Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Add Condition (asset discovery)

An Asset Discovery rule can have more than one condition, and each condition can have one or more constraints. When Safeguard for Privileged Passwords runs the discovery job, it finds all assets that meet all of the search conditions.

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job > Asset Discovery Rules > (add asset discovery rule) > New Asset Discovery Rule > Conditions > (add condition).

To add Find All condition

  1. In the Condition dialog, in Find By, choose Find All.

    • If you are setting up an Asset Discovery job for a directory, Browse the Filter Search Location to select a container within the directory to search for assets. Select Include objects from sub containers to include objects from sub containers or clear the check box to exclude child objects from discovery.

    • If you are setting up an Asset Discovery job for an asset, you can limit the search to selected ESX hosts (if using the VCenter platform), and/or virtual machines that are currently running.

  2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  3. Click OK.

To add LDAP Filter (for LDAP or Active Directory) condition

Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).

  1. In the Condition dialog:

    1. Find By: Choose LDAP Filter and enter the search criteria to be used.

    2. Filter Search Location: Browse to select a container within the directory to search for assets.

      TIP: Do not select the Directory Root for Asset Discovery jobs.

    3. Include objects from sub containers: Optionally, select this check box to search for assets in sub-containers.

  2. Click Preview to test the conditions you have configured.

  3. Click OK to save your selections.

To add Group for a Directory condition

This condition is only available for a Directory discovery job.

  1. In the Condition dialog:

    1. Find By: Choose Group.

    2. Click Add to launch the Group dialog.

    3. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

    4. Filter Search Location: Browse to select a container to search within the directory.

    5. Include objects from sub containers: Select this check box to include child objects.

    6. Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.

  2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  3. Click OK to save your selections.

To add Constraints condition

  1. In the Condition dialog, in Find By, choose Constraints.

  2. To change the Filter Search Location, click Browse and select the search location that is the scope of the search. Network Scan Asset Discovery jobs don't support the search bases settings.

  3. To apply constraints (search criteria):

    1. Select a property:

      • Name

      • Description

      • Network Address

      • Operating System

      • Operating System Version

      NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.

    2. Select an operator:

      • Equals

      • Does Not Equal

      • Starts With

      • Ends With

      • Contains

      • Does Not Contain

    3. In the Value field, type a value of up to 255 characters. The search is not case-sensitive and does not allow wild cards.

  4. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  5. You can add or delete search constraints:

    1. Click Add to additional constraints to your search criteria.

    2. Click Delete to remove the corresponding constraint from your search criteria.

  6. Click OK to save your selections.

Edit Connection Template (asset discovery)

You can change how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets. The default Connection Template is None, meaning assets are authenticated manually.

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job dialog > Asset Discovery Rules tab > (add asset discovery rule) > New Asset Discovery Rule dialog > Connection Template tab

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To edit connection template information

  1. Navigate to the New Asset Discovery Rule dialog, and open the Connection Template tab.

  2. In the Connection Template tab, Use Discovered Platform is selected by default. By deselecting this option, you can select a different platform using the Platform field and may need to completed additional information based on the product selected.

  3. Select an Authentication Type and complete the information required for your selection.

    • SSH Key: To authenticate to the asset using an SSH authentication key, select the SSH Key Generation and Deployment Settings:

      • Automatically Generate and deploy a new SSH Key: Select this option to generate and deploy a new SSH authentication key.

      • Automatically Generate a new SSH Key that I will deploy myself: Select this option to generate the SSH authentication key and manually append this public key to the authorized keys file on the managed system for the service account. For more information, see For more information, see Downloading a public SSH key..

        NOTE:The SSH authentication key becomes available after Safeguard for Privileged Passwords creates the asset. If you do not select this option, Safeguard for Privileged Passwords automatically installs the SSH authentication key. If you do select this option, Safeguard for Privileged Passwords creates the key and associates it with the Safeguard for Privileged Passwords asset you are creating, but it does not install it on the managed system for you.

      • Import an SSH Key that I will deploy myself: Select this option, then Browse to import an SSH authentication key and enter the Password. The private key will be associated with the service account.

        NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

      • The following display based on whether you are generating or importing the SSH key:

        • SSH Key: (Import) Click Browse to select the SSH key to import. On the Import SSH Key dialog, browse for the Private Key File and enter the Password.

        • Key Comment: Enter a meaningful comment. If left blank, the comment will default to Generated by Safeguard.

        • Service Account Name: Enter the name of the service account.

        • Password: (Automatic generation) Enter the password.

        • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

        • Service Account SSH Key Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.

      • Account Name: Click Browse to choose the directory account.

      • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Password: To authenticate to the assets using a local service account and password.

      • Account Name and Password: Enter these values.

      • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Starling Connect: To authenticate to the assets using Starling Connect.

      • Account Name and Password: Enter these values.

    • None: The accounts associated with the asset are not managed and no asset related credentials are stored.

  4. The following information may be needed, based on the Authentication Type selected.

    • Login with service account name only: Selecting this option will allow Safeguard for Privileged Passwords to login the asset using only the service account name. The domain will not be used.

    • Privilege Elevation Command:

      If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

      Sudo commands follow.

      • AuthorizedKeyCommand
      Specify a program to look up the user's public keys
      • cat
      • chmod
      • chown
      • cp
      • echo
      • egrep
      • find
      • grep
      • host
      • ls
      • mkdir
      • mv
      • rm
      • sed
      • sshd
      • ssh-keygen
      • tee
      • test
      • touch
      • usermod

      When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection..

      The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

      The limit is 255 characters.

    • Port: Enter the port number for the connection.
    • Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.

      • RDP Port: Specify the access port on the target server to be used for RDP session requests.

      • SSH Port: Specify the access port on the target server to be used for SSH session requests.

    • Connection Timeout: Enter how long to wait (in seconds) for both the connect and command timeout.

    • Privilege Level Password: Enter the system enable password to allow access to the configuration.

    • Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).

    • Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL.

    • Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.certificate in Safeguard for Privileged Passwords's Trusted CA Certificates store. One Identity does not recommend disabling this option in production environments.

    • Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.

    • Instance/Service Name: For SQL Server platforms, specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

      For Oracle platforms, use the TNSNAMES naming method to identify the target system in Oracle. Depending on how the Oracle environment is configured, the Instance (also called SID in Oracle) and/or the Service Name (ServiceName) can be used to identify the target database.

  5. Click OK.

  6. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.

Add Asset Profile (asset discovery)

During Asset Discovery, Safeguard for Privileged Passwords automatically adds the assets that it finds and begins to manage them according to the settings in the asset profile you set on the Rules tab.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job dialog > Asset Discovery Rules tab > (add asset discovery rule) > New Asset Discovery Rule dialog > Management tab

To edit the asset profile information

  1. On the Management tab of the New Asset Discovery Rule dialog, next to Password Profile, click Browse.

  2. Select a profile to govern the discovered assets.

    NOTE: You can only choose a profile that is associated with the partition selected in the General tab (asset discovery).

  3. Click Select Password Profile to save your selection.
  4. On the New Asset Discovery Rule dialog, next to SSH Key Profile, click Browse.

  5. Select an SSH key profile to govern the discovered assets.

    NOTE: You can only choose a profile that is associated with the partition selected in the General tab (asset discovery).

  6. Click Select SSH Key Profile to save your selection.
  7. On the New Asset Discovery Rule dialog, next to Account Discovery Job, click Browse.

  8. Select account discovery job(s) for the discovered assets. Your selection(s) will automatically be saved.

    NOTE: You can only choose a profile that is associated with the partition selected in the General tab (asset discovery).

  9. Once your selections have been made, exit the Select the Account Discovery Job dialog.
  10. On the New Asset Discovery Rule dialog, use the Managed Network drop-down to select which network to use.

Schedule tab (asset discovery)

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit a Asset Discovery job).

On the Schedule tab, configure when you want to run the Asset Discovery job.

Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)

  • Select a time frame:

    • Never: The job will not run according to a set schedule. You can still manually run the job.
    • Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
    • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.

    • Days: The job runs on the frequency of days and the time you enter.

      For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.

    • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

      For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

    • Months: The job runs on the frequency of months at the time and on the day you specify.

      For example, If you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.

  • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

    For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

    Enter Run Every 10/Minutes and set Use Time Windows:

    • Start 10:00:00 PM and End 11:59:00 PM
    • Start 12:00:00 AM and End 2:00:00 AM

      An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

    If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

    For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

    For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating