Welcome to the One Identity Safeguard for Privileged Sessions 5 F7 Administrator Guide!
This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (Safeguard for Privileged Sessions). Background information for the technology and concepts used by the product is also discussed.
This guide is a work-in-progress document with new versions appearing periodically.
The latest version of this document can be downloaded from the Safeguard for Privileged Sessions Documentation page.
When you have a cluster of nodes set up, you can now search all session data recorded by all nodes in the cluster on a single node. For details, see Searching session data on a central node in a cluster.
The RPC API is deprecated as of version 5 F7 of SPS and will be removed in an upcoming feature release. For details, see The Safeguard for Privileged Sessions RPC API.
When you have a set of two or more One Identity Safeguard for Privileged Sessions instances in your deployment, you now have the possibility to join them into a cluster, and manage them from one central location. You can monitor their status and update their configuration centrally. For details, see Managing Safeguard for Privileged Sessions clusters.
In the Search interface, it is now possible to use the flow view for a quick visualization of the session activities. For details, see Using the Search interface.
It is now possible to specify an accuracy level for Optical Character Recognition (OCR). For details, see Configuring the internal indexer.
It is now possible to specify the base DN of LDAP subtrees for users and for groups separately. Specifying a sufficiently narrow base for the LDAP subtrees can speed up LDAP operations. For details, see Managing Safeguard for Privileged Sessions users from an LDAP database and Authenticating users to an LDAP server.
You now have the option to configure connection policies with near real-time indexing priority, meaning that you can start indexing sessions while they are still ongoing. This requires that you configure your indexers with the appropriate settings and capabilities. For details, see Configuring the internal indexer and Configuring the external indexer.
It is now possible to use a hardware security module (HSM) or a smart card to store the decryption keys required for decrypting audit trails when using an external indexer. For details, see Indexing audit trails.
In the Search interface, it is now possible to display statistics, analyze data using Privileged Account Analytics, and use the timeline for a quick time range selection. For details, see Using the Search interface.
The documentation of the obsolete Audit Player application has been removed from the document. For the documentation of the Safeguard Desktop Player application, see Safeguard Desktop Player User Guide.
Using the Search interface has been added to the document.
Configuring RDP banners has been documented in Creating and editing protocol-level RDP settings.
The steps describing how to recover from a split brain situation have been clarified. For more information, see Troubleshooting Safeguard for Privileged Sessions.
The screenshots and descriptions in Troubleshooting Safeguard for Privileged Sessions have been updated.
The open source licenses that apply to certain components of Safeguard for Privileged Sessions have been consolidated into Third-party contributions.
The documentation of the obsolete Audit Player application has been moved to an appendix. For the documentation of the Safeguard Desktop Player application, see Safeguard Desktop Player User Guide.
Uploading decryption keys to the external indexer has been updated.
The RESTful API of Safeguard for Privileged Sessions has been enhanced with the following new functionality:
New content endpoint: /api/audit/sessions/<session-id>/content. It enables you to search in the contents of individual connections. For details, see "Searching in connection content" in the REST API Reference Guide.
Filter events: The filtering functionality is now also available on the /api/audit/sessions/<session-id>/events endpoint. You can now search in the events of individual connections. For more information, see "Session events" in the REST API Reference Guide.
In order to better integrate PSM with Privileged Account Analytics, some architectural changes have been introduced. For more information, see REST API Reference Guide.
Enabling TLS-encryption in an RDP connection policy has been simplified. When the connection is encrypted, Safeguard for Privileged Sessions has to show a certificate to the peer. You can define the type of certificate to show to the peers. For details, see Enabling TLS-encryption for RDP connections.
You can now configure the required minimum TLS version of the default web listener. The default setting is TLS 1.2. For details, see Configuring user and administrator login addresses.
You can now select the depth of indexing: lightweight or full indexing. Lightweight indexing is now enabled by default, so you only have to configure indexing if you want full indexing. Lightweight indexing is faster than full indexing, and indexes only Command and Window title events. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window). For details, see Configuring the internal indexer.
RDP 4 and RDP 5 have been removed from Creating and editing protocol-level RDP settings.
Plugin configuration files in debug bundle: When creating debug bundles for troubleshooting purposes, PSM now includes the configuration files of any plugins installed. For details, see "Collecting logs and system information for error reporting" in the Administration Guide.
Added description of scbAMQPError to Basic settings.
In addition to displaying upgrade logs and boot messages on the local console, Safeguard for Privileged Sessions now shows information about the upgrade and reboot processes on the web interface, too. For details, see Managing Safeguard for Privileged Sessions.
You can now configure Certificate Revocation Lists (CRLs) to be included in certificates. For further details, see Signing certificates on-the-fly.
Added description of how to configure the IPMI interface from the BIOS. For details, see Configuring the IPMI interface from the BIOS and Configuring the IPMI interface from the BIOS after losing IPMI password.
Added a section explaining the limitations of using the TN5250 protocol with IBM iSeries Access for Windows. For detailed information, see Limitations of using TN5250 protocol with IBM iSeries Access for Windows.
Added explanation of why audit trails could have the Indexing (queued / all) status in the Waiting for processing section. For more information, see Indexing audit trails.
It is now possible to create customized configuration instances of Credential Store and Authentication and Authorization (AA) plugins if the plugin .zip file includes an optional sample configuration file. For more information, see Using a custom Credential Store plugin to authenticate on the target hosts and Authorizing connections to the target hosts with a Safeguard for Privileged Sessions plugin.
You can now customize the configuration of the syslog-ng application that is running on Safeguard for Privileged Sessions. For details, see Customize system logging in Safeguard for Privileged Sessions.
Any feedback is greatly appreciated, especially on what else this document should cover. General comments, errors found in the text, and any suggestions about how to improve the documentation are welcome at firstname.lastname@example.org.