One Identity Safeguard for Privileged Sessions 8.0 LTS - Administration Guide


Finding specific user groups

To search the names and privileges of user groups, use the search and filter interface of the Filter ACLs section of the Users & Access Control > Appliance Access page.

Figure 88: Users & Access Control > Appliance Access — Finding specific user groups

  • To filter on a specific user group, enter the name of the group into the Group field and select Search.

  • To select user groups who have a specific privilege, click Edit, select the privilege(s) you are looking for, and click Search.

  • To filter for read or write access, use the Type option.

Using user groups

How you should name user groups depends on the way you manage your One Identity Safeguard for Privileged Sessions (SPS) users.

  • Local users: If you use only local users, create or modify user groups on the Users & Access Control > Local User Groups page, assign or modify privileges on the Users & Access Control > Appliance Access page, and add users to the groups on the Users & Access Control > Local Users or the Users & Access Control > Local User Groups page.

  • LDAP users and LDAP groups: If you manage your users from LDAP and also have LDAP groups that match the way you want to group your SPS users, create or modify your user groups on the Users & Access Control > Appliance Access page and ensure that the name of your LDAP group and the SPS user group is the same. For example, to make members of the admins LDAP group be able to use SPS, create a user group called admins on the Users & Access Control > Appliance Access page and edit the privileges of the group as you need.

  • RADIUS users and local groups: This is the case when you manage users from RADIUS, but you cannot or do not want to create groups in LDAP. Create your local groups on the Users & Access Control > Appliance Access page, and add your RADIUS users to these groups on the Users & Access Control > Local User Groups page.

Built-in user groups of One Identity Safeguard for Privileged Sessions (SPS)

One Identity Safeguard for Privileged Sessions (SPS) has the following user groups built in by default.

NOTE: You can modify and delete these user groups as you see fit.

Figure 89: Users & Access Control > Appliance Access — Built-in user groups of SPS

Caution:

If you use LDAP authentication on the SPS web interface and want to use the default user groups, you have to create these groups in your LDAP database and assign users to them. For more information on using user groups, see Using user groups.

  • basic-view: View the settings in the Basic Settings menu, including the system logs of SPS. Members of this group can also run commands on the Troubleshooting tab.

  • basic-write: Edit the settings in the Basic Settings menu. Members of this group can manage SPS as a host.

  • auth-view: View the names and privileges of the SPS administrators, the configured user groups, and the authentication settings in the Users & Access Control menu. Members of this group can also view the history of configuration changes.

  • auth-write: Edit authentication settings and manage users and user groups.

    Caution:

    Members of the auth-write group, or of any other group with write privileges to the Users & Access Control menu, are essentially equivalent to SPS system administrators, because they can assign any privilege to themselves. Users with limited rights must never have such privileges.

    If users with write privileges to the Users & Access Control menu assign new privileges to themselves (for example, they assign themselves group membership to a new group), then they can apply the new privilege by logging in to the SPS web interface again.

  • search: Browse and download various logs and alerts in the Sessions menu. The members of this group have access to the audit trail files as well. Note that to open encrypted audit trail files, the proper encryption keys are required.

  • changelog: View the history of SPS configuration changes in the Users & Access Control > Configuration History menu.

  • report: Browse, create and manage reports, and add statistics-based chapters to the reports in the Reports menu. Users with this privilege can access every report. To give users access only to specific reports, use the Reports are accessible by the following groups option of the report. For more information, see Configuring custom reports.

    NOTE: To control exactly which statistics-based chapters and reports the user can include in a report, use the Use static subchapters privileges.

  • policies-view: View the policies and settings in the Policies menu.

  • policies-write: Edit the policies and settings in the Policies menu.

  • ssh-view: View all connection and policy settings in the Traffic Controls > SSH menu.

  • ssh-write: Edit all connection and policy settings in the Traffic Controls > SSH menu.

  • rdp-view: View all connection and policy settings in the Traffic Controls > RDP menu.

  • rdp-write: Edit all connection and policy settings in the Traffic Controls > RDP menu.

  • telnet-view: View all connection and policy settings in the Traffic Controls > Telnet menu.

  • telnet-write: Edit all connection and policy settings in the Traffic Controls > Telnet menu.

  • vnc-view: View all connection and policy settings in the Traffic Controls > VNC menu.

  • vnc-write: Edit all connection and policy settings in the Traffic Controls > VNC menu.

  • indexing: Allows hosts running external indexers to access and download audit trails for automatic indexing.

    NOTE: The members of this group can access the SPS web interface as well, and download any audit trail directly.

  • ica-view: View all connection and policy settings in the Traffic Controls > ICA menu.

  • ica-write: Edit all connection and policy settings in the Traffic Controls > ICA menu.

  • http-view: View all connection and policy settings in the Traffic Controls > HTTP menu.

  • http-write: Edit all connection and policy settings in the Traffic Controls > HTTP menu.

  • indexer-view: View all connection and policy settings in the Indexer menu.

  • indexer-write: Edit all connection and policy settings in the Indexer menu.

ACL access and summary list

This section contains the access and summary list of Access Control Lists (ACLs) available in One Identity Safeguard for Privileged Sessions (SPS).

For more information about managing user rights and user groups in SPS in general, see Managing user rights and user groups.

| ACL element | Menu items to which access is granted on the SPS UI | ACL summary |
|---|---|---|
| All | Every menu point | Gives access to every setting. |
| System Debug | Basic Settings > Troubleshooting > Create support bundle | Enables support bundle generation. |
| Policy Administrator | Traffic Control > Quick Connection Setup; Traffic Control > SSH; Policies > Analytics policies; Policies > Audit policies; Policies > Content policies; Policies > Local User Databases; Policies > Time policies; Policies > User Lists; Policies > Usermapping policies | Enables configuring SSH connections and their connection-related policies. |
| Import configuration | Basic Settings > System > Import configuration | Enables configuration import. |
| Export configuration | Basic Settings > System > Export configuration | Enables configuration export. |
| Firmware | Basic Settings > System > Firmwares | Enables uploading, installing and deleting firmwares on SPS. |
| Use static subchapters ACLs | Does not affect menu points. | Restricts users to adding only specific subchapter types to reports. |
| REST server / REST configuration | Traffic Controls > Quick Connection Setup | Enables configuring connections via the Connection Setup Wizard and the REST API. |
| REST Server / REST | Users & Access Control > Audit Data Access | Enables configuring audit data access rules (ADARs) for user groups. |
| Active sessions | Pending Connections > Active connections | Gives access to view and terminate all active sessions monitored by SPS. |
| Basic Settings / Network | Basic Settings > Network | Enables configuring network-related settings. |
| Basic Settings / Local services | Basic Settings > Local services | Enables configuring various services of SPS. |
| Basic Settings / Management | Basic Settings > Management | Gives access to configuring system-level settings. |
| | Basic Settings > Cluster Management | Enables joining multiple SPS appliances into a cluster for scalability and easier monitoring and auditing. Additionally, it enables joining SPS to One Identity Safeguard for Privileged Passwords (SPP). |
| | Basic Settings > Trust stores | Enables configuring local certificate storage for the trusted certificates that validate TLS connections. Additionally, it authorizes the user to manage cryptography settings. |
| Basic settings / Alerting Monitoring | Basic Settings > Alerting and monitoring | Gives access to alerting and monitoring configuration. |
| Basic settings / Date and time | Basic Settings > Date & Time | Gives access to date and time configuration. |
| Basic settings / Dashboard | Basic Settings > Dashboard | Gives access to various statistics and the status history of system data and performance on the dashboard. |
| Basic settings / System | Basic Settings > System | Gives access to system-related configuration. |
| Basic settings / Troubleshooting | Basic settings > Troubleshooting | Gives access to tools for troubleshooting network issues, viewing log files and generating support bundles. |
| Basic settings / Plugins | Basic settings > Plugins | Gives access to plugin management. |
| Basic settings / High availability | Basic settings > High availability | Gives access to high availability setup. |
| Basic settings / Cluster management | Basic settings > Cluster management | Gives access to cluster management. |
| Basic settings / Join to Starling | Basic settings > Starling integration | Gives access to the Starling Integration configuration and status page. |
| Audit / Sessions | Audit > Sessions | Enables querying sessions and gives access to the Audit > Sessions page. However, without an audit data access rule (ADAR), no session data is visible. |
| Audit / Access all sessions | Does not affect menu points. | Authorizes searching and viewing all sessions, but does not give access to the Audit > Sessions page. In other words, it works like an unfiltered ADAR. |
| Audit / Access all users | Audit > Users | Enables viewing data about audited users. However, it does not give access to user-related session data. To view user-related session data, you need either the Audit / Sessions ACL combined with an ADAR, or the Audit / Sessions ACL combined with the Audit / Access all sessions ACL. |
| Users & Access Control / Settings | Users & Access Control > Settings | Enables configuring the login settings of SPS. |
| Users & Access Control / Local Users and Groups | Users & Access Control > Local Users and Groups | Enables configuring local users and local user groups for accessing SPS. |
| Users & Access Control / Access Control | Users & Access Control > Appliance Access | Enables configuring access control for user groups. |
| Users & Access Control / Accounting | Users & Access Control > Configuration History | Enables viewing the configuration history of SPS. |
| Users & Access Control / Permission Query | Users & Access Control > Access Rights Report | Enables viewing access rights reports. |
| Policies / AA Plugin Configurations | Policies > AA Plugin Configurations | Enables configuring authentication and authorization plugins used to authenticate to target hosts. |
| Policies / Analytics Policies | Policies > Analytics Policies | Enables configuring analytics policies that specify the algorithms used to analyze monitored user behavior and build user baselines. |
| Policies / Audit Policies | Policies > Audit Policies | Enables configuring audit policies that specify the encryption, signing and timestamping of the recorded audit trail files. |
| Policies / Backup & Archive | Policies > Backup & Archive | Enables configuring policies to back up and archive audit data. |
| Policies / Audit Data Cleanup Policies | Policies > Audit Data Cleanup Policies | Enables configuring policies to clean up audit data. |
| Policies / Content Policies | Policies > Content Policies | Enables configuring policies that take action when predefined content appears in a session. |
| Policies / Credential Stores | Policies > Credential Stores | Enables configuring credential stores that hold the credentials used to authenticate to target servers. |
| Policies / Indexer Policies | Policies > Indexer Policies | Enables configuring policies that specify what data to capture and index from sessions. |
| Policies / LDAP Servers | Policies > LDAP Servers | Enables configuring LDAP servers for querying users and user groups for authentication purposes. |
| Policies / Local User Databases | Policies > Local User Databases | Enables configuring databases that store user credentials for authenticating clients on SPS in gateway authentication scenarios. |
| Policies / Signing CAs | Policies > Signing CAs | Enables configuring certificate authorities (CAs) for signing certificates. |
| Policies / Time Policies | Policies > Time Policies | Enables configuring time intervals for use in other policy settings. |
| Policies / Trusted CA Lists | Policies > Trusted CA Lists | Enables configuring trusted certificate authorities for validating certificates. |
| Policies / User Lists | Policies > User Lists | Enables configuring user lists that specify user access for sessions. |
| Policies / Usermapping Policies | Policies > Usermapping Policies | Enables configuring policies that specify who can use a specific user name to access the remote server. |
| Indexer | Indexer Status | Enables viewing information related to session indexing. |
| HTTP Control ACLs | Menu points under Traffic Controls > HTTP. | Enables configuring HTTP connections. |
| ICA Control ACLs | Menu points under Traffic Controls > ICA. | Enables configuring ICA connections. |
| MSSQL Control ACLs | Menu points under Traffic Controls > MSSQL. | Enables configuring MSSQL connections. |
| RDP Control ACLs | Menu points under Traffic Controls > RDP. | Enables configuring RDP connections. |
| SSH Control ACLs | Menu points under Traffic Controls > SSH. | Enables configuring SSH connections. |
| Sudo iolog Control | Traffic Controls > Sudo iolog | Enables configuring Sudo iolog connections. |
| Telnet Control ACLs | Menu points under Traffic Controls > Telnet. | Enables configuring Telnet connections. |
| VNC Control ACLs | Menu points under Traffic Controls > VNC. | Enables configuring VNC connections. |
| Reporting ACLs | Menu points under Reporting. | Enables configuring, generating and downloading reports via SPS. |
| Unlock Credential Store | User menu > Unlock Credential store | Enables accessing the credential stores that hold the credentials used to authenticate to target servers. |

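The following is an added example, not code from the SPS guide or the product, that applies three rules this page states to a constructed export of user groups and their ACLs: the auth-write caution (any write privilege under Users & Access Control is equivalent to system administrator), the LDAP caution (a group with no same-named LDAP group can never receive members under LDAP web authentication), and the Audit / Sessions rule (session data requires an ADAR or the Audit / Access all sessions ACL). The group names `helpdesk` and `analysts`, the ACL assignments and the LDAP group list are constructed sample data.

```python
"""Added example: audit a constructed SPS group/ACL export against the
access-control rules described on this page."""

# Constructed sample: group -> set of (ACL element, access type), using the
# ACL element names from the summary table. Not a real SPS export.
SAMPLE_ACLS = {
    "auth-write": {("Users & Access Control / Access Control", "write")},
    "helpdesk": {("Audit / Sessions", "read"),
                 ("Users & Access Control / Local Users and Groups", "write")},
    "ssh-view": {("SSH Control ACLs", "read")},
    "search": {("Audit / Sessions", "read"),
               ("Audit / Access all sessions", "read")},
    "analysts": {("Audit / Sessions", "read"),
                 ("Audit / Access all users", "read")},
}
# Constructed sample: group names present in the LDAP directory used for web login.
SAMPLE_LDAP_GROUPS = {"auth-write", "ssh-view", "helpdesk", "analysts"}
# Constructed sample: groups that have an audit data access rule (ADAR).
SAMPLE_GROUPS_WITH_ADAR = {"analysts"}


def is_admin_equivalent(acl, access):
    """The 'All' ACL, or any write access under Users & Access Control, lets a
    group assign itself any privilege, so it is equivalent to administrator."""
    return acl == "All" or (acl.startswith("Users & Access Control") and access == "write")


def effective_admins(acls):
    """Groups that are effectively SPS system administrators."""
    return sorted(g for g, privs in acls.items()
                  if any(is_admin_equivalent(a, t) for a, t in privs))


def missing_ldap_groups(acls, ldap_groups):
    """SPS groups with no same-named LDAP group: under LDAP web authentication
    nobody can become a member, so the group's privileges are unreachable."""
    return sorted(set(acls) - set(ldap_groups))


def can_view_session_data(acls, group, groups_with_adar):
    """Audit / Sessions is required; on top of that the group needs either an
    ADAR or Audit / Access all sessions. Audit / Access all users alone is not
    enough. Only directly assigned ACLs are checked, not self-escalation."""
    elements = {a for a, _ in acls.get(group, ())}
    if "Audit / Sessions" not in elements:
        return False
    return group in groups_with_adar or "Audit / Access all sessions" in elements


if __name__ == "__main__":
    print("effective admins:", effective_admins(SAMPLE_ACLS))
    print("groups missing in LDAP:", missing_ldap_groups(SAMPLE_ACLS, SAMPLE_LDAP_GROUPS))
    for g in SAMPLE_ACLS:
        print(g, "sees session data:",
              can_view_session_data(SAMPLE_ACLS, g, SAMPLE_GROUPS_WITH_ADAR))
```

Running it flags `helpdesk` as an effective administrator despite looking like a read-only group, which is exactly the misconfiguration the auth-write caution warns about.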