Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.7.0 - Release Notes

Release Notes

One Identity Safeguard for Privileged Sessions 5.7

Release Notes

November 2018

These release notes provide information about the One Identity Safeguard for Privileged Sessions release.


About this release

Welcome to One Identity Safeguard for Privileged Sessions. This document describes what is new in the latest version of One Identity Safeguard for Privileged Sessions (SPS).

Upgrade to the new release

This is a feature release, which means that it will be supported for 6 months after the release date or 2 months after the release of a succeeding feature release (whichever date is later). It also means that if you are running a previous feature release (such as versions 5 F1 or 5 F2), you have 2 months to upgrade to version 5 F7 if you want to keep running on a supported release.

For a full description of stable and feature releases, open the SPS product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.

Who should upgrade

We recommend you to upgrade to SPS 5 F7, if you are not running SPS on Pyramid hardware and any of the following is true:


Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later feature releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create debug bundle for support ticket, click Create and save debug bundle from current system state, and save the file.

  3. Open a ticket at

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • You wish to take advantage of any of the new features.

  • You are running a previous feature release.

  • You are OK with having to continuously upgrade to the latest feature release to remain supported.

    We are releasing new feature releases approximately once every 2 months.


Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 4.0) to a feature release (4.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 5.0) is published.

How to upgrade

For step-by-step instructions on upgrading to SPS 5 F7 see Upgrade Guide guide.

New Features

Search queries and statistics as custom report subchapters

It is now possible to turn any search query or statistics into a subchapter that can be included in reports. You can define reports about the monitored traffic in a more flexible and easy-to-use way than was possible before. For details, see "Creating report subchapters from search queries" in the Administration Guide.

Improvements to central configuration management

Starting with version 5 F6, it became possible to join multiple SPS nodes into a cluster, monitor their status, and update their configuration from a central location. In this new version, this feature was improved in a number of ways:

  • You can now promote a node to become the Central Management node and join additional nodes to the cluster using the web interface of One Identity Safeguard for Privileged Sessions. Previously, building a cluster was only possible through the REST API.
  • When building a cluster, using the REST API, you can now query the join status of nodes to find out whether or not particular nodes have been joined to a cluster.
  • When using a configuration synchronization plugin, it is now possible to enable the plugin through the web interface. Previously, this was also only possible through the REST API.
  • SPS now also provides information about the status of configuration synchronization.
  • When you want to create a backup or archive policy on SPS instances that are nodes in a cluster, you can choose to include the node ID in the path to the relevant directory name to prevent cluster nodes from backing up data to the same location, and so overwriting each other's data. For details, see "Data and configuration backups" in the Administration Guide and "Archiving and cleanup" in the Administration Guide.
  • When querying the status of all nodes or one particular node using the /api/cluster/status endpoint, the response now contains the hash of the latest downloaded configuration file (downloaded_xml_hash) that the nodes used for configuration synchronization.

Note that the cluster management feature is currently in an experimental status: consult your Support representative before enabling it.

For details, see "Managing Safeguard for Privileged Sessions clusters" in the Administration Guide and "Manage Safeguard for Privileged Sessions clusters" in the REST API Reference Guide.

Improvements to command algorithm

The command algorithm of One Identity Safeguard for Privileged Analytics has been improved significantly. Previously, the algorithm only analyzed users' activities separately for each user. Starting with this version, we also check if a command is issued frequently on the given server or globally by the majority of the users to improve the false positive rate.

For details on how to analyze user behavior with the help of algorithms, see "Analyzing data using One Identity Safeguard for Privileged Analytics" in the Administration Guide.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

REST API improvements
  • When querying the /api/info endpoint, the response now contains the hash of the XML database (config_hash) running on a given SPS host.

For details, see "Retrieve basic firmware and host information" in the REST API Reference Guide.


All Plugins have been updated to work with One Identity Safeguard for Privileged Sessions version 5.7.0.

  • The Duo Multi-Factor Authentication plugin has been updated for Duo Client version 3.3.0.
  • A new Credential Store plugin is available for Safeguard for Privileged Passwords.
  • A new Log Adapter plugin is available for SSHD application logs.
Other changes
Free 2-month trial of One Identity Safeguard for Privileged Analytics available for all users

You can now enable One Identity Safeguard for Privileged Analytics for free for 60 days on your SPS host to gain insight into what your users are doing, and how risky their actions are.

For details, see Safeguard for Privileged Analytics Configuration Guide.

Resolved Issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues
Resolved Issue Issue ID
Binary traffic on SSH session-exec channel could cause indexer generate huge amount of command and screen content garbage. PAM-5703
PSM cannot operate with less than 4 network interfaces attached PAM-5467

When the 'Report status' ACL is enabled for a group in the 'AAA > Access Control' menu on an SCB 3 F5, upgrading to SCB 4LTS (or newer versions) will display this entry as

'!!! Invalid ACL entry !!!'.

RDP user credentials could appear in logs with increased log levels PAM-5388
Possible RDP authentication failure when Network Level Authentication is enabled PAM-5091
Committing on the Channel Policies page erases the network settings of channel policies PAM-4910
Unnecessary spoofing alerts while using the product behind load-balanced HTTP proxies PAM-4241
Accessing the Basic Settings page emits a log message if the license does not have the HA license option PAM-4177
Confusing warning message when stopping a proxy service PAM-4122
Bogus sessions visible on the new search UI for some RDP sessions PAM-3979
Table 2: [Configuration synchronization] resolved isues
Resolved Issue Issue ID
The configuration sync plugin is not executed PAM-5748
Cluster management: configuration synchronization fails due to validation warning PAM-5701
Web UI unusable after firmware upgrade on a PSM with managed-host role PAM-5583
Configuration synchronization removed AA plugins and Credential Store plugins on the managed host of a cluster PAM-5546
Table 3: [Upgrade] resolved isues
Resolved Issue Issue ID
Downgrading the appliance between certain versions can make it unable to boot PAM-5163
Progress of database upgrade is not visible on the console during upgrade PAM-5100
Failed plugin uploads can prevent later upgrades PAM-5395
Check if the secondary HA node is down before upgrade PAM-3549
Table 4: [Replaying audit trails] resolved isues
Resolved Issue Issue ID
Online player does not highlight events properly PAM-5406
Balabit Desktop Player now supports Apple Remote Desktop with RFB 3.889 PAM-4683
Table 5: [Plugins] resolved isues
Resolved Issue Issue ID
Change default Starling plugin configuration to Active Directory PAM-6103
Starling plugin does not fill in push details correctly PAM-6092
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating