Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Entitlements

A Safeguard for Privileged Passwords entitlement is a set of access request policies that restrict system access to authorized users. Typically, you create entitlements for various job functions; that is, you assign permissions to perform certain operations to specific roles such as Help Desk Administrator, Unix Administrator, or Oracle Administrator. Password and SSH key release entitlements consist of users, user groups, and access request policies. Session access request entitlements consist of users, user groups, assets, asset groups, and access request policies. API Key release entitlements consist of accounts and account groups.

The Auditor and the Security Policy Administrator have permission to access Entitlements. An administrator creates an entitlement, then creates one or more access request policies associated with the entitlement, and finally adds users or user groups.

Go to Entitlements:

  • web client: Navigate to Security Policy Management > Entitlements

If there are one or more invalid or expired policies, a Warning and message (for example, Entitlement contains at least one invalid policy) displays. Go to the Access Request Policy tab to identify the invalid policy. For more information, see Access Request Policies tab (entitlements)..

The Entitlements view displays the following information:

  • General tab (entitlements): Displays the general and time restriction settings information for the selected entitlement.
  • Users tab (entitlements): Displays the user groups or users who are authorized to request access to the accounts or assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a SPS link and was assigned and used by a Sessions Appliance. The certificate users created during the link can be added to the Users tab but are not there by default.
  • Access Request Policies tab (entitlements): Displays the access request policies that govern the accounts or assets in the selected entitlement, including session access policies.
  • History tab (entitlements): Displays the details of each operation that has affected the selected entitlement.

Use these toolbar buttons to manage entitlements.

  • New Entitlement: add entitlements to Safeguard for Privileged Passwords. For more information, see Adding an entitlement.
  • Delete: Remove the selected entitlement. For more information, see Deleting an entitlement..
  • Edit: Select an entitlement then click this button to open additional information and options for the asset.

  • Create a New Entitlement from the Selected Row: Select an entitlement then click this button to duplicate the entitlement.

  • Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

  • Refresh: Update the list of entitlements.
  • Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box.

General tab (entitlements)

To access General:

  • web client: Navigate to Security Policy Management > Entitlements > (New Entitlement) or (Edit) > General.

The General tab lists information about the selected entitlement.

  • Name: The entitlement name.

  • Description: Information about the selected entitlement.

  • Priority: A unique number that determines the processing order of the entitlement in relation to other entitlements. For more information, see How Safeguard for Privileged Passwords evaluates policy when a user submits an access request..

  • Have the Entitlement Expire on Date and Time: Select this option to enforce an expiration date, then enter the date and time.

    When an entitlement expires, all the access request policies associated with the entitlement also expire. To set an expiration date on a policy, see Creating an access request policy.

  • Use Time Windows: Select this option to enforce time windows.

    Select and drag to highlight the hours you want to allow. Colored tiles are blocked times. Clear are available times.

Users tab (entitlements)

The Users tab displays the users and user groups who are authorized to request access for the accounts and assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a SPS link and was assigned and used by a Sessions Appliance. The certificate users created during the link can be added to the Users tab but are not there by default.

To access General:

  • web client: Navigate to Security Policy Management > Entitlements > (edit) > Users.

Click Add Users or Add User Groups from the details toolbar to add one or more requester users or user groups to the selected entitlement.

Table 201: Entitlements: User tab properties
Property Description
Type

Type of member:

  • Group
  • User
Display Name Display name of the user or user group included in the selected entitlement.

Username

Name of the user or user group included in the selected entitlement.

Provider

The name of the authentication provider:

  • Local
  • Certificate
  • The name of an external provider such as a Microsoft Active Directory domain name.

Use these buttons on the details toolbar to manage the requester users associated with the selected entitlement.

Table 202: Entitlements: Users tab toolbar
Option Description

Add Users or Add User Groups

Add a requester user group or requester user to the entitlement. For more information, see Adding users or user groups to an entitlement..

Delete

Remove the selected user or user group from the entitlement.

Export

Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

Search (case sensitive)

To locate a specific user (or user group) or set of users (or user groups) in this list, enter the character string to be used to search for a match. For more information, see Search box..

Access Request Policies tab (entitlements)

The Access Request Policies tab displays the password and SSH key request policies that govern the accounts in the selected entitlement.

To access Access Request Policies:

  • web client: Navigate to Security Policy Management > Entitlements > (Edit) > Access Request Policies.

IMPORTANT: The selection made on the Entitlement > Access Request Policy tab takes precedence over the selections on Appliance Management > Cluster > Managed Networks page. If a Managed Networks rule includes nodes from different SPS clusters, Safeguard for Privileged Passwords will only select the nodes from the same cluster that was assigned on the Session Settings page of the Access Request Policy tab.

Click New Access Policy from the details toolbar to add a policy to the selected entitlement.

Use these buttons on the details toolbar to manage your access request policies.

Table 203: Entitlements: Access Request Policies tab toolbar
Option Description

New Access Policy

Add an access request policy to the selected entitlement. For more information, see Creating an access request policy.

Delete

Remove the selected policy from the selected entitlement. For more information, see Deleting an access request policy..

Edit

Modify the selected policy. For more information, see Modifying an access request policy..

Create a New Access Policy from the Selected Row

Make a copy of the selected policy. For more information, see Copying an access request policy..

Import Access Policies from Other Entitlements

Import an access policy that was configured for a different entitlement.

Export

Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.

Search (case insensitive)

To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box..

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating