Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.5.0 - Release Notes

Release Notes

One Identity Safeguard for Privileged Sessions 6.5

Release Notes

March 2020

These release notes provide information about the One Identity Safeguard for Privileged Sessions 6.5 release.


About this release

One Identity Safeguard for Privileged Sessions Version 6.5 is a release with new features and resolved issues. For details, see:


For a full list of key features in One Identity Safeguard for Privileged Sessions, see Administration Guide.

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough Governance for privileged account

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

New features

New features in SPS version: 6.5:

Safeguard for Privileged Passwords (SPP) fetcher role

A new, experimental SPP fetcher role has been added to the Cluster management roles. It fetches the workflow from SPP. The fetched data can be viewed on the Search interface.


This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to

Audit data access rules

You can now restrict users to access audit data only for sessions for which they are granted permission.

Renaming of the AAA menu and submenus

The following menu items have been renamed. Note that there is no functionality change.

Old name New name
AAA Users & Access Control
Group Management Local User Groups
Access Control Appliance Access
Permission Query Access Rights Report


Configuration History

Permissions settings for user groups under <Protocol name> Control > Connections > Access Control > Permission have also been renamed from Search&Authorize to Follow&Authorize and Search to Follow.

Trusted CA CRL handling

SPS now checks if the Certificate Revocation List (CRL) has expired and that the CRL has been signed by the same Certificate Authority (CA).

Mouse movement algorithm

The mouse-movement-based user authentication algorithm is able to tell whether a user is who they say they are based on their mouse movements.

RDP login screen enhancements

The RDP login screen now allows you to paste text-based clipboard contents. It also provides a warning if Caps Lock is on.

REST API improvements
  • You can now check the synchronization status of cluster nodes. The value of the sync_status field displays whether the configuration of the SPS cluster node is synchronized with the configuration of the Central-Management node. For more information, see "Query the status of all nodes in the cluster" in the REST API Reference Guide and "Query the status of one particular node" in the REST API Reference Guide.

    NOT FETCHED has been added as a new status to Basic Settings > Cluster management > Cluster management status.

  • For ICA, RDP and SSH protocols, the inactivity_timeout parameter has been added to the api/configuration/<protocol>/settings_policies endpoint.

    In addition to the REST API, the following has changed on the SPS UI:

    The User idle timeout option has been added to ICA, RDP, SSH, Telnet and VNC Control > Settings. If no user activity is detected, it terminates the session after the configured time has passed since the last user activity.

  • You can now generate reports for a custom time period on the api/configuration/reporting/reports endpoint.

  • The list of Telnet pattern sets that help to extract the username from Telnet connections is now available in REST API. The api/configuration/telnet/pattern_sets endpoint has been added.

  • The mouse algorithm has been added to the /api/configuration/policies/analytics endpoint.

Other improvements
  • Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication.

  • New parameters have been added to the Authentication and Authorization and Credential Store plugins to replace deprecated parameters.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating