Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Creating an import file

When importing objects, such as accounts, assets, or users, Safeguard for Privileged Passwords expects the import file to be a Comma Separated Values (CSV) file.

A CSV file is a text file used to store database entries where each line is a unique record and each record consists of fields of data separated by commas. The easiest way to create a CSV file is by using a spreadsheet program such as Microsoft Excel; however, you can use any text editor, such as Notepad, to create a comma-delineated file, as long as you save the file with a .csv file type extension.

The order of the columns is not important, but the title of the column must match the property name.

Important: You must not add any trailing spaces in the properties you define in the CSV file.

To create a customized .csv file template

  1. In the Import dialog, click (or tap) CSV Template Assistant.
  2. Select specific template properties from the template properties table, or select the "select all" check box in the heading.

    Note: Safeguard for Privileged Passwords preselects the required properties; you can select any additional properties you desire.

  3. Select Download Template to save a copy of the template properties table to a location of your choice.

    TIP: Click (or tap) the View icon in the Values column to display a list of allowable values. Click (or tap) Copy to copy the selected value to your copy buffer which can then be pasted into your CSV file.

    NOTE: Click (or tap) Export Full Table, in upper the right corner above the properties table, to save a copy of the properties table.

  4. Locate the downloaded template and add your specific information to the template.

    TIP: Users AdminRoles property: The value for the Authorizer Administrator is "GlobalAdmin".

    Note:Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file with the follow exceptions:

    • Assets PlatformDisplayName property.
      1. If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match it supplies the <platform> Other platform, such as "Other Linux".
      2. If it does not find a partial match, it supplies the Other platform type.
    • Users TimeZoneId property.
      1. If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no timezone was provided), it uses the local workstation's current timezone.

        Note: Do not enter numbers or abbreviations for TimeZoneId.

    • Users Password property.
      1. Safeguard for Privileged Passwords adds a user without validating the password you provide.
  5. Use the customized .csv file to import the objects.

Checking, changing, or setting an account password

The Asset Administrator can manually check, change, or set an account password from the Account Security menu.

To manually check, change, or set an account password

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, select an account from the object list.
  3. Click (or tap)  Account Security from the toolbar.

    Note: You can also right-click (or press and hold) the account name to open the context menu.

    Select one of these options:

    • Check Password to verify the account password is in sync with the Safeguard for Privileged Passwords database. If the password verification fails, you can change it.
    • Change Password to reset and synchronize the account password with the Safeguard for Privileged Passwords database.
    • Set Password to set the account password in the Safeguard for Privileged Passwords database.

      Note: The "Set" option does not change the account password on the asset.

    Note: See the progress and results of the "Check" and "Change" options in the Toolbox | Tasks pane. For more information, see Viewing task status.

  4. The Set Password option provides two options:
    1. Generate Password - select this option to have Safeguard for Privileged Passwords generate a new random password, that complies with the password rule that is set in the account's profile.

      • Click (or tap) Generate Password to display the Generate Password dialog.
      • Click (or tap) Show Password to reveal the new password.
      • Click (or tap)  Copy to put it into your copy buffer.
      • Log into your device, using the old password, and change it to the password in your copy buffer.
      • Click (or tap) OK to change the password in the Safeguard for Privileged Passwords database or click (or tap) Cancel to close the dialog without changing the current password in Safeguard for Privileged Passwords.
    2. Manual Password - select this option to manually set the account password in the Safeguard for Privileged Passwords database.

      • Click (or tap) Manual Password to display the Set Password dialog.
      • In the Set Password dialog, enter the password and click (or tap) OK.

        Clicking OK updates the Safeguard for Privileged Passwords database.

      • Set the account password on the physical device to synchronize it with the Safeguard for Privileged Passwords database.

Viewing password archive

The Asset Administrator and Auditor can access a previous password for an account for a specific date.

NOTE: The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset.

To access an account's previous password

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, right-click (or press and hold) an account name and choose Password Archive.

    Or, click (or tap) Password Archive from the toolbar.

  3. In the Password Archive dialog, select a date.

    TIP: If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current password.

  4. In the View column, click (or tap) to display the password that was assigned to the asset at that given date and time.
  5. In the details dialog, click (or tap) Copy to copy the password to your copy buffer, or click (or tap) OK to close the dialog.

Note: You view an account's password validation and reset history on the Check and Change Log tab.

Account Groups

A Safeguard for Privileged Passwords account group is a set of accounts which you can add to the scope of an access request policy. For more information, see Creating an access request policy.

The Auditor and the Security Policy Administrator have permission to access Account Groups.

The Account Groups view displays the following information about the selected account group.

Table 37: Account Groups: Tabs
Tab Description
General tab Displays general information about the selected account group.
Accounts tab Displays the accounts associated with the selected account group.
Access Request Policies tab Displays the entitlements and access request policies associated with the selected account group.
History tab Displays the details of each operation that has affected the selected account group.

Use these toolbar buttons to manage account groups.

Table 38: Account Groups: Toolbar
Option Description

Add | Account Group

Add account groups to Safeguard for Privileged Passwords. For more information, see Adding an account group.

Add | Dynamic Account Group

Add dynamic account groups to Safeguard for Privileged Passwords. For more information, see Adding a dynamic account group.
Delete Selected

Remove the selected account group from Safeguard for Privileged Passwords. For more information, see Deleting an account group.

Refresh

Update the list of account groups.

Related Documents