Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - User Guide

Privileged access requests

One Identity Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.

In order for a request to progress through the workflow process, authorized users perform assigned tasks. These tasks are performed from the user's Home page.

As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, an Administrator can set up alerts to be sent to users when there are pending tasks needing attention. For more information, see Configuring alerts..

The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:

  • Requesters see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).

    Requesters can also define favorite requests, which may appear on their Home page and My Requests page for subsequent use.

  • Approvers see tasks related to approving (or denying) and revoking access requests.
  • Reviewers see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.

The following three workflows are available:

Configuring alerts

All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.

Email notifications

You must configure One Identity Safeguard for Privileged Passwords properly for users to receive email notifications:

  • For Local users, you must set your email address correctly in My Settings. For more information, see My Settings.
  • For Directory users, set your email correctly in the directory where your user resides.
  • The Security Policy Administrator must configure the access request policies to notify people of pending access workflow events (that is, pending approvals and pending reviews). For more information, see Creating an access request policy.
  • Contact your Security Policy Administrator to ensure the access request policies are configured to notify people of pending access workflow events.
  • The Appliance Administrator must configure the SMTP server. For more information, see Enabling email notifications.
  • Contact your Appliance Administrator to ensure the SMTP server is configured for email notifications.
Role-based email notifications generated by default

One Identity Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.

NOTE: Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:

POST /service/core/v3/Me/Subscribers/{id}/Disable

In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:

POST /service/core/v3/EventSubscribers

Password release request workflow

One Identity Safeguard for Privileged Passwords provides secure control of managed accounts by storing account passwords until they are needed, and releases them only to authorized persons. Then, Safeguard for Privileged Passwords automatically updates the account passwords based on configurable parameters.

Typically, a password release request follows this workflow.

  1. Request: Users that are designated as an authorized user of an entitlement can request passwords for any account in the scope of that entitlement's policies.
  2. Approve: Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.
  3. Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating