
One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide


Certificates Toolbar

  • Upload Certificate: Add an existing certificate, or redeem or fulfill a pending certificate signing request (CSR).

  • Delete Selected: Delete the selected certificate from SPP.

  • Edit: Modify the selected certificate.

  • Download Certificate: Download the selected certificate.

  • Replace Certificate: Replace the current certificate with another certificate. This preserves the other properties and information on the certificate item, such as the users it is shared with. The replaced certificate is stored in the history.

  • History: Check the history of the selected certificate.

  • Refresh: Update the list of certificates.

  • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute, click Search and select an attribute to search. For more information, see Search box.

Enterprise Password Vault

Like the Personal password vault, the Enterprise Password Vault gives users a protected place to store and manage passwords, but it adds more capabilities. The Enterprise Password Vault requires the purchase of an additional license to activate. Users must then be granted the Enterprise Vault permission. If you currently use the free Personal password vault, after adding the license to SPP, any users granted that permission will automatically be updated and granted permission to the Enterprise Vault.

Capabilities include:

  • Users can use the Safeguard Enterprise Password Vault browser extension, which provides easy access to the username and password information for websites without opening the SPP web client.

  • Users can store any number of passwords, set optional expiration dates, and share passwords.

  • Users can set a time-based one-time password (TOTP) authenticator.

  • Users have a history of personal password changes. This is handy if the user changes the password in the vault but not on the target account or if the user needs to work from a backup.

  • Users can share a password with multiple users and groups. For example, when one person owns an account used by a team, they can give coworkers access to a password.

  • Users can store passwords in an organization-sanctioned and controlled tool.

  • Passwords are secured and encrypted within SPP, not on the user's personal machine. In addition, they are stored separately from other SPP-managed account passwords.

  • Administrators can recover passwords of a disabled user by reassigning them to a new user.

  • The Enterprise Password Vault audits the retrieval and change of passwords so administrators know when users pulled information from the vault.

IMPORTANT: The Enterprise Vault permission, like any other permission, can be set explicitly on a user or inherited from a Directory Group. If a user with the Enterprise Vault permission stores one or more passwords and then later has the permission revoked, either explicitly or by having been removed from all Directory Groups from which they inherited it, the user will no longer be able to access Enterprise Vault features, but the user’s data within the vault will still be maintained. If at any point the user is granted the Enterprise Vault permission again, they regain access to all of their existing data.

For more information, see Permissions tab (add user).

The Enterprise Vault page toolbar functions follow.

Table 226: Enterprise Vault: Toolbar

  • New: Add an entry to the Enterprise Password Vault.

  • Remove: Remove one or more selected entries from the Enterprise Password Vault. After an entry is removed, you will not have access to the credentials.

  • Refresh: Refresh the list of entries.

  • Edit: Modify the selected entry.

  • Stop Sharing: Select one or more entries and click Stop Sharing.

    NOTE: Only the owner of the entry can stop all sharing.

  • Copy Account Name: Copy the account name of the selected entry.

  • Copy: Copy the password of the selected entry.

  • Open URL: Click to open the URL web address entered when the password was added or edited.

  • Browser Extension: Click to get the Safeguard Enterprise Password Vault browser extension from the Chrome Web Store or to download it from the web client.

  • Import: Click to open a drop-down and import password data in a CSV file from different password manager applications. To import a CSV file containing the fields of the Enterprise Password Vault account(s), click Import CSV.

    TIP: To check what information is required in the CSV file, click Download Template. Fields Name and AccountName are mandatory.

    The Download Template option is only available for Import CSV.

  • Export: Click to open a drop-down and export the password data of the selected Enterprise Password Vault entry to a CSV or JSON file. For more information, see Exporting data.

    TIP: To specify which fields to export, click Fields, select the fields to be included in the export file, and click OK. You can also sort and limit the results.

  • Columns: Click to select the columns you want to display.

    NOTE: The following columns are not displayed by default:

    • URL: The URL the credential applies to.

    • Notes: The notes added to the entry.

  • Search: Click to see a list of searchable elements, or enter search characters. For more information, see Search box.
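A pre-import check for the Import CSV option described in the toolbar above, as an added example that is not One Identity code: it confirms that the mandatory Name and AccountName fields are present and filled in and, as an assumption, applies the 2000-character Notes limit from the entry-creation steps to a column assumed to be named Notes. Problems are reported by record number only, so the plaintext passwords in the file never reach a terminal or log.

```python
import csv
import io

MANDATORY = ("Name", "AccountName")  # the two fields the page states are mandatory
NOTES_COLUMN = "Notes"               # assumed column name; confirm in the template
NOTES_LIMIT = 2000                   # Notes limit given in the entry-creation steps

def check_import_csv(text):
    """Return (record_number, problem) tuples; cell values are never echoed,
    because the file holds plaintext credentials."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a UTF-8 BOM
    header = reader.fieldnames or []
    problems = [(1, f"missing column {c}") for c in MANDATORY if c not in header]
    if problems:
        return problems
    for record_no, row in enumerate(reader, start=2):  # the header is record 1
        for col in MANDATORY:
            if not (row.get(col) or "").strip():
                problems.append((record_no, f"empty {col}"))
        if len(row.get(NOTES_COLUMN) or "") > NOTES_LIMIT:
            problems.append((record_no, f"{NOTES_COLUMN} over {NOTES_LIMIT} characters"))
    return problems

# Constructed sample; the Password column name and all values are made up.
SAMPLE = (
    "\ufeffName,AccountName,Password,Notes\n"
    "Company X (Twitter),social-team,constructed-secret-1,Shared by marketing\n"
    "Build server,,constructed-secret-2,\n"
    "  ,deploy,constructed-secret-3," + "x" * 2001 + "\n"
)

if __name__ == "__main__":
    for record_no, problem in check_import_csv(SAMPLE):
        print(f"record {record_no}: {problem}")
```

Compare the header against the file from Download Template before relying on the Notes check, and delete the CSV once the import has succeeded.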

The grid displays entry details for various applications and systems.

Table 227: Enterprise Vault: grid

  • Name: A meaningful name given to the application or account to access, for example Company X (Twitter).

  • Account Name: The user name used for logon authentication.

  • URL: The URL the credential applies to. This column is not displayed by default.

  • Notes: The notes added to the entry. This column is not displayed by default.

  • Expires: The date the credential expires.

  • Shared: Shows if the credential is shared. Click the filter to filter based on whether the credential is shared or not.

    • true if the credential is shared with at least one user and/or user group.

    • false if the credential is not shared with a user or user group.

  • Owner: The owner of the Enterprise Password Vault entry.

For more information on managing the Enterprise Password Vault, see the following sections:

Creating an Enterprise Password Vault entry

Use the Enterprise Vault page of the SPP web client to create a new Enterprise Password Vault entry.

NOTE: You cannot add any credential information, that is, set a new password or TOTP authenticator, until the vault entry has been created.

To create an Enterprise Password Vault entry

  1. On the Enterprise Vault page, click New Entry.

  2. Enter the following values.

    1. Name: Enter a meaningful name for the application or account to access, for example Company X (Twitter).

    2. Account Name: Enter the user name you use to log on for authentication.

    3. URL: Enter the web address of the application or system, for example, Amazon.com. Click Open URL to test the link. You can also Copy the URL.

    4. Notes: Enter any free form notes that are helpful for you or for the person with whom you may share the password. You can also use Notes for information about an application or system, such as certifications or keys. The limit is 2000 characters.

    5. (Optional) One Identity recommends that you set an expiration date to protect your access.

      Select Have the Entry Expire on Date, and in Expires, set an expiration date. You can enter the date, click the calendar to select a date, or click Sharing Expires to select a week or month interval.

  3. Click OK.

Sharing your Enterprise Password Vault with another user or user group

Use the Enterprise Vault page of the SPP web client to share your Enterprise Password Vault with another user or user group.

To share your Enterprise Password Vault with another user or user group

  1. On the Enterprise Vault page, select an entry to share.

  2. Double-click the entry or click Edit Entry and navigate to the Sharing tab.

  3. On the Sharing tab, click New Share.

  4. On the Share Credentials dialog, users and groups are available including their Display Name, Domain, and Email Address.

    Select users or user groups. To search for a user or user group, enter a value in the Search text box or click the icon then make a selection to search by Domain, Display Name, or Email Address. Enter the first letters of the value to display the matches and select the user or user group.

    NOTE: You can share credentials with any user or group, but they will only have access to the vault if an administrator gives them the Enterprise Vault permission. For more information, see Permissions tab (add user) and Properties tab (user groups).

  5. (Optional) Set the sharing end date, which must be between one day and one year. In Stop Sharing, enter the date, click the calendar and select the date, or click Sharing Expires to select a week or month interval. The secrets will not be available to the user on that date.

  6. Click Save.

To stop sharing your Enterprise Password Vault with a single user or user group

  1. On the Enterprise Vault grid, the Shared column displays true if you are sharing the credential.

  2. Select the vault entry that you want to stop sharing with a single user or user group.

  3. Double-click the entry or click Edit Entry, and navigate to the Sharing tab.

  4. Select the user or user group that you want to stop sharing with, and click Stop Sharing.

To stop sharing your Enterprise Password Vault with all users and user groups

  1. On the Enterprise Vault grid, the Shared column displays true if you are sharing the credential.

  2. Select the entry that you want to stop sharing.

  3. Click Stop Sharing. The Stop Sharing dialog displays as a warning.

  4. Click Stop Sharing. This will stop sharing with all users and user groups.
