The Application Command Line contains the command line parameters to the application specified in the Application Path. The command line depends on the application. For example, some applications may require a set command line that will include the full path of the remote application along with its command line parameters while other applications may not require a set command line at all.

If this option is used, the Use Application Alias field will not be available.

Use Alternate Login Name

If this option is selected, the alternate login name for the account will be used.

Scope tab (create access request policy)

Use the Scope tab in the web client to assign accounts, account groups, assets, and asset groups to an access request policy.

To assign accounts, account groups, assets, and asset groups to an access request policy

  1. In the web client, navigate to Security Policy Management > Entitlements > Access Request Policies, then create or edit a policy.

  2. On the Scope tab:

    1. Click Add from the details toolbar and select one of the following options:

      • Add accounts to this policy

      • Add account groups to this policy

      • Add an asset to this policy

      • Add an asset group to this policy

    2. In the dialog, make a selection, and click OK.

      If you do not see the selection you are looking for, depending on your Administrator permissions, you can create it in the dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)

  3. Repeat step one to make additional selections. You can add multiple types of objects to a policy; however, you can only add one type of object, like an accounts or account group, at a time.

All of the selected objects appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click Delete.

Workflow tab (create access request policy)

In the web client, the Workflow tab is split in to three tabs that allow you to configure the requester, approver, and reviewer settings for an access request policy:

Navigate to:

  • web client: Security Policy Management > Entitlements > Access Request Policies > (create or edit a policy)
Requester tab

Use the Requester tab to specify the requester settings for an access request policy.

Table 211: Access Request Policy: Requester tab properties
Property Description
Duration of Access Approval

Enter or select the default duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy. The access duration cannot exceed a total of 31 days (44,640 minutes).

Allow Requester to Change Duration Select this check box to allow the requester the ability to modify the access duration.
Maximum Time Requester Can Have Access

If you select the Allow Requester to Change Duration option, you can set the maximum duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy.

The default access duration is seven days. The maximum access duration is 31 days.

The users can change the access duration, but they cannot access the accounts or assets governed by this policy for longer than the maximum access duration time.

Allow Emergency Access

Select this option to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access.

Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset.

Ignore Time Restrictions

Select this option to ignore time restrictions when a user requests emergency access. Clear this option if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period.

Notify When Account is Released with Emergency access | To

(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user.

You can enter email addresses for non-Safeguard for Privileged Passwords users.

To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts..

IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified..

Require Comment

Select this check box to require that a requester provide a Comment when making an access request.

Reasons

Click Add to add one or more reasons to the selected access request policy. Then, when requesting access to a password, SSH key, or a session, a user can select a predefined reason from a list. Click OK to add a reason.

NOTE: You must have reasons configured in Safeguard for Privileged Passwords to use this option. For more information, see Reasons.. If you do not see the reason you are looking for, you can create a reason from the Reasons dialog by clicking the New toolbar button.

Require Reason Code

Select this option to require that a requester provide a Reason when requesting access. This option is only available if you have selected Reasons for the policy.

If you add reasons to a policy, and leave this option cleared, the users will have the option of choosing a reason; but they will not be required to select a reason.

Approver tab

Use the Approver tab to specify the approver settings for an access request policy.

Table 212: Access Request Policy: Approver tab properties
Property Description

Auto-Approved

Select this option to automatically approve all access requests for accounts and assets governed by this policy.

Notify when Account is Auto-Approved | To

(Optional) When no approvals are required, enter an email address or select To to choose a user to notify when access is auto-approved.

If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts..

Approvals Required

Select this option to require approval for all access requests for accounts and assets governed by this policy. Enter the following information:

  • Qty: Enter or select the minimum number of approvals required from the selected users or user groups listed as Approvers.
  • Approvers: Browse to select one or more users or user groups who can approve access requests for accounts and assets governed by this policy.

    Click  Add an Approval Group or  Delete to add or remove approver sets.

    The order of the approver sets is not significant, but all requirements must be met; that is, a request must obtain the number of approvals from each approver set defined.

    The users you authorize as approvers receive alerts when an access request requires their approval if they have Safeguard for Privileged Passwords configured to send alerts.

    TIP: As a best practice, add user groups as approvers rather than individuals. This makes it possible to add an individual approver to a pending access request. In addition, you can modify an approvers list without editing the policy.

Notify if approvers have pending requests after

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before notifying the escalation notification contact list about pending approvals.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user. You can enter email addresses for non-Safeguard for Privileged Passwords users.

IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified..

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts..

Cloud Assistant has been enabled. View enabled users.

Indicates that Safeguard for Privileged Passwords is joined to Starling and registered as a sender with Cloud Assistant. Click the users link to view a list of the users who are authorized to approve requests using this feature.

You can add users as Cloud Assistant approvers by clicking the Add toolbar button in the Cloud Assistant Users dialog.

Reviewer tab

Use the Reviewer tab to specify the reviewer settings for an access request policy.

Table 213: Access Request Policy: Reviewer tab properties
Property Description

Review Not Required

This check box is selected by default, indicating that no review is required for completed access requests for accounts and assets governed by this policy.

Review Required

Select this check box to require a review of completed access requests for accounts and assets governed by this policy.

  • Qty: Enter or select the minimum number of people required to review a completed access request.
  • Browse to select one or more users or groups of users who can review access requests for accounts and assets governed by this policy.

A reviewer can only review an access request once it is completed.

The users you authorize as reviewers receive alerts when an access request requires their review if they have Safeguard for Privileged Passwords configured to send alerts.

TIP: As a best practice, add user groups as reviews rather than individuals. This makes it possible to add an individual reviewer to a pending access request. In addition, you can modify a reviewers list without editing the policy.

Require Comment

Select this check box if the reviewer is required to enter a comment when reviewing an access request.

Pending Reviews Do Not Block Access

Select this check box when you want to allow new access requests whether a prior request is approved or not approved. In other words, no requests will be blocked based on the approval status of a prior request.

Notify If Reviewers Have Pending Reviews After

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before reminding the escalation notification contact list about pending reviews.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user.

You can enter email addresses for non-Safeguard for Privileged Passwords users.

To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts..

IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified..

Adding users or user groups to an entitlement

When you add users to an entitlement, you are specifying which people can request passwords to the accounts governed by the selected entitlement's access request policies, or which people can request sessions for the accounts and assets governed by the selected entitlement's access request policies. A user can be a Sessions Appliance certificate user. For more information, see Session Appliances with SPS link..

It is the responsibility of the Security Policy Administrator to add users to entitlements. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions..

To add requester users to an entitlement

  1. Navigate to Security Policy Management > Entitlements.
  2. In Entitlements, select an entitlement from the list and click the Users tab.
  3. Click  Add Users or Add User Groups from the details toolbar.
  4. Select one or more users or user groups from the list in the Users or User Groups dialog.
  5. Click OK.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating